[Let's Encrypt] Certificate renewal on an Nginx reverse proxy fails with a 404 error

Symptom

When I ran certbot-auto renew to renew the certificate of a site served through an Nginx reverse proxy, it failed with the error below.

./certbot-auto renew
Requesting root privileges to run certbot...
  /Users/xxxx/.local/share/letsencrypt/bin/letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/xxxxx.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxxx.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/xxxxx.net.conf produced an unexpected error: Failed authorization procedure. xxxxx.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xxxxx.net/.well-known/acme-challenge/dZNKNOcS_-pxyVUzUtW89wL9Gfqhbat-22LM-ojYIV8: "<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <title>Redmine 404 error</title>
  <style>
    body {font-family: "Tr". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxxxx.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxxxx.net
   Type:   unauthorized
   Detail: Invalid response from
   http://xxxxx.net/.well-known/acme-challenge/dZNKNOcS_-pxyVUzUtW89wL9Gfqhbat-22LM-ojYIV8:
   "<!DOCTYPE html>
   <html>
   <head>
     <meta charset="utf-8" />
     <title>Redmine 404 error</title>
     <style>
       body {font-family: "Tr"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Answer

During authorization, certbot-auto renew has the Let's Encrypt validation server fetch http://<domain>/.well-known/acme-challenge/<token> over plain HTTP (the http-01 challenge) and expects the token back with a 200. In this setup Nginx proxies every request to Redmine; Redmine has no such route and answers with its own 404 page, so the validator reports urn:acme:error:unauthorized and quotes the start of that page. The "check your DNS A record" hint at the end of the certbot output is generic advice: the quoted Redmine body shows the request did reach this host, it just was handed to the wrong backend.

Add a location block to the Nginx server configuration so that /.well-known/acme-challenge/ is served from a directory that exists on the proxy host and returns a normal 200, instead of being proxied upstream; the authorization then passes. The ^~ prefix makes this location win over regular-expression locations and over the location / that does the proxying. The root must be the same webroot certbot writes the token into (the -w/--webroot-path given at issuance, recorded under [[webroot_map]] in /etc/letsencrypt/renewal/xxxxx.net.conf), or the token will still not be found. After editing, run nginx -t && nginx -s reload, then confirm with certbot-auto renew --dry-run before the certificate expires.

location ^~ /.well-known/acme-challenge/ {
    root /var/www; # an existing document root on the reverse proxy host; must match certbot's webroot path
}
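As an added example (not certbot's, Nginx's or the author's code), here is a pre-flight probe that reproduces the validator's http-01 fetch before you run certbot-auto renew: it reads the webroot from the renewal conf's [[webroot_map]] section, writes a throw-away token there, fetches http://<domain>/.well-known/acme-challenge/<token> and classifies the answer the way the validator would. The sample renewal conf and the Redmine 404 body are constructed stand-ins; fetch_proxy_only and make_fetch_serving are hypothetical simulations of the front-end before and after the location block, so the script runs offline; on the proxy host, run it as python3 probe.py xxxxx.net /var/www (with write access to the webroot) to probe the real server.

```python
import os, secrets, sys, tempfile
import urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed sample in the format certbot writes under /etc/letsencrypt/renewal/.
SAMPLE_RENEWAL_CONF = """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
xxxxx.net = /var/www
"""

# Constructed stand-in for the body Redmine returned in the certbot log above.
REDMINE_404 = ('<!DOCTYPE html>\n<html>\n<head>\n  <meta charset="utf-8" />\n'
               '  <title>Redmine 404 error</title>\n</head>\n</html>\n')


def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the renewal conf's [[webroot_map]] section."""
    webroots, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # any section header ends the map
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            domain, path = (p.strip() for p in line.split("=", 1))
            webroots[domain] = path
    return webroots

def http_fetch(url, timeout=10):
    """Plain GET -> (status, body). HTTP errors are answers, not exceptions;
    redirects are followed, as the Let's Encrypt validator follows them."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def classify(status, body, token):
    """Mirror the validator: only a 200 whose body is the token passes."""
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 404:
        return "not-found"      # proxied upstream, or nginx root != certbot webroot
    if "<html" in body.lower():
        return "html-page"      # an application page came back, not the token
    return "wrong-body"

def probe(domain, webroot, fetch=http_fetch):
    """Drop a token into webroot, fetch it via the public URL, clean up.
    Returns (verdict, url). Needs write access to webroot (run as root)."""
    token = secrets.token_urlsafe(32)
    cdir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(cdir, exist_ok=True)
    path = os.path.join(cdir, token)
    with open(path, "w") as fh:
        fh.write(token)
    url = "http://%s/%s/%s" % (domain, CHALLENGE_DIR, token)
    try:
        status, body = fetch(url)
    finally:
        os.remove(path)
    return classify(status, body, token), url

def fetch_proxy_only(url):
    """Simulated broken front-end (hypothetical): every request is proxied to Redmine."""
    return 404, REDMINE_404

def make_fetch_serving(webroot):
    """Simulated fixed front-end (hypothetical): the challenge path is served
    from webroot on disk (the location ^~ block); everything else still reaches Redmine."""
    def fetch(url):
        path = url.split("/", 3)[3]         # strip "http://host/"
        full = os.path.join(webroot, *path.split("/"))
        if path.startswith(CHALLENGE_DIR + "/") and os.path.isfile(full):
            with open(full) as fh:
                return 200, fh.read()
        return 404, REDMINE_404
    return fetch

def demo():
    """Run the probe against both simulated front-ends in a temp webroot."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = SAMPLE_RENEWAL_CONF.replace("/var/www", tmp)
        domain, webroot = next(iter(parse_webroot_map(conf).items()))
        broken, _ = probe(domain, webroot, fetch=fetch_proxy_only)
        fixed, _ = probe(domain, webroot, fetch=make_fetch_serving(webroot))
    return {"proxy-only": broken, "webroot-served": fixed}

if __name__ == "__main__":                  # real probe: <domain> <webroot>
    print(probe(*sys.argv[1:3]) if len(sys.argv) == 3 else demo())
```

Read the verdict as the validator would: "not-found" means the request is still being proxied, or the root in the location block is not the directory certbot writes to; "html-page" with a 200 means some upstream answered with a page instead of the token; "ok" means certbot-auto renew will pass the http-01 challenge for that name.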