Renewing Let's Encrypt Certificate - A new fix
I had problems renewing my SSL certificate automatically again. This time, however, it was not related to an automatic HTTP to HTTPS redirection, as I posted before. This time it was because my blog is not a static website. It sounds weird, but believe me, that's how it was.
I received an email from "Let's Encrypt Expiry Bot" with an "SSL certificate about to expire" notification. I logged into my server to review the /var/log/le-renew.log file and I found this:
- It is no longer necessary to temporarily remove the automatic HTTP to HTTPS redirection, as I suggested doing here.
- On the one hand, the validation of https://immontilla.eu and https://www.immontilla.eu went right. On the other hand, the validation of https://blog.immontilla.eu went wrong.
The only difference between my blog and my web is that my web is static while my blog is dynamic. More exactly, my blog runs Ghost on a Node.js server with nginx in front as a reverse proxy, whereas my web is a simple collection of HTML, CSS and JavaScript files.
Apart from log analysis, I searched the Internet for more information about the "client lacks sufficient authorization" error and I found this answer at community.letsencrypt.org. As sahsanu suggested there, I put a simple text file named somefile, with no extension, in the /content/themes/casper/.well-known/acme-challenge/ path. Then I tried to open it in a browser and I finally found what was wrong:
Ghost adds a / at the end of the URL, so a request for blog.immontilla.eu/.well-known/acme-challenge/somefile is redirected to blog.immontilla.eu/.well-known/acme-challenge/somefile/ (note the trailing slash), and that path does not exist.
That is why the certificate renewal process was getting a 404 response when it tried to access any URL like blog.immontilla.eu/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxx: the challenge token file is served from the path without the slash, and the redirected path with the slash has nothing behind it.
I managed to solve this problem by doing this:
- Create a static version of my blog.
- Change the blog's configuration file to point at the static version.
- Change the renewal configuration file under /etc/letsencrypt/renewal/ so that its webroot is the temporary static blog path.
- Run sudo service nginx restart.
- Run sudo /usr/local/sbin/certbot-auto renew again.
- Restart nginx again once the SSL certificate has been successfully regenerated.
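A less disruptive way to get the same result, shown here as an added example and not the configuration the post used: leave Ghost running and have nginx answer the ACME challenge path from a static directory before anything is proxied to Ghost, so Ghost never sees the request and never gets to add its trailing slash. The host name, the Ghost port 2368, the certificate paths and the /var/www/letsencrypt webroot below are assumptions.

```nginx
# Added example, not the post's own configuration. Assumed values: the host
# name, Ghost listening on 127.0.0.1:2368, the certificate paths and the
# webroot /var/www/letsencrypt that certbot writes challenge tokens into.

server {
    listen 80;
    server_name blog.immontilla.eu;

    # Serve challenge files straight from disk. "^~" makes this prefix match
    # beat any regex location, so the request is answered here and is never
    # forwarded to Ghost (which would 301 it to a trailing-slash URL -> 404).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # token is read from <root>/.well-known/acme-challenge/<token>
        default_type text/plain;     # token files have no extension, so set the type explicitly
        try_files $uri =404;         # serve the exact file or 404; never redirect
    }

    # Everything else keeps the automatic HTTP to HTTPS redirection.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name blog.immontilla.eu;

    ssl_certificate     /etc/letsencrypt/live/blog.immontilla.eu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.immontilla.eu/privkey.pem;

    # Same static handler on 443: the validator follows the redirect above,
    # so the challenge must be answered here as well, again ahead of Ghost.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # The blog itself: reverse proxy to the Ghost Node.js process.
    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

For this to work, the blog's renewal file under /etc/letsencrypt/renewal/ has to use the webroot authenticator with the same directory in its [[webroot_map]] entry (blog.immontilla.eu = /var/www/letsencrypt), so that certbot-auto renew writes the token where nginx reads it. Check the result before renewing: after nginx -t and a reload, a request such as curl -sI http://blog.immontilla.eu/.well-known/acme-challenge/somefile (with somefile placed under the webroot) should come back with a 200 and Content-Type: text/plain, not with a 301 whose Location ends in a slash.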
To verify the final result, I checked in Chrome's developer tools that my website's SSL certificate had been successfully renewed.
In my opinion, the Certbot log message is not clear enough. In fact, it is the same error message you receive when an error occurs while generating the certificate for the first time. A better error log message could be something like:
Has the site changed hosting provider recently? If so, please make sure that your domain name was entered correctly and that the DNS A/AAAA record(s) for that domain contain the right IP address. If not, add a non-empty text file under /.well-known/acme-challenge/ and check that this file is accessible from the Internet and that its Content-Type header is text/plain.