Certbot issue – 404 on Let's Encrypt certificate renewal for the http-01 challenge

I was getting a 404 for the http-01 challenge that certbot uses to verify the domain and renew the SSL certificate. I had an nginx server with Varnish in front of it as a reverse proxy.

I added the .well-known/acme-challenge directory in the webroot and gave it the appropriate permissions. I also added the location block in nginx and allowed all access. There also needs to be VCL that passes requests starting with /.well-known/ through to the backend.

vcl 4.0;

# nginx listens on localhost:8080 and serves the webroot holding the challenge files
backend certbot {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Send ACME http-01 validation requests straight to nginx, bypassing the cache
    if (req.url ~ "^/\.well-known/acme-challenge/") {
        set req.backend_hint = certbot;
        return (pipe);
    }
}

sub vcl_pipe {
    if (req.backend_hint == certbot) {
        # Close the backend connection after the piped request (bereq is the
        # request actually sent to the backend once in pipe mode)
        set bereq.http.Connection = "close";
        return (pipe);
    }
}

Then I came across the certbot documentation on the webroot plugin, which describes where the token is created. The webroot can be given as a flag; when I passed my docroot in that flag, everything started working. /var/www/html is my docroot and example.com the domain.

certbot renew --webroot -w /var/www/html --cert-name example.com

I had to pull my hair out to figure this out; it is really stressful if your site is live and you only then discover that the SSL certificate has expired. Always check that your SSL certificates are renewing properly.
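A quick way to catch this class of problem before a renewal fails is to do what the ACME server does: put a throwaway token in the challenge directory under the webroot and fetch it through the public front end (Varnish here), so a 404 or a wrong document root shows up on your terms rather than at expiry time. The script below is an added example written for this post, not certbot's or the original author's code; it uses only the Python standard library, and the function names, the -w style webroot argument and the sample URL are its own choices.

```python
"""Pre-flight check for the http-01 challenge path behind a reverse proxy.

Added example (not from the original post): write a random token under
<webroot>/.well-known/acme-challenge/, fetch it through <base_url> the way
the ACME validator will, and report whether the served body matches.
"""
import os
import secrets
import sys
import urllib.error
import urllib.request

# Fixed by the ACME spec: the http-01 token lives under this path
CHALLENGE_DIR = ".well-known/acme-challenge"


def check_http01_path(webroot, base_url, timeout=5):
    """Drop a token file into the webroot and fetch it via the front end.

    Returns (ok, detail). The token file is removed again whatever happens,
    so a failed check leaves nothing behind in the webroot.
    """
    token = secrets.token_urlsafe(24)
    body = "precheck-" + token
    chal_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        # urlopen follows redirects (as the Let's Encrypt validator does) and
        # raises HTTPError on 4xx/5xx, i.e. exactly the 404 from the post.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            got = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}"
    except urllib.error.URLError as exc:
        return False, f"could not fetch {url}: {exc.reason}"
    except OSError as exc:
        return False, f"could not fetch {url}: {exc}"
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass
    if got != body:
        # Served something, but not our file: a cached object, an HTML error
        # page returned with status 200, or a different document root.
        return False, f"body mismatch for {url}: got {got[:60]!r}"
    return True, f"OK: {url} served the token"


def offline_demo():
    """Exercise the check with no web server: a temp dir stands in for the
    webroot and a file:// URL for the front end. Returns (good, bad)."""
    import tempfile
    with tempfile.TemporaryDirectory() as webroot:
        good, _ = check_http01_path(webroot, "file://" + webroot)
        # Pointing the "front end" at the wrong docroot reproduces the failure
        bad, _ = check_http01_path(webroot, "file://" + webroot + "/wrong")
    return good, bad


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} /var/www/html http://example.com")
    ok, detail = check_http01_path(sys.argv[1], sys.argv[2])
    print(detail)
    sys.exit(0 if ok else 1)
```

Run it from a host outside the proxy with the same webroot you pass to certbot's -w and the plain http:// URL of the site; if the token comes back, the VCL, the nginx location block and the webroot agree and certbot will get the same answer. To rehearse the full renewal without touching the production certificate, certbot renew --dry-run does the same exchange against the Let's Encrypt staging environment.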
