There are various reasons why a Let's Encrypt certificate can't be installed or renewed. Here are some I've come across:
Error:
Not documented, add it if you have it
Issue:
The stack is behind a load balancer and traffic is being shared between multiple web servers. The verification request isn't reaching the server where the temporary authorisation file is located.
Solution:
The certificate needs to be added to the load balancer rather than the web server(s). This probably means that you don't want to use Let's Encrypt for this certificate.
Error:
Wrote file to /etc/cloud66/webroot/[...], but couldn't download http://[Certificate Domain]/.well-known/acme-challenge/[...]
Issue:
The Let's Encrypt service can't access the temp file at the given domain and is therefore unable to verify the domain. In this case it was because there was no DNS record for the [Certificate Domain] so the address did not resolve to the stack in question.
Solution:
Add a DNS record for the [Certificate Domain] so that the request resolves to the correct stack and can be verified.
Error:
Not documented, add it if you have it. Probably something like
Wrote file to /etc/cloud66/webroot/[...], but couldn't download http://[Certificate Domain]/.well-known/acme-challenge/[...]
Issue:
The stack is configured to redirect www to the root domain. When Let's Encrypt tries to verify the certificate for the www domain, the web server redirects the request to the root domain and therefore blocks access to the requested path.
This will also happen if the reverse is true and the root domain redirects to www.
Solution:
Make sure the Let's Encrypt request doesn't get redirected:
- Open the NGINX config for the server
- Go to the http server config block starting with listen 80 default_server;
- Immediately before:
if ($www_rewrite = 1) {
  return 301 $scheme://www.$www_host$request_uri;
}
- Add:
if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
  set $www_rewrite 0;
}
Error:
Not documented, add it if you have it. Probably something like
Wrote file to /etc/cloud66/webroot/[...], but couldn't download http://[Certificate Domain]/.well-known/acme-challenge/[...]
Issue:
Let's Encrypt is trying to verify your domain using http, but you're redirecting traffic to https.
Solution:
Make sure the Let's Encrypt request doesn't get redirected:
- Open the NGINX config for the server
- Go to the http server config block starting with listen 80 default_server;
- Immediately before:
if ($http_rewrite = 1) {
  rewrite ^(.*) https://$host$1 permanent;
}
- Add:
if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
  set $http_rewrite 0;
}
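A preflight check for the DNS, load balancer and redirect cases above, added here as an example and not part of the original notes. It fetches the challenge URL the way the Let's Encrypt validator does (plain http, no redirect following) and maps the answer onto the cases described; the domain, token and the assumption that the file under /etc/cloud66/webroot is served at /.well-known/acme-challenge/ are placeholders you supply.

```python
"""Preflight check for an HTTP-01 challenge URL (added example)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Short tag -> the fix described in the notes above.
ADVICE = {
    "ok": "challenge file is reachable; Let's Encrypt should validate",
    "dns-or-connect": "host did not resolve or nothing answered: add the DNS record",
    "redirect-https": "http -> https redirect: exempt /.well-known/acme-challenge/",
    "redirect-host": "www/non-www redirect: exempt /.well-known/acme-challenge/",
    "not-found": "404: behind a load balancer the request may have hit another server",
    "wrong-content": "200 but wrong body: a different server or stack answered",
}


def classify(status, location, body, token):
    """Map one HTTP response onto the failure cases in the notes."""
    if status is None:
        return "dns-or-connect"
    if 300 <= status < 400 and location:
        return "redirect-https" if urlparse(location).scheme == "https" else "redirect-host"
    if status == 200:
        return "ok" if body.strip() == token else "wrong-content"
    if status == 404:
        return "not-found"
    return "wrong-content"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib surface the 301/302 instead of following it


def probe(domain, token, timeout=10):
    """Fetch http://<domain>/.well-known/acme-challenge/<token> and classify it."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"),
                            resp.read().decode(errors="replace"), token)
    except urllib.error.HTTPError as e:  # raised for 3xx (handler above) and 4xx/5xx
        return classify(e.code, e.headers.get("Location"), e.read().decode(errors="replace"), token)
    except (urllib.error.URLError, OSError):  # DNS failure, refused connection, timeout
        return classify(None, None, "", token)


if __name__ == "__main__":  # usage: python check.py <domain> <token-you-wrote-to-the-webroot>
    tag = probe(sys.argv[1], sys.argv[2])
    print(tag, "-", ADVICE[tag])
```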
Error:
You get a certificate error when accessing the site using the root domain over https when the stack is supposed to redirect traffic to www.
This also applies the other way round (redirecting www to root).
Issue:
You didn't create a Let's Encrypt certificate for the address which is being redirected because, well, why would you need it? Turns out an https request for that domain hits the server before being redirected, so your browser is wary of the response as it's https without a valid certificate.
Solution:
Make sure you have configured certificates for both the www and non-www versions of the domain so that a valid certificate is presented before the redirect happens.
Honestly I'm not sure about this and there might be a way to restructure the config to prevent this issue, but then again there might not and the extra certificate costs nothing so this is the low effort solution.