Letsencrypt on VirtualHost domains returns 404 on HTTP challenge

Published: by

I serve multiple subdomains on my domain abhi.host and these are configured on the same port by using a well known feature commonly called Virtual Hosts. The way I implement Virtual Hosts is by simply proxy passing various services on my VPS through nginx.

If you were to execute a command like this to issue a certificate and one of these domains is configured as a VirtualHost with different root directory or an external service:

sudo certbot certonly --webroot -w /var/www/html --rsa-key-size 4096 --expand -dabhi.host,abhijeetr.com,blog.abhi.host,resume.abhi.host,rss.abhi.host,til.abhi.host,torrent.abhi.host,vpn.abhi.host

You'll experience 404s on ACME HTTP challenges. Because, as per the above command, it'll always put files under /var/www/html and not in any of the other directories/endpoints of these configured VirtualHosts

Hence, you need to add special remaps inside the virtualhost definition like this.

shadyabhi@abhi:~$ cat /etc/nginx/sites-enabled/til_abhi_host.conf
#Ansible managed

server {
   listen 443 ssl;
   listen [::]:443 ssl;
   server_name  til.abhi.host;
   location /.well-known {
      root /var/www/html;

   location / {
      proxy_pass https://localhost/til/;


This way, requests to the path /.well-known will to the root /var/www/html which was originally specified in the certbot command.

Hope it'll save you a couple of minutes.