403 err. on Mac OSX Some challenges have failed

Hi.. I'm Japanese.. not so good English talker.
My server is M1 Macmini(Monterey) for FileMaker.
FileMaker system needs real SSL.. I must get and set? it to my server.

My domain is:
r2hs.jp

I ran this command:
sudo certbot certonly --manual --domain r2hs.jp

It produced this output:
Create a file containing just this data: u_????M.g????8
And make it available on your web server at this URL: http://r2????M

>>>> i got it....

 cd .well-known/acme-challenge/
 echo -n "u??????M.g?????8" > u?????M

>>>> ok.. i did it. I can see that file on my mac. (finder) and continue.. but,

  Type:   unauthorized
  Detail: 163.4???2: Invalid response from http://r2????8guM: 403

>>>> MY QUESTION how can i resolve this 403 err.? **
** if you have some good advice, please tell me for? easy English.

** thank you..**

Do you have a Palo Alto firewall on your network?

% curl -IL r2hs.jp/.well-known/acme-challenge/aaa
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sat, 14 May 2022 13:02:06 GMT
Content-Type: text/html
Content-Length: 1509
Connection: keep-alive
ETag: "620b7c7f-5e5"

% curl -IL r2hs.jp/.well-known/acme-challenge
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 14 May 2022 13:02:17 GMT
Content-Type: text/html
Content-Length: 19268
Connection: keep-alive
ETag: "620b7bd8-4b44"
2 Likes

What is a Palo Alto FW… I don't have much knowledge about networks.. so I can't understand what you mean. So sorry… but thanks.

Now I'm checking the curl -IL command.. too difficult for me..

It's a brand name.

They broke a lot of validations in a similar way.

Are you hosting at home? Workplace? Commercial provider?

1 Like

The server is in my workplace. <- this means I'm the network admin in my office..
Sorry, poor English…

Check your firewalls, the most likely culprit is a Palo Alto brand WAF.

2 Likes

Are you sure? I can't remember those Palo Alto FWs returning 403's or 404's, but more connection reset by peer shizzle?

3 Likes

They weren't that consistent.

But yeah, it's not the only suspect.

2 Likes

It could also just be access rights to that location within apache.

But the different returns with and without the slash are pointing to the known Palo Alto firewall problem.

2 Likes

thank you so much... everyone!
I tried changing the router filtering: port 80 and 443 -> open
and I tried the acme-challenge again.. but.
still a 403 err. returned..

next time I'll try that challenge on another machine in my network..

Please show the certbot error message output or the LE log file.

2 Likes

I don't think Palo Alto firewall is causing the 403 Forbidden either. We are seeing "Server: nginx" in the response headers. We have not seen any "Server" headers from the acme-challenge issue before. And, it seems unlikely a firewall would choose to send one.

This looks more like nginx server config is causing the 403.

@guymallow can you upload the config.txt file made by this command?

sudo nginx -T  >config.txt
3 Likes

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: r2hs.jp
Type: unauthorized
Detail: 163.44.185.222: Invalid response from http://r2hs.jp/.well-known/acme-challenge/ZyuGmyXXXXXXX5XIUWvdrY: 403

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

thank you Mr...rg305.. this is full err Msg.. Is this OK?

1 Like

Hi! MikeMcQ..

I did that command. but..

Host:~ admin$ sudo nginx -T >config.txt
sudo: nginx: command not found

Is this my big mistake?

1 Like

Please make sure your DNS records are pointing to the right server :wink:

1 Like

Is your server actually running nginx, as indicated by the return headers shown by @9peppe? Or is there a different nginx server in front of your server acting as reverse proxy? Questions questions. Unfortunately, you've removed most of the questions of the questionnaire which would have answered these questions :confused:

2 Likes

I'd say an explanation for "nginx: command not found" is nginx running in docker.

sudo ss -tlpn should answer that.

1 Like

Mr...Osiris.. I'm so sorry.. but I don't have any knowledge about networks (like this..)
that is the reason why I've removed most of the titles on the template..

sorry...

by the way, i get another idea from my colleague. ill try it...

thank you so much every one.

1 Like

thank you 9peppe..

I entered "sudo ss" in? on? my mac terminal.
but it doesn't have the command.

may be my way is wrong...

1 Like

Yeah, maybe macOS doesn't use iproute2 but the older netstat

Go with sudo netstat -tlpn

1 Like