403 err. on Mac OSX Some challenges have failed

guymallow · May 14, 2022, 11:58am

Hi.. I'm Japanese.. not so good English talker.
My server is M1 Macmini(Monterey) for FileMaker.
FileMaker system needs real SSL.. I must get and set? it to my server.

My domain is:
r2hs.jp

I ran this command:
sudo certbot certonly --manual --domain r2hs.jp

It produced this output:
Create a file containing just this data: u_????M.g????8
And make it available on your web server at this URL: http://r2????M

>>>> i got it....

 cd .well-known/acme-challenge/
 echo -n"u??????M.g?????8" > u?????M

>>>> ok.. i did it. I can see that file on my mac. (finder) and continue.. but,

  Type:   unauthorized
  Detail: 163.4???2: Invalid response from http://r2????8guM: 403

>>>> MY QUESTION how can i resolve this 403 err.? **
** if you have some good advice, please tell me for? easy English.

** thank you..**

9peppe · May 14, 2022, 1:02pm

Do you have a Palo Alto firewall on your network?

% curl -IL r2hs.jp/.well-known/acme-challenge/aaa
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sat, 14 May 2022 13:02:06 GMT
Content-Type: text/html
Content-Length: 1509
Connection: keep-alive
ETag: "620b7c7f-5e5"

% curl -IL r2hs.jp/.well-known/acme-challenge
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 14 May 2022 13:02:17 GMT
Content-Type: text/html
Content-Length: 19268
Connection: keep-alive
ETag: "620b7bd8-4b44"

guymallow · May 14, 2022, 2:25pm

What is Palo Alto FW… I dont have no so much knowledge about Network.. so I cant understand what you mean. So sorry… but thanx.

Now. Im checking curl -il command.. too difficult to me..

9peppe · May 14, 2022, 2:30pm

It's a brand name.

They broke a lot of validations in a similar way.

Are you hosting at home? Workplace? Commercial provider?

guymallow · May 14, 2022, 2:34pm

The server is in my workplace. <- this mean, i’m a network admin in my office..
Sorry poor English…

9peppe · May 14, 2022, 2:47pm

Check your firewalls, the most likely culprit is a Palo Alto brand WAF.

Osiris · May 14, 2022, 6:04pm

Are you sure? I can't remember those Palo Alto FWs returning 403's or 404's, but more connection reset by peer shizzle?

9peppe · May 14, 2022, 6:19pm

They weren't that consistent.

But yeah, it's not the only suspect.

rg305 · May 14, 2022, 7:23pm

It could also just be access rights to that location within apache.

But the different returns with and without the slash are pointing to the known Palo Alto firewall problem.

guymallow · May 15, 2022, 9:55am

thank you so much... everyone!
I challanged to change? router filltering. port 80 and 443 -> open
and i tried acme-challange.. but.
still now 403 err..returned..

next time i'll try that challange on another machine in my net work..

rg305 · May 16, 2022, 2:43am

Please show the certbot error message output or the LE log file.

MikeMcQ · May 16, 2022, 3:33am

I don't think Palo Alto firewall is causing the 403 Forbidden either. We are seeing "Server: nginx" in the response headers. We have not seen any "Server" headers from the acme-challenge issue before. And, it seems unlikely a firewall would choose to send one.

This looks more like nginx server config is causing the 403.

@guymallow can you upload the config.txt file made by this command?

sudo nginx -T  >config.txt

guymallow · May 16, 2022, 6:11am

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: r2hs.jp
Type: unauthorized
Detail: 163.44.185.222: Invalid response from http://r2hs.jp/.well-known/acme-challenge/ZyuGmyXXXXXXX5XIUWvdrY: 403

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

thank you Mr...rg305.. this is full err Msg.. Is this OK?

guymallow · May 16, 2022, 6:38am

Hi! MikeMcQ..

I did that command. but..

Host:~ admin$ sudo nginx -T >config.txt
sudo: nginx: command not found

Is this my big misstake?

9peppe · May 16, 2022, 7:01am

Please make sure your DNS records are pointing to the right server

Osiris · May 16, 2022, 8:27am

Is your server actually running nginx, as indicated by the return headers shown by @9peppe? Or is there a different nginx server in front of your server acting as reverse proxy? Questions questions. Unfortunately, you've removed most of the questions of the questionnaire which would have answered these questions

9peppe · May 16, 2022, 8:45am

I'd say an explanation for "nginx: command not found" is nginx running in docker.

sudo ss -tlpn should answer that.

guymallow · May 16, 2022, 8:59am

Mr...Osiris.. I'm so sorry.. but, i don't have any knowledge about network? (like this..)
that is the reason why, i've removed most of the title on template..

sorry...

by the way, i get another idea from my colleague. ill try it...

thank you so much every one.

guymallow · May 16, 2022, 9:17am

thank you 9peppe..

i entered "sudo ss" in? on? my mac terminal.
but it doesnt have the command.

may be my way is wrong...

9peppe · May 16, 2022, 9:23am

Yeah, maybe macOS doesn't use iproute2 but the older netstat

Go with sudo netstat -tlpn