403 errors when running certbot

shachar · October 7, 2018, 2:26am

I’m trying to get certbot-auto to issue a certificate. It goes through all stages, but then reports:
Domain: practical-pl.org
Type: unauthorizedY
Detail: Invalid response from
http://practical-pl.org/.well-known/acme-challenge/6OIKQE0y6tCPTyJldIWdojl8QJcgw0KvYSUfGuUoPRw:
“\n\n403
Forbidden\n\n

Forbidden

\n<p”

My domain is:
practical-pl.org

I ran this command:
certbot-auto

My web server is (include version):
Apache 2.4.45

The operating system my web server runs on is (include version):
Debian 9

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

I’d probably be able to solve this on my own, except certbot takes pains to under every configuration change it does, so I can’t experiment with the system.

This is a fairly default installed Apache. The error logs show this:
[Sun Oct 07 04:09:09.789266 2018] [access_compat:error] [pid 30349] [client 66.133.109.36:45256] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/nXsevA0ileMH29CjB6UKYkuNL52WrExFx_3rr3mqvtU

stevenzhu · October 7, 2018, 2:31am

Hi,

What exact command did you run?

What choice did you choose if you are in interactive mode (with certbot-auto)?

Thank you

shachar · October 7, 2018, 4:06am

I just ran “certbot-auto”, and selected two domain names (practical-pl.org and www.practical-pl.org. It seems to have correctly sent out the challenge, but the CA failed to get the response due to the above mentioned 403.

The 403 also appears in the usual server logs, so I’m fairly confident the request was sent out correctly.

stevenzhu · October 7, 2018, 5:53am

Emm…

Are you using the Apache Authenticator or Webroot?

Could you also please try to place a file under the .well-known/acme-challenge/ folder (just a sample dummy file) to test if the folder is accessible?

Thank you

mnordhoff · October 7, 2018, 6:26am

Can you identify what's blocking the requests and try to change or remove it?

Certbot tries to avoid most pitfalls, but doesn't always succeed.

If you run Certbot with --debug-challenges it will pause in the middle and you can examine the configuration.

There should also be some information in /var/log/letsencrypt/letsencrypt.log.

shachar · October 7, 2018, 6:56am

I am using apache authenticator.

It uses a <directory< directive to direct the traffic to /var/lib/letsencrypt/http_challenges/

When I replace that with a symbolic link, it works

Using the webroot authentication would probably work (I tried once, and got an error saying it couldn’t communicate with the VA, and I could get the files with my browser), but I’m worried that auto-renewal would be much more difficult.

system · November 6, 2018, 6:56am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.