403 Forbidden Error


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: andrewlyndem.com

I ran this command: certbot --apache

It produced this output: Forbidden. You don’t have permission to access / on this server.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): WebMin 1.900 + VirtualMin 6.04

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0


I followed the instructions on this page: https://certbot.eff.org/lets-encrypt/ubuntutrusty-apache and tried adding certificates to 3 sites from my server but this resulted in a 403 error on all my sites including the ones that I didn’t add a certificate to.

What should I do?


For hosting control panel software like Webmin/Virtualmin, there are usually more specialized ways to use Let’s Encrypt.

For example, https://doxfer.webmin.com/Webmin/Let’s_Encrypt

Trying to use Certbot may not be successful due the the ways that hosting control panels tend to manage their webserver configurations.


I tried to use cert delete and removed all the certificates I installed but now the Apche server won’t even start anymore.

Please help me revert the server to it’s initial stage so I can retry using the above webmin link.


You should also disable any Apache configuration file ending on -le-ssl.conf

Also, certbot wouldn’t have caused all your sites to return a 403 error, unless your Apache configuration is very strange and certbot contains a very serious bug. Most likely you have manually changed some aspect of the configuration.


I have deleted all the files ending in -le-ssl.conf as you recommended. The 403 error is gone but all my wordpress sites’ file/directory permissions have changed and I’m getting permission errors.

What should I do?


On checking the server logs, I got this error: - - [27/Jan/2019:06:25:27 -0500] "OPTIONS * HTTP/1.0" 200 116 "-" "Apache/2.4.7 (Ubuntu) SVN/1.8.8 mod_fcgid/2.3.9 PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f (internal dummy connection)"


This most certainly isn’t something certbot would have done.

Luckily, you still have backups from before your site was malfunctioning, don’t you?


@Osiris Yes I do. But I just want to see if I can try fixing the current set-up with that as the last resort.

And with the help of members in StackExchange, I managed to find out that the issue is because of “Certificate name mismatch” as can be seen here when I run the ssl check in ssllabs.

What could be causing this?


Apache configuration error.


@Osiris Can you please guide me in undoing this misconfiguration?


If you could provide your full Apache configuration, I might try.


@Osiris I am using a VPS that has Ubuntu 14.04.2 as the server OS with apache 2.4.7 as the web server. I use Webmin 1.900 as my server’s system configuration tool and Virtualmin 6.04 as my server’s Control Panel.


That’s not exactly what I meant, but I guess your Apache configuration files are managed by Webmin/Virtualmin.

Personally, I don’t have any experience with both of those systems. I only “know” how to debug the Apache configuration files themselves. But if they are generated and written by Webmin/Virtualmin, it’s probably not a very good idea to edit them manually.

Without the Apache configuration files themselves, I cannot help you.


How can I retrieve them? I can copy them and paste it here if you want.


With your root shell through SSH, as you have said in the startpost you have root access to your server.


@Osiris Hello. I have opened a new question with the apache configuration files added as you asked here: 403 Forbidden error on all sites after adding SSL certificate


403 generally means it requires authentication.
Are these sites open to the public?
Or do they require a login?

closed #19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.