403 Forbidden on initial cert request

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sarasotasailingsquadron.org

I ran this command: sudo certbot --apache -d sarasotasailingsquadron.org -d imap.sarasotasailingsquadron.org -d smtp.sarasotasailingsquadron.org -d webmail.sarasotasailingsquadron.org -d luffinglassies.org

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): webmaster@sarasotasailingsquadron.org

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at

(A)gree/©ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for imap.sarasotasailingsquadron.org
http-01 challenge for luffinglassies.org
http-01 challenge for sarasotasailingsquadron.org
http-01 challenge for smtp.sarasotasailingsquadron.org
http-01 challenge for webmail.sarasotasailingsquadron.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. smtp.sarasotasailingsquadron.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://smtp.sarasotasailingsquadron.org/.well-known/acme-challenge/pjl-SurmvA5XYBZ84FErL_aBST_n6H2_kxlWVMbM7Ds []: “\n\n403 Forbidden\n\n


\n<p”, imap.sarasotasailingsquadron.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://imap.sarasotasailingsquadron.org/.well-known/acme-challenge/Pl-dHqkrcJtz19DOAyjOhW14JNMTRjAVh4v6XPgLMns []: “\n\n403 Forbidden\n\n


\n<p”, luffinglassies.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://luffinglassies.org/.well-known/acme-challenge/FxGAvOapNwJFKrhP3-6-4YNs4071c9X3lvghew_Gc []: “<html lang=“en” data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWX”


My web server is (include version): apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0letsencrypt.txt (63.2 KB)

1 Like

Are you aware that luffinglassies.org expired a few weeks ago and is currently parked?


Yes I am. But that is not the reason for the failure, right?

It’s the reason for for 1 of the 3 failures. To resolve that one, don’t include the expired domain on your certificate request.

The remaining 2 failures are for smtp.sarasotasailingsquadron.org and imap.sarasotasailingsquadron.org. I’m not too sure about that one. It will probably have something to do with your virtual host setup.

apachectl -t -D DUMP_VHOSTS

Additionally, can you post the port 80 virtualhost config for either of those domains?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.