Acme-challenge fails

Hi all, thanks for your help

My domain is: lebichani.fr

I ran this command: sudo certbot renew --post-hook "systemctl reload nginx"

It produced this output:
Processing /etc/letsencrypt/renewal/lebichani.fr.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lebichani.fr
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (lebichani.fr) from /etc/letsencrypt/renewal/lebichani.fr.conf produced an unexpected error: Failed authorization procedure. lebichani.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 92.159.196.199: Invalid response from https://lebichani.fr/.well-known/acme-challenge/XJAnT3AgsN8vmS-y9lGFd2HlZVctG-YcP4d9tiEQcGo: 403. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lebichani.fr/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/ebenisterieabc.fr/fullchain.pem expires on 2023-03-27 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lebichani.fr/fullchain.pem (failure)


Running post-hook command: systemctl reload nginx
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): raspbian 10.13

My hosting provider, if applicable, is: hosted from home

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

1 Like

Hello @kamekool, welcome to the Let's Encrypt community. :slightly_smiling_face:

I would have expected file not found instead of this:

$ curl -Ii http://lebichani.fr/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 22 Feb 2023 16:18:42 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://lebichani.fr/.well-known/acme-challenge/sometestfile
$ curl -k -Ii https://lebichani.fr/.well-known/acme-challenge/sometestfile
HTTP/2 403
server: nginx/1.14.2
date: Wed, 22 Feb 2023 16:18:46 GMT
content-type: text/html; charset=UTF-8
set-cookie: oc9r04yskf4q=ckt7trv3bjta5u670ou1rg8mgr; path=/; secure; HttpOnly; SameSite=Strict
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=fmB3B4T%2Fm3RjpZIRiZrEqtO%2FygpkVcbh4txV6oryWBIDRY0e9qp0hvfmVluZHRZOSHJAMR839Zo1Sd2sOUlg2brlWUp0JKMqLs0qdJNBMfje1dBJ%2F57n2G6GiN%2BmRdYC; expires=Wed, 22-Feb-2023 16:38:46 GMT; Max-Age=1200; path=/; secure; HttpOnly; SameSite=Strict
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *

Also, that is an old version of Certbot; check the Certbot 2.3.0 Release.

3 Likes

That looks like the webroot being used is incorrect OR the nginx configuration has been altered since the last renewal.

We should have a look at both:

  • the renewal config file: /etc/letsencrypt/renewal/lebichani.fr.conf
  • the complete nginx config: nginx -T

3 Likes

Thanks for your replies :slightly_smiling_face:

Below is the /etc/letsencrypt/renewal/lebichani.fr.conf:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/lebichani.fr
cert = /etc/letsencrypt/live/lebichani.fr/cert.pem
privkey = /etc/letsencrypt/live/lebichani.fr/privkey.pem
chain = /etc/letsencrypt/live/lebichani.fr/chain.pem
fullchain = /etc/letsencrypt/live/lebichani.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 8201d37a665ee7986281b4c25b2f7299
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
post_hook = systemctl reload nginx
[[webroot_map]]
lebichani.fr = /var/www/owncloud

and nginx -T:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	#server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/php-fpm.conf:

# configuration file /etc/nginx/sites-enabled/abc.conf:
upstream php-wp {
    server            unix:/var/run/abc.sock;
}

server {
    listen            80;
    listen            [::]:80;
    server_name       ebenisterieabc.fr;
    return            301 https://$host$request_uri;
}

server {
    listen                    443 ssl http2;
    listen                    [::]:443 ssl http2;
    root              /var/www/abc;
    
    index             index.php;

    ssl_certificate /etc/letsencrypt/live/ebenisterieabc.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ebenisterieabc.fr/privkey.pem;    

    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers               'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
    ssl_ecdh_curve            secp384r1;
    
    ssl_session_cache         shared:SSL:1m;
    ssl_session_timeout       1440m;
    ssl_stapling              on;
    ssl_stapling_verify       on;
    resolver                  8.8.8.8 8.8.4.4;

    add_header                Strict-Transport-Security max-age=31536000;

    location / {
        try_files     $uri $uri/ /index.php?$args;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log    off;
    }

    location = /robots.txt {
        allow                    all;
        log_not_found off;
        access_log    off;
    }

    location ~ .php$ {
        include       fastcgi.conf;
        fastcgi_pass  php-wp;
    }

    location ~* .(js|css|png|jpg|jpeg|gif|ico)$ {
        expires       max;
        log_not_found off;
    }
} 
 


# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/sites-enabled/owncloud.conf:
upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/run/php/php7.4-fpm.sock;
}

server {
    listen 80;
    server_name lebichani.fr;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name lebichani.fr;

    ssl_certificate /etc/letsencrypt/live/lebichani.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lebichani.fr/privkey.pem;

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    root /var/www/owncloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    gzip off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        access_log off;
    }
}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

The HTTP challenge requests are being forwarded to HTTPS:

server {
    listen 80;
    server_name lebichani.fr;
    return 301 https://$server_name$request_uri;
}

The HTTPS challenge request is being redirected to a PHP page:

    location / {
        rewrite ^ /index.php$uri;
    }

= The challenge fails.

4 Likes

Ok, I see.
How am I to change that correctly? I'm not really an expert.
Do I just remove the redirection?

I'd leave the redirection.
But add an exclusion to bypass redirection for the ACME challenge requests.
[and also include the same root path as used by the webroot settings]

3 Likes

I tried to add this in the http section:
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;

and this in /etc/nginx/snippets/letsencrypt-acme-challenge.conf:
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/owncloud;
    break;
}
location = /.well-known/acme-challenge/ {
    return 404;
}

But no difference when renewing the cert.

Those locations don't look quite right. Try:

server {
    listen 80;
    listen  [::]:80;
    server_name lebichani.fr;

    location /.well-known/acme-challenge/ {
        root /var/www/owncloud;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

You should really add a listen for IPv6 too since your other server blocks have that.

5 Likes

I'd try creating the full challenge path and placing a test text file in that location.
To see if it can be reached from the Internet.
[before continuing to test actual renewal requests]

4 Likes

Also, there are fresher versions of nginx (nginx: download).

1 Like

OK, so I tried to put a test file at
https://lebichani.fr/.well-known/acme-challenge/test.txt

This is not accessible; permissions look like this:
drwxr-xr-x 3 www-data www-data 4,0K févr. 22 16:08 .well-known

Maybe something to do with the .htaccess from ownCloud?

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header      unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"
    Header      unset X-XSS-Protection
    Header always set X-XSS-Protection "0"
    Header      unset X-Robots-Tag
    Header always set X-Robots-Tag "none"
    Header      unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"
    Header      unset X-Download-Options
    Header always set X-Download-Options "noopen"
    Header      unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Let browsers cache CSS, JS files for half a year
  <FilesMatch "\.(css|js)$">
    Header      unset Cache-Control
    Header always set Cache-Control "max-age=15778463"
  </FilesMatch>
  
  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff$">
    Header      unset Cache-Control
    Header always set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

<IfModule mod_php5.c>
    php_value always_populate_raw_post_data -1
    php_value upload_max_filesize 513M
    php_value post_max_size 513M
    php_value memory_limit 512M
    php_value mbstring.func_overload 0
    php_value default_charset 'UTF-8'
    php_value output_buffering 0
    <IfModule mod_env.c>
      SetEnv htaccessWorking true
    </IfModule>
</IfModule>

<IfModule mod_php7.c>
    php_value upload_max_filesize 513M
    php_value post_max_size 513M
    php_value memory_limit 512M
    php_value mbstring.func_overload 0
    php_value default_charset 'UTF-8'
    php_value output_buffering 0
    <IfModule mod_env.c>
      SetEnv htaccessWorking true
    </IfModule>
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates|changelog)/.* - [R=404,L]
  RewriteRule ^core/signature\.json - [R=404,L]
  RewriteRule ^(?:core/skeleton)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /owncloud/core/templates/403.php
ErrorDocument 404 /owncloud/core/templates/404.php

IPv6 added

I don't see anything wrong with that .htaccess file.

Are there any clues in nginx access.log or error.log files?

2 Likes

With a tail -f:

> [IP] - - [23/Feb/2023:11:05:35 +0000] "GET /.well-known/acme-challenge/test.txt HTTP/2.0" 403 6531 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0"

and the error.log:

> 2023/02/23 11:06:23 [error] 9630#9630: *90991 access forbidden by rule, client: [IP], server: lebichani.fr, request: "GET /.well-known/acme-challenge/test.txt HTTP/2.0", host: "lebichani.fr"

You must find this rule and change it.

2 Likes

I tried to add your rules in the http part, and it worked!
Thanks a lot.

1 Like

Good. I can see your test.txt file now, but using http: instead of https: (like it should).

And, I see your server is using a new cert from today. Very nice.

3 Likes

Thanks.
How can it be using https then? Because it didn't work when the rule was in the https section on this host.

1 Like

The ACME HTTP Challenge always arrives on port 80 (http). You can redirect it to another http or https location. But, unless redirection is needed for some reason it is best to process the challenge when it first arrives. (more details here)

All other requests to HTTP should be redirected to HTTPS. Which is what my suggested location blocks did. And, of course, regular requests can first come into HTTPS.

3 Likes
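A way to run the test-file check suggested earlier in the thread the way the ACME server fetches it (plain http on port 80, redirects not followed, as the last reply explains), added here as an example that is not from this thread, from Certbot or from nginx. It assumes the domain and webroot from the renewal config are passed on the command line; the helper names and the verdict strings are this example's own.

```python
"""Check that an http-01 challenge file in the webroot is reachable the way the
ACME server fetches it: over plain http, without following redirects.
The verdicts mirror the failure seen in this thread: a 301 to https and then a
403 from the application. Helper names here are this example's own (assumed)."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """GET url over the network; return (status, headers, body) for any status."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # raised for 3xx (unfollowed), 4xx, 5xx
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def diagnose(status, headers, body, expected):
    """Map one response to a short verdict a practitioner can act on."""
    if status == 200 and body.strip() == expected:
        return "ok"
    if status == 200:
        return "wrong content: another handler (e.g. index.php) served the path"
    if status in (301, 302, 307, 308):
        loc = {k.lower(): v for k, v in headers.items()}.get("location", "")
        if loc.startswith("https://"):
            return "redirected to https: port-80 server block has no acme-challenge location"
        return "redirected elsewhere: " + loc
    if status == 403:
        return "403: a deny rule or application error page catches /.well-known/acme-challenge/"
    if status == 404:
        return "404: challenge location is served but its root does not match the webroot"
    return "unexpected status %d" % status


def check_webroot(domain, webroot, fetcher=fetch):
    """Drop a random token file into the webroot, fetch it over http, clean up.
    `fetcher` can be swapped for a fake so the logic can be exercised offline."""
    token = secrets.token_urlsafe(32)  # constructed test token, not a real ACME token
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(token)
    try:
        status, headers, body = fetcher("http://%s/%s/%s" % (domain, CHALLENGE_DIR, token))
        return diagnose(status, headers, body, token)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    # usage: python check_acme_path.py lebichani.fr /var/www/owncloud
    print(check_webroot(sys.argv[1], sys.argv[2]))
```

Run it as the user that owns the webroot so the token file is created with permissions nginx can read; a verdict other than "ok" names the nginx block to look at first.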