After applying certbot trying to access my website with https returns 403

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
compari-zone.com

I ran this command:
followed the instructions here - https://www.linode.com/docs/guides/how-to-install-certbot-on-centos-8/

It produced this output:
I'm getting the Fedora test page with status code 403

My web server is (include version):
Apache/2.4.46 (Fedora)

The operating system my web server runs on is (include version):
Fedora 32

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0

1 Like

Hi and welcome!

Let's see what we can do...
What says?:
apachectl -S

1 Like

Your Fedora test page however is fully secure! Isn't that what you wanted?

Also, that Linode guide uses certbot-auto wrapper script, which is being deprecated. Be aware that the script might not be upgraded or work at all in the future.

1 Like

Hi!

$ apachectl -S

apachectl: The "-S" option is not supported.

$ apachectl status

● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2020-11-15 08:51:26 UTC; 1h 11min ago
Docs: man:httpd.service(8)
Main PID: 72230 (httpd)
Status: "Total requests: 28; Idle/Busy workers 99/1;Requests/sec: 0.00655; Bytes served/sec: 88 B/sec"
Tasks: 318 (limit: 9501)
Memory: 89.9M
CPU: 10.343s
CGroup: /system.slice/httpd.service
├─72230 /usr/sbin/httpd -DFOREGROUND
├─72231 /usr/sbin/httpd -DFOREGROUND
├─72232 /usr/sbin/httpd -DFOREGROUND
├─72233 /usr/sbin/httpd -DFOREGROUND
├─72234 /usr/sbin/httpd -DFOREGROUND
├─72235 /usr/sbin/httpd -DFOREGROUND
├─72237 /usr/sbin/httpd -DFOREGROUND
├─72265 /usr/sbin/httpd -DFOREGROUND
└─72487 /usr/sbin/httpd -DFOREGROUND

Nov 15 08:51:25 compari-zone.com systemd[1]: Starting The Apache HTTP Server...
Nov 15 08:51:26 compari-zone.com systemd[1]: Started The Apache HTTP Server.
Nov 15 08:51:26 compari-zone.com httpd[72230]: Server configured, listening on: port 443, port 80

1 Like

Hi Osiris,

When accessing with http, I can see my website up and running (now it will redirect to https).
I expected to see it with https too.

What other details can I provide to help you help me :slight_smile: ?

1 Like

HTTP redirects to HTTPS.
HTTPS returns 403.

What does the HTTPS vhost config look like?

1 Like

My http vhost:

<VirtualHost *:80>
        ServerName compari-zone.com
        ServerAlias localhost

        Alias /static /var/www/my_site/static/

        WSGIScriptAlias / /var/www/my_site/newsite/wsgi.py
        #WSGIDaemonProcess apache user=apache group=apache
        WSGIDaemonProcess compari-zone.com processes=2 threads=15
        WSGIProcessGroup compari-zone.com

        <Directory /var/www/my_site/newsite>
                Require all granted
        </Directory>

        DocumentRoot /var/www/my_site/newsite
        CustomLog /var/www/my_site/tmp.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =compari-zone.com [OR]
RewriteCond %{SERVER_NAME} =localhost
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

My https vhost:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName compari-zone.com
        ServerAlias localhost

        Alias /static /var/www/my_site/static/

        WSGIScriptAlias / /var/www/my_site/newsite/wsgi.py
        #WSGIDaemonProcess apache user=apache group=apache
        #WSGIDaemonProcess compari-zone.com processes=2 threads=15
        #WSGIProcessGroup compari-zone.com

        <Directory /var/www/my_site/newsite>
                Require all granted
                DirectoryIndex index.html
        </Directory>

        DocumentRoot /var/www/my_site/newsite
        CustomLog /var/www/my_site/tmp.log combined

SSLCertificateFile /etc/letsencrypt/live/compari-zone.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/compari-zone.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
1 Like

Try removing both:
<IfModule mod_ssl.c>
</IfModule>

Because:

curl -Iki https://compari-zone.com/
HTTP/1.1 403 Forbidden

Date: Sun, 15 Nov 2020 10:16:08 GMT
Server: gws mod_wsgi/4.6.8 Python/3.8
Last-Modified: Tue, 28 Jan 2020 18:21:43 GMT
ETag: "15bc-59d374bbd1bc0"
Accept-Ranges: bytes
Content-Length: 5564
Content-Type: text/html; charset=UTF-8

curl -Iki https://compari-zone.com/static
HTTP/1.1 404 Not Found

Date: Sun, 15 Nov 2020 10:16:13 GMT
Server: gws mod_wsgi/4.6.8 Python/3.8
Content-Type: text/html; charset=iso-8859-1

1 Like

Thanks,

Removed and restarted httpd

I'm getting the same output from the command you executed

1 Like

Then there is another vhost config that is taking precedence.

Please show:
grep -Ri 'servername|virtual|listen|serveralias|ssl|root' /etc/apache2/
[if not @/etc/apache2/ replace with w/e your apache configs are]

1 Like

This command returned:

grep: /etc/httpd/run/wsgi.74867.0.1.sock: No such device or address
grep: /etc/httpd/run/cgisock.74867: No such device or address

But I do have another vhost (the default one) in ssl.conf:

<VirtualHost _default_:443>
1 Like

Hi @razot

if that doesn't work, what says

httpd -S

Your port 80 has the same DocumentRoot as your port 443. So if you have a 403, that vHost isn't used -> it's irrelevant.

2 Likes

$ httpd -S

VirtualHost configuration:
*:80                   compari-zone.com (/etc/httpd/conf/httpd.conf:84)
*:443                  is a NameVirtualHost
         default server compari-zone.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost compari-zone.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost compari-zone.com (/etc/httpd/conf/httpd-le-ssl.conf:1)
                 alias localhost
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/czone/Themis"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default 
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODSEC_2.5
Define: MODSEC_2.9
User: name="apache" id=48
Group: name="apache" id=48
1 Like

There is your bug. Two vHosts with the same domain name.

Merge these two in one.

1 Like
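The diagnosis above (two `<VirtualHost *:443>` blocks carrying the same ServerName, the stock one in ssl.conf listed first and therefore winning) can be automated. The following is an added example, not code from the thread or from Apache/Certbot: a small parser for the `httpd -S` / `apachectl -S` listing that groups vhosts by (port, server name) and reports every name defined more than once, along with which definition Apache will actually serve. Apache matches name-based vhosts in configuration order and `httpd -S` prints them in that same order, so the first entry of a duplicate group is the one that wins. The sample input is the listing posted earlier in this thread, trimmed to the VirtualHost section; function names and the output format are this example's own choices.

```python
"""Flag duplicate name-based vhosts in `httpd -S` output (added example)."""
import re
import sys
from collections import OrderedDict

# Constructed sample: the `httpd -S` listing posted in this thread,
# trimmed to the VirtualHost section.
SAMPLE_HTTPD_S = """\
VirtualHost configuration:
*:80                   compari-zone.com (/etc/httpd/conf/httpd.conf:84)
*:443                  is a NameVirtualHost
         default server compari-zone.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost compari-zone.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost compari-zone.com (/etc/httpd/conf/httpd-le-ssl.conf:1)
                 alias localhost
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/czone/Themis"
"""

# An address with exactly one vhost:  "*:80   example.com (/path/file.conf:84)"
SINGLE_RE = re.compile(r'^\S+:(\d+)\s+(\S+)\s+\(([^:]+):(\d+)\)\s*$')
# One entry of a NameVirtualHost list: "   port 443 namevhost example.com (/path/file.conf:56)"
NAMEVHOST_RE = re.compile(r'^\s+port\s+(\d+)\s+namevhost\s+(\S+)\s+\(([^:]+):(\d+)\)\s*$')


def parse_vhosts(text):
    """Return the vhosts in config order as dicts: port, name, file, line.

    The 'default server' and 'alias' lines are deliberately skipped: the
    default server repeats the first namevhost, and aliases belong to the
    entry above them.
    """
    vhosts = []
    for raw in text.splitlines():
        m = SINGLE_RE.match(raw) or NAMEVHOST_RE.match(raw)
        if m:
            port, name, path, lineno = m.groups()
            vhosts.append({"port": int(port), "name": name,
                           "file": path, "line": int(lineno)})
    return vhosts


def find_duplicates(vhosts):
    """Group by (port, name); keep only groups with more than one definition."""
    groups = OrderedDict()
    for vh in vhosts:
        groups.setdefault((vh["port"], vh["name"]), []).append(vh)
    return OrderedDict((k, v) for k, v in groups.items() if len(v) > 1)


def report(text):
    """Human-readable findings, one line per duplicate plus its shadowed copies."""
    lines = []
    for (port, name), defs in find_duplicates(parse_vhosts(text)).items():
        winner = defs[0]  # first definition in config order is the one Apache serves
        lines.append(f"port {port} name {name}: {len(defs)} definitions, "
                     f"Apache serves {winner['file']}:{winner['line']}")
        for shadowed in defs[1:]:
            lines.append(f"  shadowed: {shadowed['file']}:{shadowed['line']}")
    return lines


if __name__ == "__main__":
    # Pipe real output in with:  httpd -S 2>&1 | python3 this_script.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HTTPD_S
    findings = report(source)
    print("\n".join(findings) if findings else "no duplicate vhosts found")
```

On the sample, the report shows the port-443 entry from ssl.conf:56 as the one being served and the Certbot-generated httpd-le-ssl.conf:1 as shadowed, which matches the symptom in the thread: HTTPS was answered by the distribution's default SSL vhost rather than the application vhost.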

Duplicate name.
You can probably remove the ssl.conf file.
[I would move it elsewhere, just in case you need it later]

1 Like

Thank you JuergenAuer, rg305 and Osiris!
Fixed the bug you found and now my site is accessible again!

Best support I ever got :clap:t3:

4 Likes