After applying certbot trying to access my website with https returns 403

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
followed the instructions here -

It produced this output:
I'm getting the Fedora test page with status code 403

My web server is (include version):
Apache/2.4.46 (Fedora)

The operating system my web server runs on is (include version):
Fedora 32

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0


Hi and welcome!

Let's see what we can do...
What does this say?:
apachectl -S


Your Fedora test page however is fully secure! Isn't that what you wanted?

Also, that Linode guide uses the certbot-auto wrapper script, which is being deprecated. Be aware that the script might not be upgraded or work at all in the future.



$ apachectl -S

apachectl: The "-S" option is not supported.

$ apachectl status

● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2020-11-15 08:51:26 UTC; 1h 11min ago
Docs: man:httpd.service(8)
Main PID: 72230 (httpd)
Status: "Total requests: 28; Idle/Busy workers 99/1;Requests/sec: 0.00655; Bytes served/sec: 88 B/sec"
Tasks: 318 (limit: 9501)
Memory: 89.9M
CPU: 10.343s
CGroup: /system.slice/httpd.service
├─72230 /usr/sbin/httpd -DFOREGROUND
├─72231 /usr/sbin/httpd -DFOREGROUND
├─72232 /usr/sbin/httpd -DFOREGROUND
├─72233 /usr/sbin/httpd -DFOREGROUND
├─72234 /usr/sbin/httpd -DFOREGROUND
├─72235 /usr/sbin/httpd -DFOREGROUND
├─72237 /usr/sbin/httpd -DFOREGROUND
├─72265 /usr/sbin/httpd -DFOREGROUND
└─72487 /usr/sbin/httpd -DFOREGROUND

Nov 15 08:51:25 systemd[1]: Starting The Apache HTTP Server...
Nov 15 08:51:26 systemd[1]: Started The Apache HTTP Server.
Nov 15 08:51:26 httpd[72230]: Server configured, listening on: port 443, port 80


Hi Osiris,

When accessing with http, I can see my website up and running (now it will redirect to https).
I expected to see it with https too.

What other details can I provide to help you help me :slight_smile: ?


HTTP redirects to HTTPS.
HTTPS returns 403.

What does the HTTPS vhost config look like?


My http vhost:

<VirtualHost *:80>
        ServerAlias localhost

        Alias /static /var/www/my_site/static/

        WSGIScriptAlias / /var/www/my_site/newsite/
        #WSGIDaemonProcess apache user=apache group=apache
        WSGIDaemonProcess processes=2 threads=15

        <Directory /var/www/my_site/newsite>
                Require all granted
        </Directory>

        DocumentRoot /var/www/my_site/newsite
        CustomLog /var/www/my_site/tmp.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} [OR]
RewriteCond %{SERVER_NAME} =localhost
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

My https vhost:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAlias localhost

        Alias /static /var/www/my_site/static/

        WSGIScriptAlias / /var/www/my_site/newsite/
        #WSGIDaemonProcess apache user=apache group=apache
        #WSGIDaemonProcess processes=2 threads=15

        <Directory /var/www/my_site/newsite>
                Require all granted
                DirectoryIndex index.html
        </Directory>

        DocumentRoot /var/www/my_site/newsite
        CustomLog /var/www/my_site/tmp.log combined

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Try removing both:
<IfModule mod_ssl.c>
</IfModule>

curl -Iki
HTTP/1.1 403 Forbidden

Date: Sun, 15 Nov 2020 10:16:08 GMT
Server: gws mod_wsgi/4.6.8 Python/3.8
Last-Modified: Tue, 28 Jan 2020 18:21:43 GMT
ETag: "15bc-59d374bbd1bc0"
Accept-Ranges: bytes
Content-Length: 5564
Content-Type: text/html; charset=UTF-8

curl -Iki
HTTP/1.1 404 Not Found

Date: Sun, 15 Nov 2020 10:16:13 GMT
Server: gws mod_wsgi/4.6.8 Python/3.8
Content-Type: text/html; charset=iso-8859-1



Removed and restarted httpd

I'm getting the same output from the command you executed


Then there is another vhost config that is taking precedence.

Please show:
grep -RiE 'servername|virtual|listen|serveralias|ssl|root' /etc/apache2/
[if not @/etc/apache2/ replace with w/e your apache configs are]


This command returned:

grep: /etc/httpd/run/wsgi.74867.0.1.sock: No such device or address
grep: /etc/httpd/run/cgisock.74867: No such device or address

But I do have another vhost (the default one) in ssl.conf:

<VirtualHost _default_:443>

Hi @razot

If that doesn't work, what does this say:

httpd -S

Your port 80 has the same DocumentRoot as your port 443. So if you have a 403, that vHost isn't used -> it's irrelevant.


$ httpd -S

httpd -S
VirtualHost configuration:
*:80          (/etc/httpd/conf/httpd.conf:84)
*:443                  is a NameVirtualHost
         default server (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost (/etc/httpd/conf/httpd-le-ssl.conf:1)
                 alias localhost
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/czone/Themis"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default 
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/etc/httpd/run/"
Define: MODSEC_2.5
Define: MODSEC_2.9
User: name="apache" id=48
Group: name="apache" id=48

There is your bug. Two vHosts with the same domain name.

Merge these two in one.


Duplicate name.
You can probably remove the ssl.conf file.
[I would move it elsewhere, just in case you need it later]
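
The check that located the problem in this thread (two `namevhost` entries for one name under `*:443` in the `httpd -S` dump), as an added example that is not part of the original posts. The function name, the `example.com` placeholder and the sample dump are constructed; the file paths are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: report name-based vhosts that collide in `httpd -S` output.
# For one address:port, Apache serves a duplicated name from the vhost it
# loaded first; the later definition is never selected for that name.

find_duplicate_vhosts() {   # reads an `httpd -S` dump on stdin
    awk '
    # "<addr>:<port> is a NameVirtualHost" opens a group of vhosts
    /is a NameVirtualHost/ { listen = $1; next }
    # "port 443 namevhost <name> (<file>:<line>)"
    $1 == "port" && $3 == "namevhost" {
        name = $4; loc = $5
        # Assumption: a dump with the name stripped (as quoted in this
        # thread) has the location in field 4; group those together.
        if (substr($4, 1, 1) == "(") { name = "(name missing)"; loc = $4 }
        gsub(/[()]/, "", loc)
        key = listen SUBSEP name
        if (key in first)
            printf "DUPLICATE %s name=%s served_by=%s shadowed=%s\n", listen, name, first[key], loc
        else
            first[key] = loc
    }'
}

sample_dump() {             # constructed sample; example.com is a placeholder
    cat <<'EOF'
VirtualHost configuration:
*:80                   example.com (/etc/httpd/conf/httpd.conf:84)
*:443                  is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf/httpd-le-ssl.conf:1)
                 alias localhost
EOF
}

sample_dump | find_duplicate_vhosts
```

On a live server the same function can be fed with `httpd -S 2>&1 | find_duplicate_vhosts`; an empty result means no name is defined twice on the same address and port.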


Thank you JuergenAuer, rg305 and Osiris!
Fixed the bug you found and now my site is accessible again!

Best support I ever got :clap:t3:

