AH01797: client denied by server configuration

My server and sites are accessible from the internet on port 80 and 443. However, I see these 403 responses:
23.178.112.103 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U HTTP/1.1" 403 453 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.16.168.159 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U HTTP/1.1" 403 453 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.42.65.249 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U HTTP/1.1" 403 453 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.106 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs HTTP/1.1" 403 461 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.221.37.132 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs HTTP/1.1" 403 461 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.219.255.192 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs HTTP/1.1" 403 461 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I didn't see any setup notes about the need for folders "/.well-known/acme-challenge/" to be pre-configured, and they do not exist. Are they a prerequisite for some reason?

Similarly in the error log:

[Mon Mar 06 20:47:04.065753 2023] [access_compat:error] [pid 9990] [client 23.178.112.103:43854] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U
[Mon Mar 06 20:47:04.082319 2023] [access_compat:error] [pid 9991] [client 3.16.168.159:63538] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U
[Mon Mar 06 20:47:04.096710 2023] [access_compat:error] [pid 9992] [client 52.42.65.249:42716] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U
[Mon Mar 06 20:47:04.143880 2023] [access_compat:error] [pid 9993] [client 23.178.112.106:34248] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs
[Mon Mar 06 20:47:04.189478 2023] [access_compat:error] [pid 9994] [client 34.221.37.132:26304] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs
[Mon Mar 06 20:47:04.212959 2023] [access_compat:error] [pid 9990] [client 18.219.255.192:34596] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs

What aspect of server configuration could be at fault here? Everything under "/" (the server root) is accessible.

My domain is: bkaj.net and sullivanzone.com

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): bkaj.net, sullivanzone.com
Requesting a certificate for bkaj.net and sullivanzone.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: bkaj.net
Type: unauthorized
Detail: 174.164.247.25: Invalid response from http://bkaj.net/.well-known/acme-challenge/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U: 403

Domain: sullivanzone.com
Type: unauthorized
Detail: 174.164.247.25: Invalid response from http://sullivanzone.com/.well-known/acme-challenge/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04.5 LTS
My hosting provider, if applicable, is:
self-hosted
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.3.0
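As an added example (not posted by anyone in this thread), a small POSIX shell script that summarises ACME HTTP-01 challenge hits in an Apache access log, so that "the validation servers never reached this host" (no challenge requests at all) can be told apart from "they reached it but were refused" (challenge requests answered with 403, as in the question above). It assumes the default combined log format and runs on constructed sample lines; point it at /var/log/apache2/access.log instead of sample_log on a real system.

```shell
#!/bin/sh
# Added example: classify ACME HTTP-01 challenge requests in an Apache
# access log. Field positions ($7 = request path, $9 = status) follow the
# default combined log format.

# Constructed sample log lines standing in for /var/log/apache2/access.log.
sample_log() {
  cat <<'EOF'
203.0.113.10 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/TOKEN_A HTTP/1.1" 403 453 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.11 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/TOKEN_A HTTP/1.1" 403 453 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.12 - - [06/Mar/2023:20:47:05 -0800] "GET /.well-known/acme-challenge/TOKEN_B HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [06/Mar/2023:20:47:06 -0800] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"
EOF
}

# Read a log on stdin; print one line per (token, status): "<token> <status> <count>".
acme_challenge_summary() {
  awk '
    $7 ~ /^\/\.well-known\/acme-challenge\// {
      n = split($7, p, "/"); key = p[n] " " $9; c[key]++
    }
    END { for (k in c) print k, c[k] }' | sort
}

# Read a log on stdin; print a single verdict:
#   none   - no challenge requests reached this server (DNS/firewall/routing)
#   denied - challenge requests arrived but at least one got a 403 (server config)
#   ok     - every challenge request was answered with something other than 403
acme_challenge_verdict() {
  summary=$(acme_challenge_summary)
  if [ -z "$summary" ]; then
    echo none
  elif printf '%s\n' "$summary" | awk '$2 == 403 { f = 1 } END { exit !f }'; then
    echo denied
  else
    echo ok
  fi
}

sample_log | acme_challenge_summary
sample_log | acme_challenge_verdict
```

A "denied" verdict means the Certificate Authority's hint about reachability does not apply; the request is being refused by the web server itself, which is what AH01797 in the error log also says.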

What's the umask on your server?

3 Likes

Explain, please (maybe you mean a command):
umask
0002

You can just run:

umask

as the root user in an SSH terminal to get its value.

It can affect the permissions that Certbot's working directories get created with. We fixed that issue fairly recently, but it's possible that your directories were created before the fix was in.

Some "hardened" configurations of Ubuntu can sometimes have a stricter umask than on an ordinary system.

Edit: OK got it, thanks.

3 Likes

I just installed this a couple of hours ago.

Thanks. Can you also please share the output of:

find /var/lib/letsencrypt/http_challenges -ls

3 Likes

find /var/lib/letsencrypt/http_challenges -ls
956288 4 drwxr-xr-x 2 root root 4096 Mar 6 20:47 /var/lib/letsencrypt/http_challenges

That looks fine. I'm not sure what would be causing the problem in this case.

If you know the document root of your website, you could try something like:

sudo certbot run -d bkaj.net -d www.bkaj.net -i apache \
-a webroot -w /path/to/your/domains/webroot

If you're willing to try some more troubleshooting, posting the Apache <VirtualHost> for your website might give us a further clue why certbot --apache doesn't work. Up to you.

2 Likes

That worked. The issue could have been, I guess, that the server root was not at /var/www/?
Thanks a lot for your help.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.