My server and sites are accessible from the internet on ports 80 and 443. However, I see these 403 responses:
23.178.112.103 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U HTTP/1.1" 403 453 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.16.168.159 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U HTTP/1.1" 403 453 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.42.65.249 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U HTTP/1.1" 403 453 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.106 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs HTTP/1.1" 403 461 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.221.37.132 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs HTTP/1.1" 403 461 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.219.255.192 - - [06/Mar/2023:20:47:04 -0800] "GET /.well-known/acme-challenge/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs HTTP/1.1" 403 461 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
I didn't see any setup notes about the need for folders "/.well-known/acme-challenge/" to be pre-configured, and they do not exist. Are they a prerequisite for some reason?
Similarly in the error log:
[Mon Mar 06 20:47:04.065753 2023] [access_compat:error] [pid 9990] [client 23.178.112.103:43854] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U
[Mon Mar 06 20:47:04.082319 2023] [access_compat:error] [pid 9991] [client 3.16.168.159:63538] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U
[Mon Mar 06 20:47:04.096710 2023] [access_compat:error] [pid 9992] [client 52.42.65.249:42716] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U
[Mon Mar 06 20:47:04.143880 2023] [access_compat:error] [pid 9993] [client 23.178.112.106:34248] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs
[Mon Mar 06 20:47:04.189478 2023] [access_compat:error] [pid 9994] [client 34.221.37.132:26304] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs
[Mon Mar 06 20:47:04.212959 2023] [access_compat:error] [pid 9990] [client 18.219.255.192:34596] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs
What aspect of server configuration could be at fault here? Everything under "/" (the server root) is accessible.
My domain is: bkaj.net and sullivanzone.com
I ran this command: sudo certbot --apache
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): bkaj.net, sullivanzone.com
Requesting a certificate for bkaj.net and sullivanzone.com
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: bkaj.net
Type: unauthorized
Detail: 174.164.247.25: Invalid response from http://bkaj.net/.well-known/acme-challenge/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U: 403
Domain: sullivanzone.com
Type: unauthorized
Detail: 174.164.247.25: Invalid response from http://sullivanzone.com/.well-known/acme-challenge/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs: 403
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04.5 LTS
My hosting provider, if applicable, is:
self-hosted
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.3.0
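An added example, not part of the original post: a small triage script for "client denied by server configuration" entries like the ones in the error log above. It relies on two facts about Apache 2.4: the bracketed tag before `:error` names the module that logged the denial, and mod_access_compat is the module that evaluates the 2.2-style `Order`/`Allow`/`Deny` directives. The first three sample lines are copied from the post; the fourth is constructed for contrast.

```python
import re
from collections import defaultdict

# Apache 2.4 error log: [time] [module:level] [pid N] [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"\[(?P<time>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid \d+(?::tid \d+)?\] \[client (?P<ip>\S+):\d+\] (?P<code>AH\d+): "
    r"client denied by server configuration: (?P<path>\S+)"
)

# Directive family evaluated by the module that logged the denial.
DIRECTIVES = {
    "access_compat": "Order / Allow / Deny / Satisfy (2.2-style)",
    "authz_core": "Require (2.4-style)",
}

def triage(lines):
    """Group denials by (module, directory) and collect the distinct client IPs."""
    groups = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            directory = m["path"].rsplit("/", 1)[0]
            groups[(m["module"], directory)].add(m["ip"])
    return [
        {"module": mod, "directory": d, "clients": sorted(ips),
         "check": DIRECTIVES.get(mod, "unknown module")}
        for (mod, d), ips in sorted(groups.items())
    ]

# First three lines are from the post; the last one is constructed.
SAMPLE = [
    "[Mon Mar 06 20:47:04.065753 2023] [access_compat:error] [pid 9990] [client 23.178.112.103:43854] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U",
    "[Mon Mar 06 20:47:04.082319 2023] [access_compat:error] [pid 9991] [client 3.16.168.159:63538] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/7KFnuDDLKE3HfYOKZT6CXteVnGib-1UL55uyIXc9J9U",
    "[Mon Mar 06 20:47:04.143880 2023] [access_compat:error] [pid 9993] [client 23.178.112.106:34248] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/u4daIf-W1v7cohYbZoCVE76QKNyi3mQYxLh4TzSASXs",
    "[Mon Mar 06 20:50:00.000000 2023] [authz_core:error] [pid 9995] [client 192.0.2.10:50000] AH01630: client denied by server configuration: /var/www/html/private/index.html",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

For the lines in the post, every denial is attributed to access_compat under /var/lib/letsencrypt/http_challenges, so the directives to look for in the Apache configuration are of the `Order`/`Allow`/`Deny` family rather than `Require`.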