Apache: ACME challenge 403s

#1

My domain is:
not really domain.com, but likely irrelevant to the convo.

I ran this command:
certbot certonly --webroot -w /var/www/html -d domain.com -d www.domain.com
It produced this output:

  • The following errors were reported by the server:
   Domain: domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.com/.well-known/acme-challenge/8qHxp1tzM1Fat-XVV6zKHZZBxZ9aqO1cAMj_vZ2X1XA
   [<IP>]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain.com/.well-known/acme-challenge/QMXETgpJJaGZkcFcX7-meduHaJkRGY46DQRWS7sPVQ8
   [<IP>]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

My web server is (include version):
Apache 2.4.29-1ubuntu
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.28.0

Additional Details:
I set apache2 to LogLevel Debug and attempted to access the challenge through a browser. The log yielded the following lines:

[Tue Apr 09 16:49:46.859177 2019] [ssl:info] [pid 8295] [client myip:16191] AH01964: Connection to child 0 established (server domain:443)
[Tue Apr 09 16:49:46.860021 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(2139): [client myip:16191] AH02043: SSL virtual host for servername domain found
[Tue Apr 09 16:49:46.860246 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(2139): [client myip:16191] AH02043: SSL virtual host for servername domain found
[Tue Apr 09 16:49:46.860366 2019] [core:debug] [pid 8295] protocol.c(2257): [client myip:16191] AH03155: select protocol from , choices=h2,http/1.1 for server domain
[Tue Apr 09 16:49:46.896611 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(2067): [client myip:16191] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Apr 09 16:49:46.918325 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(377): [client myip:16191] AH02034: Initial (No.1) HTTPS request received for child 0 (server domain:443)
[Tue Apr 09 16:49:46.918669 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of Require all denied: denied
[Tue Apr 09 16:49:46.918784 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of <RequireAny>: denied
[Tue Apr 09 16:49:46.918907 2019] [authz_core:error] [pid 8295] [client myip:16191] AH01630: client denied by server configuration: /var/www/html/.well-known/acme-challenge/test.txt
[Tue Apr 09 16:49:47.071186 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(377): [client myip:16191] AH02034: Subsequent (No.2) HTTPS request received for child 0 (server domain:443)
[Tue Apr 09 16:49:47.071466 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of Require all granted: granted
[Tue Apr 09 16:49:47.071623 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of <RequireAny>: granted
[Tue Apr 09 16:49:47.071870 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of Require all granted: granted
[Tue Apr 09 16:49:47.071983 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of <RequireAny>: granted
[Tue Apr 09 16:49:47.086175 2019] [ssl:debug] [pid 8295] ssl_engine_io.c(1103): [client myip:16191] AH02001: Connection closed to child 0 with standard shutdown (server domain:443) 

Looking at the log, it looks like there are two conflicting authz_core rules going on here. I checked this Apache thread about upgrading from 2.2 to 2.4 and how the config lines change in how they name directives. To get around the issue for now, I loaded mod_authz_compat.

More Context:
Here are the contents of my .htaccess

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Leave the ACME / PKI validation paths alone. A RewriteCond only applies to
# the RewriteRule that immediately follows it, so it must come before the
# catch-all rule below, not after it (where it would be ignored).
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/(.*)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Credit to this thread for the .well-known RewriteCond in this config. Helped me with half of the issue :blush:

Also, yes, the directory and its file at .well-known/acme-challenge/test.txt have been 755'd.

I think that my solution is found in the answer to this question: what is the best way to go about finding the authz rule that is impeding access to the ACME challenge?

#2

You are missing where the web server needs to allow access to that file/directory.

#4

Can you elaborate just a little bit? I’m not sure what exactly you’re referencing :blush:

#5

Certbot with webroot relies on whichever web server you are using to allow access to the required file.
Which is, as per your instructions, placed in folder:
/var/www/html/.well-known/acme-challenge/
The URL accessed is something like:
http://your.domain/.well-known/acme-challenge/some-agreed-file-name
It seems that your web server is NOT liking that path.
It doesn’t want to allow access to:
/var/www/html/.well-known/acme-challenge/test.txt
This is NOT an action of certbot.
It is an action of the web server (configuration).
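
The reply above says the 403 is the web server's own authorization config, and the original post asks how to find the rule responsible. The shell script below is an added example written for this thread, not code posted by any participant. It locates the container blocks carrying "Require all denied" in an Apache 2.4 config (the only places the logged "AH01626: authorization result of Require all denied: denied" can come from), shows the blanket dot-directory pattern that commonly catches /.well-known/, and rewrites that pattern so the ACME path is excluded. The webroot /var/www/html, the Debian-style /etc/apache2 layout, and the embedded sample config are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from any participant.
# Assumptions: Debian/Ubuntu Apache 2.4 layout (/etc/apache2), webroot
# /var/www/html, and a constructed sample config embedded below so the
# functions can be exercised offline without root or a network.

# Constructed sample: the webroot is granted, then a hardening rule hides
# every dot-file and dot-directory. That second rule also hides
# /.well-known/ and produces "AH01630: client denied by server configuration".
SAMPLE_CONF=$(cat <<'EOF'
<Directory /var/www/html>
    Options -Indexes
    AllowOverride All
    Require all granted
</Directory>
# hardening rule: deny any path that contains a dot-directory
<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>
EOF
)

# find_denies: read an Apache config on stdin, print "LINE: <header>" for
# every Directory/Files/Location container that carries "Require all denied".
find_denies() {
    awk '
        /^[ \t]*<(Directory|DirectoryMatch|Files|FilesMatch|Location|LocationMatch)[ >]/ {
            hdr = $0; sub(/^[ \t]+/, "", hdr); start = NR
        }
        /^[ \t]*Require[ \t]+all[ \t]+denied/ && hdr != "" {
            print start ": " hdr
        }
        /^[ \t]*<\// { hdr = "" }
    '
}

# scan_live: run find_denies over the main config, every enabled site and
# conf snippet, and every .htaccess under the webroot, prefixed by file name.
scan_live() {
    for f in /etc/apache2/apache2.conf \
             /etc/apache2/sites-enabled/*.conf \
             /etc/apache2/conf-enabled/*.conf \
             $(find /var/www -name .htaccess 2>/dev/null); do
        [ -f "$f" ] || continue
        find_denies < "$f" | sed "s|^|$f:|"
    done
}

# fix_dotdir_rule: keep the dot-directory deny but exclude .well-known.
# Apache 2.4 compiles DirectoryMatch with PCRE, so a negative lookahead is
# valid. Adding a plain <Directory .../.well-known/acme-challenge> with
# "Require all granted" is NOT enough: non-regex <Directory> sections are
# merged before every <DirectoryMatch>, so the regex deny would still win.
fix_dotdir_rule() {
    sed 's|<DirectoryMatch "/\\\.">|<DirectoryMatch "/\\.(?!well-known)">|'
}

# probe: what the CA does, minus the real token. Expect "HTTP/1.1 200 OK";
# a 403 here means the web server config, not certbot, rejects the request.
probe() {
    domain=$1
    printf 'acme-probe' > /var/www/html/.well-known/acme-challenge/probe.txt
    curl -si "http://$domain/.well-known/acme-challenge/probe.txt" | head -n 1
}

# Demonstration on the constructed sample.
echo "deny blocks in sample config:"
printf '%s\n' "$SAMPLE_CONF" | find_denies
echo "dot-directory rule after the fix:"
printf '%s\n' "$SAMPLE_CONF" | fix_dotdir_rule | grep DirectoryMatch
```

On the real host, source the script and run scan_live to get file:line for every candidate deny block, apply the pattern change (or the equivalent edit by hand), then run "apache2ctl configtest" and reload before calling probe with the domain. The log in the first post shows the denial on an HTTPS request; the CA fetches the challenge over plain HTTP first and follows redirects, so the probe should be repeated against the https:// URL if port 80 redirects there.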

#6

Hi everyone. It turned out that I wasn’t shutting down my apache2 instance before initiating the certbot renew command. Shutting down apache2 solved this issue. Please mark as closed/solved.
