Apache: ACME challenge 403's

My domain is:
not really domain.com, but likely irrelevant to the convo.

I ran this command:
certbot certonly --webroot -w /var/www/html -d domain.com -d www.domain.com
It produced this output:

  • The following errors were reported by the server:
   Domain: domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.com/.well-known/acme-challenge/8qHxp1tzM1Fat-XVV6zKHZZBxZ9aqO1cAMj_vZ2X1XA
   [<IP>]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain.com/.well-known/acme-challenge/QMXETgpJJaGZkcFcX7-meduHaJkRGY46DQRWS7sPVQ8
   [<IP>]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

My web server is (include version):
Apache 2.4.29-1ubuntu
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.28.0

Additional Details:
I set apache2 to LogLevel Debug and attempted to access the challenge through a browser. The log yielded the following lines:

[Tue Apr 09 16:49:46.859177 2019] [ssl:info] [pid 8295] [client myip:16191] AH01964: Connection to child 0 established (server domain:443)
[Tue Apr 09 16:49:46.860021 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(2139): [client myip:16191] AH02043: SSL virtual host for servername domain found
[Tue Apr 09 16:49:46.860246 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(2139): [client myip:16191] AH02043: SSL virtual host for servername domain found
[Tue Apr 09 16:49:46.860366 2019] [core:debug] [pid 8295] protocol.c(2257): [client myip:16191] AH03155: select protocol from , choices=h2,http/1.1 for server domain
[Tue Apr 09 16:49:46.896611 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(2067): [client myip:16191] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Apr 09 16:49:46.918325 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(377): [client myip:16191] AH02034: Initial (No.1) HTTPS request received for child 0 (server domain:443)
[Tue Apr 09 16:49:46.918669 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of Require all denied: denied
[Tue Apr 09 16:49:46.918784 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of <RequireAny>: denied
[Tue Apr 09 16:49:46.918907 2019] [authz_core:error] [pid 8295] [client myip:16191] AH01630: client denied by server configuration: /var/www/html/.well-known/acme-challenge/test.txt
[Tue Apr 09 16:49:47.071186 2019] [ssl:debug] [pid 8295] ssl_engine_kernel.c(377): [client myip:16191] AH02034: Subsequent (No.2) HTTPS request received for child 0 (server domain:443)
[Tue Apr 09 16:49:47.071466 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of Require all granted: granted
[Tue Apr 09 16:49:47.071623 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of <RequireAny>: granted
[Tue Apr 09 16:49:47.071870 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of Require all granted: granted
[Tue Apr 09 16:49:47.071983 2019] [authz_core:debug] [pid 8295] mod_authz_core.c(809): [client myip:16191] AH01626: authorization result of <RequireAny>: granted
[Tue Apr 09 16:49:47.086175 2019] [ssl:debug] [pid 8295] ssl_engine_io.c(1103): [client myip:16191] AH02001: Connection closed to child 0 with standard shutdown (server domain:443) 

Looking at the log, it looks like there are two conflicting authz_core rules going on here. I checked this Apache thread about upgrading from 2.2 to 2.4 and how the config lines change in how they name directives. To get around the issue for now, I loaded mod_authz_compat.

More Context:
Here are the contents of my .htaccess

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Serve index.php itself without rewriting it again.
RewriteRule ^index\.php$ - [L]
# A RewriteCond only applies to the RewriteRule that immediately follows it,
# so the .well-known exclusion must come before the catch-all rule; placed
# after it (as originally posted) it has no effect.
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/(.*)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Credit to this thread for the last line in this config. Helped me with half of the issue :blush:

Also, yes, the directory and its file at .well-known/acme-challenge/test.txt have been 755'd.

I think that my solution is found in the answer to this question: what is the best way to go about finding the authz rule that is impeding access to the ACME challenge?

You are missing where the web server needs to allow access to that file/directory.


Can you elaborate just a little bit? I’m not sure what exactly you’re referencing :blush:

Certbot with webroot relies on whichever web server you are using to allow access to the required file.
Which is, as per your instructions, placed in folder:
/var/www/html/.well-known/acme-challenge/
The URL accessed is something like:
http://your.domain/.well-known/acme-challenge/some-agreed-file-name
It seems that your web server is NOT liking that path.
It doesn’t want to allow access to:
/var/www/html/.well-known/acme-challenge/test.txt
This is NOT an action of certbot.
It is an action of the web server (configuration).
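An added example, not from the thread, of the kind of Apache configuration that produces the "Require all denied" / AH01630 result in the debug log above, shown next to a corrected version. It assumes the deny comes from a hardening rule that hides every dot-directory (the poster's actual server config is not shown in the thread); the paths are the ones from the question.

```apache
# Added example (assumption): a hardening rule that hides dot-directories such
# as .git or .svn. Because "/var/www/html/.well-known" also contains "/.",
# it denies the ACME challenge directory too, which is what the debug log shows.
<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>

# A plain <Directory> grant does NOT undo this: Apache merges every
# <DirectoryMatch> section after all non-regex <Directory> sections, so the
# deny above still wins over the grant below.
# <Directory "/var/www/html/.well-known/acme-challenge">
#     Require all granted
# </Directory>

# Corrected, option 1: keep the hardening but exclude .well-known from the
# regex with a negative lookahead (Apache uses PCRE, so this is supported).
<DirectoryMatch "/\.(?!well-known(/|$))">
    Require all denied
</DirectoryMatch>

# Corrected, option 2: leave the deny untouched and grant only the challenge
# URL path in a <Location> block, which Apache merges after <Directory> and
# <DirectoryMatch>, so it takes precedence. Only the challenge subdirectory is
# opened, not all of .well-known.
<Location "/.well-known/acme-challenge/">
    Require all granted
</Location>
```

After changing the config, run apachectl configtest, reload Apache, and request http://domain.com/.well-known/acme-challenge/test.txt over plain HTTP (the path Let's Encrypt fetches); it should now return 200 instead of 403, and the AH01630 line should no longer appear in the error log.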

Hi everyone. It turned out that I wasn’t shutting down my apache2 instance before initiating the certbot renew command. Shutting down apache2 solved this issue. Please mark as closed/solved.
