Apache throws 403

QNo · December 18, 2023, 11:47pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pmadmin.qno.de

I ran this command: certbot certonly --apache

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: pmadmin.qno.de
Type: unauthorized
Detail: 2a01:4f9:3b:25b0:9:6:1:a02: Invalid response from http://pmadmin.qno.de/.well-known/acme-challenge/ZThU8E-b7FMWPiRHJevvYzRPbE1eEPJCZt83Hy627Qo: 403

My web server is (include version): apache2 2.4.52-1ubuntu4.7

The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

rg305 · December 19, 2023, 12:00am

Hi @QNo, and welcome to the LE community forum

Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS

and the log file, normally found at:
/var/log/letsencrypt/letsencrypt.log

rg305 · December 19, 2023, 12:05am

Oddly enough, I get 404 when I try that URL [via IPv6 and IPv4].
So, it may not be an Apache configuration issue...
Do you use anything that would block access based on source IP?
OR
Have you since made a change that would explain the 403 / 404 discrepancy?

QNo · December 19, 2023, 12:15am

root@bywater /etc/apache2/sites-available # apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
[2a01:4f9:3b:25b0:9:6:1:a02]:80 pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
65.21.136.15:80        pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)

Logfile: http://pmadmin.qno.de/letsencrypt.log

QNo · December 19, 2023, 12:19am

Strange. Apache runs on a Hetzner server wide wide away, and i can access pmadmin.qno.de and pmadmin.qno.de/letsencrypt.log both from safari on iPad from my home wlan. So i get a connection from outward through nftables without further authentification. Port 80 is definetly open.

Direct access by ip will not work as it’s a name virtual host.

rg305 · December 19, 2023, 12:22am

Is there a reason for using the IP in the vhost declaration?
Normally, we see:
https://httpd.apache.org/docs/2.4/vhosts/examples.html

rg305 · December 19, 2023, 12:31am

The problem is cause [indirectly] by the use of the --apache plugin:

2023-12-19 00:08:24,087:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: pmadmin.qno.de in: /etc/apache2/sites-enabled/a02-phpmyadmin.conf
2023-12-19 00:08:24,087:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/000-default.conf
2023-12-19 00:08:24,087:DEBUG:certbot_apache._internal.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2023-12-19 00:08:24,087:DEBUG:certbot_apache._internal.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

I suspect that something in the overall code is conflicting with the [temporary] modifications that certbot makes.

Let's have a look at this file:
/etc/apache2/sites-enabled/a02-phpmyadmin.conf

Then you can retry with:
certbot certonly --apache --debug-challenges

And show us the file while it has been modified.

QNo · December 19, 2023, 12:31am

Is there a reason for using the IP in the vhost declaration?
Yes. While the ipv4 address is for all vhosts, every vhost has its own ipv6 address.

rg305 · December 19, 2023, 12:33am

I'm confused...
Was this the entire output?:

root@bywater /etc/apache2/sites-available # apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
[2a01:4f9:3b:25b0:9:6:1:a02]:80 pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
65.21.136.15:80        pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)

QNo · December 19, 2023, 12:34am

Original a02-phpmyadmin.conf:

<VirtualHost 65.21.136.15:80 [2a01:04f9:003b:25b0:0009:0006:0001:0a02]:80>
    ServerAdmin webmaster@qno.de
    DocumentRoot  /srv/phpmyadmin_html
    ServerName pmadmin.qno.de
    ErrorLog /var/log/apache2/a02_phpmyadmin/error.log
    CustomLog /var/log/apache2/a02_phpmyadmin/access.log combined
    AddDefaultCharset UTF-8
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    DirectoryIndex index.php index.html

    <Directory /srv/phpmyadmin_html>
        AllowOverride All
        Require all granted
    </Directory>
#    RewriteRule        (.*).html$      /$1.php [QSA]


# phpMyAdmin default Apache configuration
Alias /pma /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php

    # limit libapache2-mod-php to files and directories necessary by pma
    <IfModule mod_php7.c>
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
    </IfModule>
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
</VirtualHost>

QNo · December 19, 2023, 12:34am

Yes. More VHosts will come as soon as i get certbot running.

rg305 · December 19, 2023, 12:36am

I don't seen anything wrong with that config.

I would try using --webroot

Like:
certbot certonly --webroot -w /srv/phpmyadmin_html -d pmadmin.qno.de

QNo · December 19, 2023, 12:37am

Additionally as last line before

Include /etc/apache2/le_http_01_challenge_post.conf

rg305 · December 19, 2023, 12:38am

Please show where it put that line.

QNo · December 19, 2023, 12:39am

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
Include /etc/apache2/le_http_01_challenge_post.conf
</VirtualHost>

QNo · December 19, 2023, 12:40am

/srv/phpmyadmin_html/.well-known/acme-challenge is empty while waiting for Enter to continue

rg305 · December 19, 2023, 12:40am

hmm...
That should have worked there.

rg305 · December 19, 2023, 12:40am

continue please

rg305 · December 19, 2023, 12:42am

OK, that may be part of the original problem.

QNo · December 19, 2023, 12:42am

continue please

Did. New log file with the old link. Same 403.

Topic		Replies	Views
Failed authorization procedure. Multiple virtualhosts apache Help	76	5724	August 21, 2018
Challenge failed for domain - Invalid response (404) Help	29	5043	December 17, 2020
Invalid response? Help	48	1977	March 24, 2020
Certbot apache or webroot failed to download the temporary challenge files Help	37	332	December 29, 2024
Certbot: Challenge failed for domain Help	57	34890	November 8, 2020

Apache throws 403

Related topics