Apache throws 403

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pmadmin.qno.de

I ran this command: certbot certonly --apache

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: pmadmin.qno.de
Type: unauthorized
Detail: 2a01:4f9:3b:25b0:9:6:1:a02: Invalid response from http://pmadmin.qno.de/.well-known/acme-challenge/ZThU8E-b7FMWPiRHJevvYzRPbE1eEPJCZt83Hy627Qo: 403

My web server is (include version): apache2 2.4.52-1ubuntu4.7

The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

Hi @QNo, and welcome to the LE community forum :slight_smile:

Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS

and the log file, normally found at:
/var/log/letsencrypt/letsencrypt.log


Oddly enough, I get 404 when I try that URL [via IPv6 and IPv4].
So, it may not be an Apache configuration issue...
Do you use anything that would block access based on source IP?
OR
Have you since made a change that would explain the 403 / 404 discrepancy?

root@bywater /etc/apache2/sites-available # apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
[2a01:4f9:3b:25b0:9:6:1:a02]:80 pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
65.21.136.15:80        pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)

Logfile: http://pmadmin.qno.de/letsencrypt.log

Strange. Apache runs on a Hetzner server far, far away, and I can access pmadmin.qno.de and pmadmin.qno.de/letsencrypt.log both from Safari on an iPad from my home WLAN. So I get a connection from outside through nftables without further authentication. Port 80 is definitely open.

Direct access by IP will not work as it's a name-based virtual host.

Is there a reason for using the IP in the vhost declaration?
Normally, we see:
https://httpd.apache.org/docs/2.4/vhosts/examples.html


The problem is caused [indirectly] by the use of the --apache plugin:

2023-12-19 00:08:24,087:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: pmadmin.qno.de in: /etc/apache2/sites-enabled/a02-phpmyadmin.conf
2023-12-19 00:08:24,087:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/000-default.conf
2023-12-19 00:08:24,087:DEBUG:certbot_apache._internal.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2023-12-19 00:08:24,087:DEBUG:certbot_apache._internal.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

I suspect that something in the overall code is conflicting with the [temporary] modifications that certbot makes.

Let's have a look at this file:
/etc/apache2/sites-enabled/a02-phpmyadmin.conf

Then you can retry with:
certbot certonly --apache --debug-challenges

And show us the file while it has been modified.


Is there a reason for using the IP in the vhost declaration?
Yes. While the IPv4 address is for all vhosts, every vhost has its own IPv6 address.

I'm confused...
Was this the entire output?:

root@bywater /etc/apache2/sites-available # apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
[2a01:4f9:3b:25b0:9:6:1:a02]:80 pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
65.21.136.15:80        pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)

Original a02-phpmyadmin.conf:

<VirtualHost 65.21.136.15:80 [2a01:04f9:003b:25b0:0009:0006:0001:0a02]:80>
    ServerAdmin webmaster@qno.de
    DocumentRoot  /srv/phpmyadmin_html
    ServerName pmadmin.qno.de
    ErrorLog /var/log/apache2/a02_phpmyadmin/error.log
    CustomLog /var/log/apache2/a02_phpmyadmin/access.log combined
    AddDefaultCharset UTF-8
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    DirectoryIndex index.php index.html

    <Directory /srv/phpmyadmin_html>
        AllowOverride All
        Require all granted
    </Directory>
#    RewriteRule        (.*).html$      /$1.php [QSA]


# phpMyAdmin default Apache configuration
Alias /pma /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php

    # limit libapache2-mod-php to files and directories necessary by pma
    <IfModule mod_php7.c>
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
    </IfModule>
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
</VirtualHost>

Yes. More VHosts will come as soon as i get certbot running.

I don't see anything wrong with that config.

I would try using --webroot

Like:
certbot certonly --webroot -w /srv/phpmyadmin_html -d pmadmin.qno.de

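The two diagnostic angles above (the RewriteRule that the --apache plugin writes, which maps /.well-known/acme-challenge/<token> onto /var/lib/letsencrypt/http_challenges/<token>, and the --webroot alternative, which expects the token file under <webroot>/.well-known/acme-challenge/) can be exercised locally before spending another rate-limited attempt against the CA. The script below is an added example written for this page; it is not certbot's code and nobody in the thread posted it. It copies the token pattern from the RewriteRule quoted in the log above, places a self-check token in a temporary webroot, serves that webroot on a loopback port with Python's http.server and fetches the token back, distinguishing the three outcomes discussed in the thread: 200 with the right body, 404 (file not there), and 403 (access denied). The `denied_prefixes` parameter is a hypothetical stand-in for an Apache `Require all denied` block; it emulates only the observable status code, not Apache's directive merge order.

```python
"""Local HTTP-01 self-check: does <webroot>/.well-known/acme-challenge/<token> come back as 200?

Added example, not certbot code. Assumptions: Python 3.7+ (SimpleHTTPRequestHandler's
`directory` argument), a writable temporary directory, and a free loopback port.
"""
import functools
import http.server
import os
import re
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Token pattern taken verbatim from the RewriteRule certbot's apache plugin writes
# (see the letsencrypt.log excerpt above). No dots, so "../" can never match.
CHALLENGE_RE = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$")
CHALLENGE_DIR = "/var/lib/letsencrypt/http_challenges"   # target dir from the same RewriteRule


def rewrite_target(request_path, challenge_dir=CHALLENGE_DIR):
    """Emulate the plugin's RewriteRule: filesystem path the request maps to, or None if no match."""
    m = CHALLENGE_RE.match(request_path)
    return None if m is None else f"{challenge_dir}/{m.group(1)}"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server with a hypothetical 'Require all denied' emulation."""
    denied_prefixes = ()          # overridden per probe, e.g. ("/.well-known/",)

    def do_GET(self):
        if any(self.path.startswith(p) for p in self.denied_prefixes):
            self.send_error(403)  # what a denied <Directory>/<Location> looks like from outside
            return
        super().do_GET()

    def log_message(self, *args):  # keep stderr clean during the probes
        pass


def place_token(webroot, token=None):
    """Write a self-check token where `certbot --webroot -w <webroot>` would put the real one."""
    token = token or secrets.token_urlsafe(32)          # urlsafe alphabet is a subset of CHALLENGE_RE
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    body = f"{token}.selfcheck"
    with open(os.path.join(chal_dir, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body


def fetch_challenge(webroot, token, denied_prefixes=()):
    """Serve `webroot` on 127.0.0.1:<random port>, GET the challenge URL, return (status, body)."""
    handler = type("Handler", (_QuietHandler,), {"denied_prefixes": tuple(denied_prefixes)})
    handler = functools.partial(handler, directory=webroot)
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            url = f"http://127.0.0.1:{port}/.well-known/acme-challenge/{token}"
            try:
                with urllib.request.urlopen(url, timeout=5) as resp:
                    return resp.status, resp.read().decode("ascii", "replace")
            except urllib.error.HTTPError as err:
                return err.code, ""
        finally:
            srv.shutdown()


def run_selfcheck(webroot):
    """Three probes: present token (expect 200 + matching body), absent token (404), denied path (403)."""
    token, body = place_token(webroot)
    status_ok, got = fetch_challenge(webroot, token)
    status_missing, _ = fetch_challenge(webroot, "no-such-token")
    status_denied, _ = fetch_challenge(webroot, token, denied_prefixes=("/.well-known/",))
    return {
        "ok": status_ok == 200 and got == body,
        "missing_status": status_missing,
        "denied_status": status_denied,
        "token_matches_rewrite": rewrite_target(f"/.well-known/acme-challenge/{token}") is not None,
    }


def demo():
    """Run the self-check in a throwaway webroot (constructed input, nothing touches /srv)."""
    with tempfile.TemporaryDirectory() as webroot:
        return run_selfcheck(webroot)


if __name__ == "__main__":
    print(demo())
```

Against a real host the same idea is: drop a token file into the webroot, fetch http://<domain>/.well-known/acme-challenge/<token> from outside over both IPv4 and IPv6 (the CA's validation in this thread came in over IPv6), and read the status. A 404 means the request reached a vhost that does not serve that directory; a 403 means something in the merged configuration denies it, which is exactly what the `--debug-challenges` pause above is for: inspect the live config and the challenge directory while certbot is waiting.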

Additionally, as the last line before

Include /etc/apache2/le_http_01_challenge_post.conf

Please show where it put that line.

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
Include /etc/apache2/le_http_01_challenge_post.conf
</VirtualHost>

/srv/phpmyadmin_html/.well-known/acme-challenge is empty while waiting for Enter to continue

hmm...
That should have worked there.


continue please


OK, that may be part of the original problem.


continue please

Did. New log file with the old link. Same 403.