Apache throws 403

Let's have a look at this file:
/etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

If you aren't using that vhost config file, please disable its use.
a2dissite /etc/apache2/sites-enabled/000-default.conf
OR
At least, use a ServerName in it:

[use a name that you would never serve - like: ServerName not-for-use]

Disabled now. Same result.

What does the Apache error log file show us?

Place a test text file in that challenge location:
echo "test" > /srv/phpmyadmin_html/.well-known/acme-challenge/Test_File-1234

Then we try:
http://pmadmin.qno.de/.well-known/acme-challenge/Test_File-1234

From apache2 error.log:

[Tue Dec 19 01:49:24.285268 2023] [mpm_prefork:notice] [pid 847586] AH00171: Graceful restart requested, doing restart
[Tue Dec 19 01:49:24.301882 2023] [mpm_prefork:notice] [pid 847586] AH00163: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Tue Dec 19 01:49:24.301891 2023] [core:notice] [pid 847586] AH00094: Command line: '/usr/sbin/apache2'
[Tue Dec 19 01:49:29.590890 2023] [mpm_prefork:notice] [pid 847586] AH00171: Graceful restart requested, doing restart
[Tue Dec 19 01:49:29.609858 2023] [mpm_prefork:notice] [pid 847586] AH00163: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Tue Dec 19 01:49:29.609871 2023] [core:notice] [pid 847586] AH00094: Command line: '/usr/sbin/apache2'

From phpmyadmins error.log:

[Tue Dec 19 01:49:28.791132 2023] [core:error] [pid 895364] (13)Permission denied: [client 2600:1f16:269:da02:4906:1c01:c613:b698:18948] AH00035: access to /.well-known/acme-challenge/X9pKM0GuSYsyaCyYfiOjIC9iR_ia9azny9xduMqNrkw denied (filesystem path '/var/lib/letsencrypt/http_challenges') because search permissions are missing on a component of the path
[Tue Dec 19 01:49:29.141287 2023] [core:error] [pid 895365] (13)Permission denied: [client 2600:3000:1511:200::85:57681] AH00035: access to /.well-known/acme-challenge/X9pKM0GuSYsyaCyYfiOjIC9iR_ia9azny9xduMqNrkw denied (filesystem path '/var/lib/letsencrypt/http_challenges') because search permissions are missing on a component of the path
[Tue Dec 19 01:49:29.191480 2023] [core:error] [pid 895367] (13)Permission denied: [client 2600:1f14:804:fd01:c0ba:2a71:c2ef:8fa9:52726] AH00035: access to /.well-known/acme-challenge/X9pKM0GuSYsyaCyYfiOjIC9iR_ia9azny9xduMqNrkw denied (filesystem path '/var/lib/letsencrypt/http_challenges') because search permissions are missing on a component of the path

Done now

Well there is the problem!

PHP no likey!

certbot is run as root, and root makes new files with root:root 640

In the path, everything has www-data:www-data u+rw(x) g+r(x) o-rwx
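Added here as a worked example, not something posted in the thread: a small Python check that walks a path the way the Apache worker must (search bit on every directory from / down, read bit on the final file) and reports the first component that would deny a given uid and gid set. The default target and user (/var/lib/letsencrypt/http_challenges, www-data) come from the thread; it evaluates classic mode bits only, so POSIX ACLs are not considered.

```python
import os
import stat
from pathlib import Path


def first_denied_component(path, uid, gids):
    """Walk `path` as a process running as `uid` with group ids `gids` would:
    every directory from / down needs the search (x) bit, and a regular file
    at the end needs the read (r) bit.  Returns the absolute path of the first
    component that denies access, or None if everything is reachable.
    Only classic mode bits are evaluated; POSIX ACLs are ignored, so None
    means "mode bits are not the problem", not proof that access works.
    """
    target = Path(path).resolve()
    # parents come deepest-first; reverse so / is tested first, like the kernel does
    components = list(reversed(target.parents)) + [target]
    for comp in components:
        st = os.stat(comp)
        # directories need search (x); the final file needs read (r)
        need = stat.S_IXUSR if stat.S_ISDIR(st.st_mode) else stat.S_IRUSR
        # pick the permission triplet the kernel would consult for this uid
        if st.st_uid == uid:
            shift = 0          # owner bits
        elif st.st_gid in gids:
            shift = 3          # group bits
        else:
            shift = 6          # other bits
        if not st.st_mode & (need >> shift):
            return str(comp)
    return None


def ids_for_user(name):
    """uid and full gid set (primary + supplementary) of a local account such as www-data."""
    import grp
    import pwd
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "www-data"
    target = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/letsencrypt/http_challenges"
    uid, gids = ids_for_user(user)
    denied = first_denied_component(target, uid, gids)
    print("reachable" if denied is None else f"denied at {denied}")
```

Run it as `python3 check_path.py www-data /var/lib/letsencrypt/http_challenges/<token>` on the affected host; the component it names is the one whose mode has to change (or whose ownership has to match the Apache user).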

-v plz

Where is this in your Apache config?:
/var/lib/letsencrypt/http_challenges

How does this work?????
curl http://pmadmin.qno.de/.well-known/acme-challenge/Test_File-1234
test
Isn't that file also root:root ???

Changed the file to www-data:www-data

Please don't make changes without saying anything - that is not good teamwork :frowning:
I'm trying to help you.
You need to help me help you.
I don't get paid by the hour and want this to take longer so I can charge you more - LOL
I volunteer my time here FOR FREE - so, I want this to go quickly!

Nowhere. Now that you mention this, I understand why it should be there. But where? Why isn't it in /etc/letsencrypt/options-ssl-apache.conf? And I do not find it in the docs.

grep for it within the apache directory - it must exist somewhere!
also check:
set | grep -i challenges

Maybe it exists somewhere in PHP ? ? ?

root@bywater /etc/apache2 # find . -exec grep /var/lib/letsencrypt {} \; -print

shows all dirs and files but no match.

set | grep -i challenges

empty

I added to a02-phpmyadmin.conf

<Directory /var/lib/letsencrypt/http_challenges>
   AllowOverride All
   Require all granted
</Directory>

And now I have too many requests and have to wait for an hour or so :frowning: