Apache2 client denied by server configuration

Hello,

I am fairly new to certificates and I am having some issues I don't understand. Hope someone can help me out or push me in the right direction.

My domain is:

nederheim.nl

I ran this command:

sudo certbot certonly --apache -v --dry-run

It produced this output:

Performing the following challenges:
http-01 challenge for nederheim.nl
http-01 challenge for www.nederheim.nl
Waiting for verification...
Challenge failed for domain nederheim.nl
Challenge failed for domain www.nederheim.nl
http-01 challenge for nederheim.nl
http-01 challenge for www.nederheim.nl

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: nederheim.nl
  Type:   unauthorized
  Detail: 92.108.177.33: Invalid response from http://nederheim.nl/.well-known/acme-challenge/3IgHPBz_9SnWclnot5w9btJe29OVy4zBxdalz4eu68s: 403

  Domain: www.nederheim.nl
  Type:   unauthorized
  Detail: 92.108.177.33: Invalid response from http://www.nederheim.nl/.well-known/acme-challenge/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version):

Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 22.04.1 LTS

My hosting provider, if applicable, is:

TransIP

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.32.0

Log from apache2

[Fri Dec 02 09:57:49.699509 2022] [access_compat:error] [pid 790742] [client 3.17.74.78:53568] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/3IgHPBz_9SnWclnot5w9btJe29OVy4zBxdalz4eu68s
[Fri Dec 02 09:57:49.873331 2022] [access_compat:error] [pid 790743] [client 54.202.242.235:12338] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/3IgHPBz_9SnWclnot5w9btJe29OVy4zBxdalz4eu68s
[Fri Dec 02 09:57:49.906330 2022] [access_compat:error] [pid 790744] [client 23.178.112.107:19374] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/3IgHPBz_9SnWclnot5w9btJe29OVy4zBxdalz4eu68s
[Fri Dec 02 09:57:49.939463 2022] [access_compat:error] [pid 790745] [client 3.17.74.78:53578] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o
[Fri Dec 02 09:57:50.147336 2022] [access_compat:error] [pid 790746] [client 54.202.242.235:12352] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o
[Fri Dec 02 09:57:50.169706 2022] [access_compat:error] [pid 790742] [client 23.178.112.106:26592] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o

/etc/sites-available settings

<VirtualHost <server ip>:80>
    ServerName www.nederheim.nl
    ServerAlias nederheim.nl

    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/lib/letsencrypt/http_challenges>
        Require all granted
    </Directory>
    <Location /.well-known/acme-challenge>
        Require all granted
    </Location>
</VirtualHost>

<VirtualHost <server ip>:443>
    ServerName www.nederheim.nl
    ServerAlias nederheim.nl

    DocumentRoot /var/www/html
    
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/lib/letsencrypt/http_challenges>
    	Require all granted
    </Directory>
    <Location /.well-known/acme-challenge>
        Require all granted
    </Location>

</VirtualHost>

I am not sure if it makes sense to add the directory and location settings to both the virtual host settings of port 80 and 443; as I said, I am fairly new to this.

I just noticed my site is not reachable to the public, which explains why Let's Encrypt cannot make any connection. I think it is only reachable for certain IP addresses (such as my own), which is why I didn't notice it before.

Hi @Davidoffo and welcome to the forum.
If it helps any, I can reach your site on both port(s) 80 and 443.
HTTPS is serving a LE Certificate valid until Thu, 02 Mar 2023 10:41:05 GMT


So at least you know others can access your site at this time. (I am in Oregon USA)
As for the

 AH01797: client denied by server configuration

It looks like that is a permissions issue that needs to be resolved for sure. I am certain another volunteer here would help you with your Apache configuration even though it is a bit out of scope for this forum.
Personally I suspect this directive may have something to do with the issue.

Take a read here:

ALSO if you share the output of the following commands it will help.

apache2ctl -S
apache2ctl -t -D DUMP_VHOSTS

Hey thanks for your reply!

I was able to fix my issue to add this to my virtual host file:

<Location />
    Allow from all
</Location>

After this I was able to reach the site with certbot and a certificate was successfully installed.

If you think this is wrong let me know!


Doesn't seem like the proper responses are being sent for the HTTP-01 Challenges

$ curl -I http://nederheim.nl/.well-known/acme-challenge/3IgHPBz_9SnWclnot5w9btJe29OVy4zBxdalz4eu68s
HTTP/1.1 302 Found
Date: Fri, 02 Dec 2022 15:29:05 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://www.nederheim.nl.well-known/acme-challenge/3IgHPBz_9SnWclnot5w9btJe29OVy4zBxdalz4eu68s
Content-Type: text/html; charset=iso-8859-1

$ curl -I http://www.nederheim.nl/.well-known/acme-challenge/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o
HTTP/1.1 302 Found
Date: Fri, 02 Dec 2022 15:29:26 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://www.nederheim.nl.well-known/acme-challenge/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o
Content-Type: text/html; charset=iso-8859-1

We are dealing with Apache.
Take nothing for granted.


Sorry for my late response. You are right there is still something wrong. See the output:

AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/nederheim-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/nederheim.nl/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.

I am not sure why it is giving this message, because the file does exist at the given location.

Need to use sudo for those like:

sudo apache2ctl -S
sudo apache2ctl -t -D DUMP_VHOSTS

Lack of permissions prevents Apache from reading the cert files.


Ah yes. Here is the output with sudo rights:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using <serverip>. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
<serverip>     is a NameVirtualHost
         default server jan.upcycle.nederheim.nl (/etc/apache2/sites-enabled/jan.upcycle-ssl.conf:1)
         port 443 namevhost jan.upcycle.nederheim.nl (/etc/apache2/sites-enabled/jan.upcycle-ssl.conf:1)
                 alias www.jan.upcycle.nederheim.nl
         port 443 namevhost  (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost gitlab.nederheim.nl (/etc/apache2/sites-enabled/gitlab-ssl.conf:1)
                 alias www.gitlab.nederheim.nl
         port 443 namevhost mattermost.nederheim.nl (/etc/apache2/sites-enabled/mattermost-ssl.conf:1)
                 alias www.mattermost.nederheim.nl
         port 443 namevhost www.nederheim.nl (/etc/apache2/sites-enabled/nederheim-ssl.conf:1)
                 alias nederheim.nl
         port 443 namevhost jandirk.upcycle.nederheim.nl (/etc/apache2/sites-enabled/jandirk.upcycle-ssl.conf:1)
                 alias www.jandirk.upcycle.nederheim.nl
192.168.178.27:80      is a NameVirtualHost
         default server jan.upcycle.nederheim.nl (/etc/apache2/sites-enabled/jan.upcycle.conf:1)
         port 80 namevhost jan.upcycle.nederheim.nl (/etc/apache2/sites-enabled/jan.upcycle.conf:1)
                 alias www.jan.upcycle.nederheim.nl
         port 80 namevhost gitlab.nederheim.nl (/etc/apache2/sites-enabled/gitlab.conf:1)
         port 80 namevhost mattermost.nederheim.nl (/etc/apache2/sites-enabled/mattermost.conf:1)
         port 80 namevhost www.nederheim.nl (/etc/apache2/sites-enabled/nederheim.conf:1)
                 alias nederheim.nl
         port 80 namevhost jandirk.upcycle.nederheim.nl (/etc/apache2/sites-enabled/jandirk.upcycle.conf:1)
                 alias www.jandirk.upcycle.nederheim.nl

Can you show us the contents of this file? We'll start here to fix the problem with the redirect.

Also, do you have any .htaccess file in use? If so, please show that too


Contents of the "/etc/apache2/sites-enabled/nederheim.conf" file:

<VirtualHost <serverip>:80>
    ServerName www.nederheim.nl
    ServerAlias nederheim.nl
    ServerAdmin <email>
    Redirect / https://www.nederheim.nl
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Location />
	Allow from all
    </Location>
</VirtualHost>

I should not have a .htaccess file in use.

You need to add a / after .nl
You will see a missing / in the Location response header from Bruce's example in post #5 if you look carefully.

Also, I recommend removing all the IP addresses from your VirtualHost so they are like:

<VirtualHost *:80>
and 
<VirtualHost *:443>

It is very rare these days to need the IP address and it makes you vulnerable to changes in IP values.

You must change them all so they are the same though. Can't just do one at a time.

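The two replies above (Bruce's `curl -I` output and the missing trailing slash) describe the same failure mode: `Redirect / https://www.nederheim.nl` strips the matched prefix `/` from the request path and appends the remainder to the target, so `/.well-known/acme-challenge/TOKEN` becomes `https://www.nederheim.nl.well-known/acme-challenge/TOKEN`, a different hostname that the CA cannot resolve. Let's Encrypt does follow redirects for HTTP-01, but only to a target that still serves the token. The script below is an added example, not code from the thread; it checks a captured `curl -I` response for a challenge URL and rejects a redirect whose target changes the host (other than apex/www) or the path. The header sets are constructed by hand from the values posted in the thread; the live `curl` call is left commented out.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check the response
# to an HTTP-01 challenge URL the way the CA would see it.
# Assumptions: POSIX sh with sed -E; hostnames and tokens are the ones from
# the thread; the "captured" header sets below are constructed, not live.

# check_location <original-url> <location-header-value>
# Accept a redirect only if it stays on the same domain (apex or www form)
# and keeps the exact /.well-known/acme-challenge/<token> path.
check_location() {
    orig="$1"; loc="$2"
    orig_host=$(printf '%s' "$orig" | sed -E 's#^https?://([^/]+).*#\1#')
    orig_path=$(printf '%s' "$orig" | sed -E 's#^https?://[^/]+##')
    loc_host=$(printf '%s' "$loc" | sed -E 's#^https?://([^/]+).*#\1#')
    loc_path=$(printf '%s' "$loc" | sed -E 's#^https?://[^/]+##')
    apex=${orig_host#www.}
    case "$loc_host" in
        "$apex"|"www.$apex") ;;
        *) echo "BAD: redirect leaves the domain (host '$loc_host')"; return 1 ;;
    esac
    if [ "$loc_path" != "$orig_path" ]; then
        echo "BAD: redirect changes the path ('$loc_path')"; return 1
    fi
    echo "OK: redirect to $loc keeps host and path"; return 0
}

# check_response <url> <raw-headers-from-curl-I>
# 200 is acceptable; 301/302/307/308 only if the Location passes
# check_location; anything else (403, 404, ...) fails the challenge.
check_response() {
    url="$1"; headers="$2"
    status=$(printf '%s\n' "$headers" | tr -d '\r' \
        | sed -n -E '1s#^HTTP/[0-9.]+ ([0-9]{3}).*#\1#p')
    loc=$(printf '%s\n' "$headers" | tr -d '\r' \
        | sed -n -E 's#^[Ll]ocation:[[:space:]]*##p' | head -n 1)
    case "$status" in
        200) echo "OK: $url answered 200"; return 0 ;;
        301|302|307|308) check_location "$url" "$loc" ;;
        *) echo "BAD: $url answered HTTP $status"; return 1 ;;
    esac
}

# Constructed header sets; the Location values are the ones seen in the thread.
TOKEN=-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o
URL="http://www.nederheim.nl/.well-known/acme-challenge/$TOKEN"
BROKEN="HTTP/1.1 302 Found
Server: Apache/2.4.52 (Ubuntu)
Location: https://www.nederheim.nl.well-known/acme-challenge/$TOKEN"
FIXED="HTTP/1.1 302 Found
Server: Apache/2.4.52 (Ubuntu)
Location: https://www.nederheim.nl/.well-known/acme-challenge/$TOKEN"

# Demo: the redirect without the trailing slash fails, the corrected one passes.
check_response "$URL" "$BROKEN" || echo "(failure above is the bug from the thread)"
check_response "$URL" "$FIXED"

# Live check against the real server, once the config has been reloaded:
# check_response "$URL" "$(curl -sI "$URL")"
```

Note that `curl -I` only shows the redirect; to confirm the final hop, run `curl -L` and make sure the HTTPS vhost actually serves the token from `/var/lib/letsencrypt/http_challenges` too, which is why the `<Location /.well-known/acme-challenge>` block belongs in both the port 80 and port 443 vhosts.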

That is a difficult one to see thanks! I changed the redirect in the config to:

Redirect / https://www.nederheim.nl/

But unfortunately I still have a similar response as seen from Bruce's example:

curl -I http://www.nederheim.nl/.well-known/acme-challenge/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o
HTTP/1.1 302 Found
Date: Fri, 09 Dec 2022 15:40:56 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://www.nederheim.nl/.well-known/acme-challenge/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o
Content-Type: text/html; charset=iso-8859-1

No, it is different, because the Location is now correct.

Bruce's post: (note it is .nl.well-known)

curl -I http://nederheim.nl/.well-known/acme-challenge/3IgHPBz_9SnWclnot5w9btJe29OVy4zBxdalz4eu68s
HTTP/1.1 302 Found
Location: https://www.nederheim.nl.well-known/acme-challenge/3IgHPBz_9SnWclnot5w9btJe29OVy4zBxdalz4eu68s

Yours is now .nl/.well-known as it should be:

curl -I http://www.nederheim.nl/.well-known/acme-challenge/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o
HTTP/1.1 302 Found
Location: https://www.nederheim.nl/.well-known/acme-challenge/-SSCoBf6SMdLHWb0-dIIMMajj4x04pMV6VqPis1gi2o

You are right! Thanks for the quick responses. I learned a lot.


Did you make that change?


This file has no server name:
[if not used, it should be removed/deleted]

port 443 namevhost  (/etc/apache2/sites-enabled/default-ssl.conf:2)

These files lack the "www" alias [which are being used in the HTTPS vhost]:

port 80 namevhost gitlab.nederheim.nl (/etc/apache2/sites-enabled/gitlab.conf:1)
port 80 namevhost mattermost.nederheim.nl (/etc/apache2/sites-enabled/mattermost.conf:1)

I understand the recommendation and the advantages of removing the IP addresses, as MikeMcQ said. But for now I like it to be as specific as possible, for learning and understanding a bit more of what I am doing, if that makes sense.

I added the ServerAlias to the files gitlab.conf and mattermost.conf, thank you. I am still working on those files. Both of them have a reverse proxy to nginx. I am still trying to figure out how this works with Let's Encrypt. At the moment Let's Encrypt cannot reach these websites, which makes sense because of the reverse proxy.

Edit:
Never mind, I just did a --dry-run and Let's Encrypt now seems to be able to reach it! Could this be because of the missing alias, or any other changes I did?


Unless your system has multiple IPs and you are binding certain sites only to certain IPs, NO, that doesn't make much sense. All you are doing is overcomplicating things.
Binding to ALL IPs:port = Bind to IP#1:port [when only IP#1 exists]
*:80 = 10.11.12.13:80

More so, when using IPs in the network 127.0.0.0/8, you run into the situation where they can't be reached from any IP outside of that network [i.e. outside that system].

