Cannot renew certs, status 403


#1

The case:

We have a server that has certbot and generates certificates (manually) for first.ourdomain and second.ourdomain.
In the middle of the year, something went wrong with this server. Also, during this time the certificates were not renewed. We recovered this server from a backup from January, and then the problems with generating certificates began.

Every attempt ends with:

urn:ietf:params:acme:error:unauthorized
The key authorization file from the server did not match this challenge
Status: 403

Challenge method is http-01.

There were no changes in system settings, FW, DNS or certbot settings…


#2

403 is generally a required-authentication error.
Does your site require login to reach the /.well-known/acme-challenge/ folder?
Maybe the http now redirects to https…
And the https site requires login?


#3

The 403 might just be referring to the ACME error code, which is included regardless of the actual HTTP response code:

acme: error code 403 "urn:ietf:params:acme:error:unauthorized"

Anyway, probably too hard to answer this one without a lot more detail (Certbot logs, real domain, etc). We don’t even know what authenticator is used.


#4

@_az is correct: the 403 status here is not the relevant part. This is the relevant part:

The key authorization file from the server did not match this challenge

@vivi, please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#5

My guess is still a guess.
It may not be the correct answer nor even the best guess.
But given the lack of information, I think we can all agree that guessing was all that one could do.
— unless one is psychic —


#6

Fair enough. :slight_smile: In this case I was basing my answer on some additional knowledge: When Boulder gets a non-200 response during validation, it gives the error “Invalid response from http://example.com/.well-known/1234 [1.2.3.4]: 403”. See https://github.com/letsencrypt/boulder/blob/f72c371bdc76c194af222953c6f8600f021d4372/va/va.go#L548-L552 for details.

Also, the particular error message here comes from a different place: https://github.com/letsencrypt/boulder/blob/f72c371bdc76c194af222953c6f8600f021d4372/va/va.go#L737-L741:

problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%v]",
    challenge.ProvidedKeyAuthorization, payload)

Which does not include the status. But mostly I was basing that on an intuition based on the types of errors I’ve seen posted in the forum.

With time and practice, we can all increase the number of situations we can recognize on first glance without having to guess. I appreciate your ongoing hard work on helping people out!
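To make the distinction in the post above concrete, here is an added Go example (not Boulder's code, and not from anyone in this thread) that models the two validation paths an http-01 validator has: a non-200 HTTP response produces an "Invalid response ... : 403" style error, while a 200 response whose body does not equal the expected key authorization produces the "did not match" error. The key authorization is built as RFC 8555 describes (token, a dot, then the RFC 7638 thumbprint of the account key), so the example also shows why a file served for a different account key fails the comparison. The URL, IP address, token and RSA modulus are constructed placeholders, and trimming trailing whitespace from the served body is an assumption about validator behaviour, not something the thread states.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// rsaThumbprintInput is the canonical JWK form RFC 7638 hashes for an RSA key:
// only the required members, in lexicographic member order, no whitespace.
// json.Marshal on this struct emits exactly {"e":"...","kty":"RSA","n":"..."}.
type rsaThumbprintInput struct {
	E   string `json:"e"`
	Kty string `json:"kty"`
	N   string `json:"n"`
}

// jwkThumbprint returns base64url(SHA-256(canonical JWK)) without padding,
// which is what an ACME account key's thumbprint is.
func jwkThumbprint(e, n string) string {
	canon, err := json.Marshal(rsaThumbprintInput{E: e, Kty: "RSA", N: n})
	if err != nil {
		panic(err) // cannot happen for plain string members
	}
	sum := sha256.Sum256(canon)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// keyAuthorization builds the http-01 file body per RFC 8555 section 8.1:
// the challenge token, a ".", and the account key thumbprint.
func keyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// validateHTTP01 models the two error paths discussed in the thread.
// status/body stand in for the HTTP response the validator fetched from
// url (resolved to ip); expected is the key authorization the CA computed.
func validateHTTP01(url, ip string, status int, body, expected string) error {
	if status != 200 {
		// Non-200 path: the HTTP status is reported in the message.
		return fmt.Errorf("Invalid response from %s [%s]: %d", url, ip, status)
	}
	// Assumption: trailing whitespace (e.g. a newline added by an editor)
	// is tolerated before the comparison.
	payload := strings.TrimRight(body, " \t\r\n")
	if payload != expected {
		// 200 path with wrong content: no HTTP status in the message.
		return fmt.Errorf("The key authorization file from the server did not match this challenge [%v] != [%v]", expected, payload)
	}
	return nil
}

func main() {
	const url = "http://example.com/.well-known/acme-challenge/constructed-token"
	const ip = "192.0.2.1" // constructed, documentation range

	// Constructed account key material; a real modulus is ~342 base64url chars.
	current := jwkThumbprint("AQAB", "constructed-current-modulus")
	expected := keyAuthorization("constructed-token", current)

	fmt.Println("served correct file:", validateHTTP01(url, ip, 200, expected+"\n", expected))
	fmt.Println("web server returned 403:", validateHTTP01(url, ip, 403, "", expected))

	// A file generated under a different account key has a different thumbprint.
	stale := keyAuthorization("constructed-token", jwkThumbprint("AQAB", "constructed-old-modulus"))
	fmt.Println("served file for another key:", validateHTTP01(url, ip, 200, stale, expected))
}
```

Reading the two error strings side by side is the check a practitioner wants: an HTTP status in the message points at the web server (redirects, auth, permissions), while "did not match" means the file was fetched fine but its contents were computed for a different token or account key.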


#7

Thanks.
It is soo much easier when they provide ample information :slight_smile:

