Cannot satisfy letsencrypt?

Hi. I cannot understand why my certbot no longer works?
I have tried, but still get "unauthorized"?
certbot renew --force-renewal

I am trying to force a renewal (expires in 19 days) for my certs which I have had since Jan 2020, without incidents like this.

I am seeing:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.ingber.com.conf

Renewing an existing certificate for blog.ingber.com and 6 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: blog.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://blog.ingber.com/.well-known/acme-challenge/TvURY3PMXv67GeAlKdUKZHmtG2U3z3R1Y232ZjN_KsI: 403

Domain: default.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://default.ingber.com/.well-known/acme-challenge/pss3mrOz-Y8o-txmpFyWPQv_sCjXQl9L-pobUnY50dk: 403

Domain: ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://ingber.com/.well-known/acme-challenge/NEtt4InrXgBa9qEOYcLXFkDZEP2HIeD2VbUV_WrdE5I: 403

Domain: lester.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lester.ingber.com/.well-known/acme-challenge/nAvwU-PTrlwvIEX8SmylEstJlPDLiwCKJoK_hDRiczo: 403

Domain: lin.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lin.ingber.com/.well-known/acme-challenge/6mbAcUhWBGkXlI6HSeLp8h-O0mq180toi4XhH-rXkvo: 403

Domain: lin6.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lin6.ingber.com/.well-known/acme-challenge/EwJZ3BEBMlVesw512dz15zY6Z5tElRYyjkRk1FhtwJE: 403

Domain: www.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://www.ingber.com/.well-known/acme-challenge/CGim6tUr42n2ZbWPVlY0xF9AR2aerTKtKb74hdd4oto: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate www.ingber.com with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

I am logged in as root, so I should be able to force any commands?

Thanks.
Lester

1 Like

I am using Linode for my VPS.

I can reproduce the "403" error using curl. The error looks to be caused by an htaccess file. It does not affect HTTP requests to your "home" page, but it does affect the acme-challenge path for some reason.

# Original HTTP request redirects to HTTPS
curl -i http://blog.ingber.com/.well-known/acme-challenge/Test404
HTTP/1.1 302 Found
Server: Apache
Location: https://blog.ingber.com/.well-known/acme-challenge/Test404

# Following that gets 403
curl -i https://blog.ingber.com/.well-known/acme-challenge/Test404
HTTP/1.1 403 Forbidden
Date: Thu, 15 Aug 2024 18:55:11 GMT
Server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.
Server unable to read htaccess file, denying access to be safe</p>
</body></html>

6 Likes
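Apache sends the body "Server unable to read htaccess file, denying access to be safe" when, while walking from DocumentRoot down to the requested path with AllowOverride enabled, it hits a .htaccess it cannot open. The following is an added example (not code from this thread) of an offline pre-flight check for exactly that condition: it walks webroot/.well-known/acme-challenge and reports any directory or .htaccess along the way that lacks the "other" execute or read bit. It assumes Apache runs as an unprivileged user (www-data or similar) that neither owns the files nor shares their group, the usual Debian/Ubuntu layout, so only the "other" permission bits decide what the server can read. The directory tree it scans is a constructed fixture built under a temporary directory for the demonstration.

```python
"""Pre-flight check for Apache's 403 "Server unable to read htaccess file".

Added example, not code from this thread. Assumes Apache runs as an
unprivileged user (www-data or similar) that neither owns the files nor
shares their group, so only the "other" permission bits matter. With
AllowOverride enabled, Apache opens .htaccess in every directory from
DocumentRoot down to the requested file; one it cannot read turns the whole
request, including an ACME HTTP-01 challenge, into a 403.
"""
import os
import stat
import tempfile

CHALLENGE_DIRS = (".well-known", "acme-challenge")


def check_challenge_path(webroot):
    """Walk webroot -> .well-known -> acme-challenge.

    Returns a list of (path, problem) tuples; an empty list means the HTTP-01
    challenge directory is reachable and no .htaccess on the way is unreadable.
    """
    findings = []
    current = webroot
    for segment in ("",) + CHALLENGE_DIRS:
        if segment:
            current = os.path.join(current, segment)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            findings.append((current, "directory missing"))
            break
        if not stat.S_ISDIR(st.st_mode):
            findings.append((current, "not a directory"))
            break
        # The server must be able to traverse every directory on the path.
        if not (st.st_mode & stat.S_IXOTH):
            findings.append((current, "not traversable by others (needs o+x)"))
        # ... and must be able to read any .htaccess it finds there.
        htaccess = os.path.join(current, ".htaccess")
        if os.path.lexists(htaccess):
            try:
                hmode = os.stat(htaccess).st_mode
            except FileNotFoundError:
                findings.append((htaccess, "dangling symlink"))
                continue
            if not (hmode & stat.S_IROTH):
                findings.append((htaccess, ".htaccess not readable by others (needs o+r)"))
    return findings


def build_demo_tree(base):
    """Constructed fixture: a clean webroot except that .well-known/.htaccess
    is mode 0600, the classic trigger for the 403 seen in this thread."""
    well_known = os.path.join(base, ".well-known")
    challenge = os.path.join(well_known, "acme-challenge")
    os.makedirs(challenge)
    for d in (base, well_known, challenge):
        os.chmod(d, 0o755)
    bad = os.path.join(well_known, ".htaccess")
    with open(bad, "w") as fh:
        fh.write("Options -Indexes\n")
    os.chmod(bad, 0o600)
    return bad


def run_demo():
    """Build the fixture, scan it, apply the fix (chmod 644), scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = build_demo_tree(tmp)
        before = check_challenge_path(tmp)
        # Remediation: make it readable (or delete it; nothing under
        # .well-known needs per-directory overrides).
        os.chmod(bad, 0o644)
        after = check_challenge_path(tmp)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for path, problem in before:
        print(f"BEFORE  {problem}: {path}")
    print("AFTER  ", "clean" if not after else after)
```

On a live box, call check_challenge_path() with the directory given to certbot's -w option (the webroot_path line in /etc/letsencrypt/renewal/<name>.conf). It catches only permission and layout problems; a 403 produced by a Deny/Require rule or by a rewrite still needs the Apache ErrorLog.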

This will never help you.

Your issue isn't with something on your server where root access would help, it's that the Let's Encrypt server can't connect to yours to validate that you in fact control those domain names.

6 Likes

And here is a different way, shown with curl.

Attempting the ACME challenge on HTTP, and it redirects us to HTTPS:

$ curl -Ii http://blog.ingber.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Date: Fri, 16 Aug 2024 01:55:52 GMT
Server: Apache
Location: https://blog.ingber.com/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

Following the redirect to HTTPS.
Typically one would want to return Not Found instead of Forbidden:

$ curl -k -i https://blog.ingber.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 403 Forbidden
Date: Fri, 16 Aug 2024 01:56:55 GMT
Server: Apache
Content-Length: 261
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.Server unable to read htaccess file, denying access to be safe</p>
</body></html>
4 Likes

I'm getting a 403 also. ;@(

4 Likes

And check here for HTTP Response Close

3 Likes

Something has changed within the HTTP server block for those domains.
Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS

4 Likes

Using the comment by rg305:

I see:

16:00:30 ingber@linode# ~: apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
173.255.212.226:80 is a NameVirtualHost
default server www.ingber.com (/etc/apache2/sites-enabled/000-default.conf:8)
port 80 namevhost www.ingber.com (/etc/apache2/sites-enabled/000-default.conf:8)
alias ingber.com
alias www.ingber.com
port 80 namevhost creekhouse.ingber.com (/etc/apache2/sites-enabled/000-default.conf:22)
port 80 namevhost louise.ingber.com (/etc/apache2/sites-enabled/000-default.conf:35)
port 80 namevhost blog.ingber.com (/etc/apache2/sites-enabled/000-default.conf:48)
port 80 namevhost lester.ingber.com (/etc/apache2/sites-enabled/000-default.conf:61)
port 80 namevhost lin.ingber.com (/etc/apache2/sites-enabled/000-default.conf:74)
port 80 namevhost lin6.ingber.com (/etc/apache2/sites-enabled/000-default.conf:87)
173.255.212.226:443 is a NameVirtualHost
default server www.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:13)
port 443 namevhost www.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:13)
alias ingber.com
alias www.ingber.com
port 443 namevhost louise.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:52)
port 443 namevhost creekhouse.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:90)
port 443 namevhost blog.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:128)
port 443 namevhost lester.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:166)
port 443 namevhost lin.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:204)
port 443 namevhost lin6.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:242)
*:80 default.ingber.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 default.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
16:01:10 ingber@linode# ~:

We should have a look at this file:

And perhaps, also this file:

3 Likes

MikeMcQ:

(1) What should I be looking for in my .htaccess file?
(2) If the ordering is incorrect, as rg305 suggested, how would I fix that?
(3) Should I have to uninstall and reinstall Letsencrypt?

Thanks.
Lester

1 Like

Here, details on Apache can be found in documentation and forums:

4 Likes

My /etc/apache2/sites-enabled files:

000-default.conf:

<VirtualHost _default_:80>
  ServerName default.ingber.com
  <Location />
  Require all denied
  </Location>
</VirtualHost>
#<VirtualHost 173.255.212.226:80 [2600:3c01::f03c:91ff:fe93:e6f3]:80>
<VirtualHost 173.255.212.226:80>
        ServerName www.ingber.com
        ServerAlias ingber.com www.ingber.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
</VirtualHost>
#<VirtualHost 173.255.212.226:80 [2600:3c01::f03c:91ff:fe93:e6f3]:80>
<VirtualHost 173.255.212.226:80>
        ServerName creekhouse.ingber.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
</VirtualHost>
#<VirtualHost 173.255.212.226:80 [2600:3c01::f03c:91ff:fe93:e6f3]:80>
<VirtualHost 173.255.212.226:80>
        ServerName louise.ingber.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
</VirtualHost>
#<VirtualHost 173.255.212.226:80 [2600:3c01::f03c:91ff:fe93:e6f3]:80>
<VirtualHost 173.255.212.226:80>
        ServerName blog.ingber.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
</VirtualHost>
#<VirtualHost 173.255.212.226:80 [2600:3c01::f03c:91ff:fe93:e6f3]:80>
<VirtualHost 173.255.212.226:80>
        ServerName lester.ingber.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
</VirtualHost>
#<VirtualHost 173.255.212.226:80 [2600:3c01::f03c:91ff:fe93:e6f3]:80>
<VirtualHost 173.255.212.226:80>
        ServerName lin.ingber.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
</VirtualHost>
#<VirtualHost 173.255.212.226:80 [2600:3c01::f03c:91ff:fe93:e6f3]:80>
<VirtualHost 173.255.212.226:80>
        ServerName lin6.ingber.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
</VirtualHost>

default-ssl.conf:

<VirtualHost _default_:443>
  ServerName default.ingber.com
  <Location />
  Require all denied
  </Location>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
</VirtualHost>
#<VirtualHost 173.255.212.226:443 [2600:3c01::f03c:91ff:fe93:e6f3]:443>
<VirtualHost 173.255.212.226:443>
                ServerName www.ingber.com
                ServerAlias ingber.com www.ingber.com
                ServerAdmin webmaster
                DocumentRoot /var/www-ssl
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www-ssl/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Require all denied
        </Directory>
        SSLEngine on
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.pem
#       SSLCertificateFile /etc/ssl/cloudflare/ingber.com.crt
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.key
#       SSLCertificateKeyFile /etc/ssl/cloudflare/origin-pull-ca.pem
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
#       SSLCertificateFile /etc/certs/MyKey.key
#       SSLCertificateKeyFile /etc/certs/MyCertificate.crt
        SSLCertificateFile /etc/letsencrypt/live/www.ingber.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.ingber.com/privkey.pem
</VirtualHost>
#<VirtualHost 173.255.212.226:443 [2600:3c01::f03c:91ff:fe93:e6f3]:443>
<VirtualHost 173.255.212.226:443>
                ServerName louise.ingber.com
                ServerAdmin webmaster
                DocumentRoot /var/www-ssl/louise
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www-ssl/louise/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Require all denied
        </Directory>
        SSLEngine on
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.pem
#       SSLCertificateFile /etc/ssl/cloudflare/ingber.com.crt
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.key
#       SSLCertificateKeyFile /etc/ssl/cloudflare/origin-pull-ca.pem
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
#       SSLCertificateFile /etc/certs/MyKey.key
#       SSLCertificateKeyFile /etc/certs/MyCertificate.crt
        SSLCertificateFile /etc/letsencrypt/live/www.ingber.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.ingber.com/privkey.pem
</VirtualHost>
#<VirtualHost 173.255.212.226:443 [2600:3c01::f03c:91ff:fe93:e6f3]:443>
<VirtualHost 173.255.212.226:443>
                ServerName creekhouse.ingber.com
                ServerAdmin webmaster
                DocumentRoot /var/www-ssl/creekhouse
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www-ssl/creekhouse/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Require all denied
        </Directory>
        SSLEngine on
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.pem
#       SSLCertificateFile /etc/ssl/cloudflare/ingber.com.crt
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.key
#       SSLCertificateKeyFile /etc/ssl/cloudflare/origin-pull-ca.pem
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
#       SSLCertificateFile /etc/certs/MyKey.key
#       SSLCertificateKeyFile /etc/certs/MyCertificate.crt
        SSLCertificateFile /etc/letsencrypt/live/www.ingber.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.ingber.com/privkey.pem
</VirtualHost>
#<VirtualHost 173.255.212.226:443 [2600:3c01::f03c:91ff:fe93:e6f3]:443>
<VirtualHost 173.255.212.226:443>
                ServerName blog.ingber.com
                ServerAdmin webmaster
                DocumentRoot /var/www-ssl/blog
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www-ssl/blog/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Require all denied
        </Directory>
        SSLEngine on
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.pem
#       SSLCertificateFile /etc/ssl/cloudflare/ingber.com.crt
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.key
#       SSLCertificateKeyFile /etc/ssl/cloudflare/origin-pull-ca.pem
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
#       SSLCertificateFile /etc/certs/MyKey.key
#       SSLCertificateKeyFile /etc/certs/MyCertificate.crt
        SSLCertificateFile /etc/letsencrypt/live/www.ingber.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.ingber.com/privkey.pem
</VirtualHost>
#<VirtualHost 173.255.212.226:443 [2600:3c01::f03c:91ff:fe93:e6f3]:443>
<VirtualHost 173.255.212.226:443>
                ServerName lester.ingber.com
                ServerAdmin webmaster
                DocumentRoot /var/www-ssl/lester
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www-ssl/lester/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Require all denied
        </Directory>
        SSLEngine on
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.pem
#       SSLCertificateFile /etc/ssl/cloudflare/ingber.com.crt
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.key
#       SSLCertificateKeyFile /etc/ssl/cloudflare/origin-pull-ca.pem
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
#       SSLCertificateFile /etc/certs/MyKey.key
#       SSLCertificateKeyFile /etc/certs/MyCertificate.crt
        SSLCertificateFile /etc/letsencrypt/live/www.ingber.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.ingber.com/privkey.pem
</VirtualHost>
#<VirtualHost 173.255.212.226:443 [2600:3c01::f03c:91ff:fe93:e6f3]:443>
<VirtualHost 173.255.212.226:443>
                ServerName lin.ingber.com
                ServerAdmin webmaster
                DocumentRoot /var/www-ssl/lin
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www-ssl/lin/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Require all denied
        </Directory>
        SSLEngine on
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.pem
#       SSLCertificateFile /etc/ssl/cloudflare/ingber.com.crt
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.key
#       SSLCertificateKeyFile /etc/ssl/cloudflare/origin-pull-ca.pem
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
#       SSLCertificateFile /etc/certs/MyKey.key
#       SSLCertificateKeyFile /etc/certs/MyCertificate.crt
        SSLCertificateFile /etc/letsencrypt/live/www.ingber.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.ingber.com/privkey.pem
</VirtualHost>
#<VirtualHost 173.255.212.226:443 [2600:3c01::f03c:91ff:fe93:e6f3]:443>
<VirtualHost 173.255.212.226:443>
                ServerName lin6.ingber.com
                ServerAdmin webmaster
                DocumentRoot /var/www-ssl/lin6
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www-ssl/lin6/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SetEnvIf Remote_Addr "::1" dontlog
        SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!dontlog
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Require all denied
        </Directory>
        SSLEngine on
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.pem
#       SSLCertificateFile /etc/ssl/cloudflare/ingber.com.crt
#       SSLCertificateKeyFile /etc/ssl/cloudflare/ingber.com.key
#       SSLCertificateKeyFile /etc/ssl/cloudflare/origin-pull-ca.pem
#       <IfModule mod_cloudflare.c>
#               DenyAllButCloudFlare
#       </IfModule>
#       SSLCertificateFile /etc/certs/MyKey.key
#       SSLCertificateKeyFile /etc/certs/MyCertificate.crt
        SSLCertificateFile /etc/letsencrypt/live/www.ingber.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.ingber.com/privkey.pem
</VirtualHost>
#</IfModule>

1 Like

I minimized all entries to fit into this window. I may have cut off some entries, but I can download files fine.

Lester

Hello @lingber,

Using the online tool Let's Debug yields these results https://letsdebug.net/ingber.com/2196497

UnexpectedHttpResponse
Warning
Sending an ACME HTTP validation request to ingber.com results in unexpected HTTP response 403 Forbidden. This indicates that the webserver is misconfigured or misbehaving.
403 Forbidden

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.Server unable to read htaccess file, denying access to be safe</p>
</body></html>


Trace:
@0ms: Making a request to http://ingber.com/.well-known/acme-challenge/letsdebug-test (using initial IP 173.255.212.226)
@0ms: Dialing 173.255.212.226
@345ms: Server response: HTTP 302 Found
@345ms: Received redirect to https://ingber.com/.well-known/acme-challenge/letsdebug-test
@345ms: Dialing 173.255.212.226
@859ms: Server response: HTTP 403 Forbidden

HTTP shows a redirect to HTTPS, and it returns HTTP/1.1 302 Found;
typically one would more often respond with HTTP/1.1 301 Moved Permanently.

$ curl -Ii http://ingber.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Date: Sat, 24 Aug 2024 16:10:00 GMT
Server: Apache
Location: https://ingber.com/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

HTTPS is still showing HTTP/1.1 403 Forbidden:

$ curl -Ii https://ingber.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 403 Forbidden
Date: Sat, 24 Aug 2024 16:10:12 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1
4 Likes

Bruce5051:

I do not see any "Forbidden" entries in those files, or in .well-known.
Should I change permissions?

Lester

Here are a few links to help with Markdown

3 Likes

It may not be a permission but how the webserver is responding that might need correcting.

4 Likes

I would look in your Apache ErrorLog for further explanation of the 403
ErrorLog ${APACHE_LOG_DIR}/error.log

Has something changed with your network equipment lately? Because you have previously had problems with the syntax you use for VirtualHost. We have recommended you change that in the past. If your syntax is not working properly Apache will use your Default VirtualHost. Your Default VHost denies everything (with 403).

Note your Default VirtualHost does NOT use this IP:Port syntax like all your others.

Specifically, statements like this ...

Could (should) ALL be replaced with just
<VirtualHost *:443>

And same for your port 80 VHosts:
<VirtualHost *:80>

4 Likes
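One way to make the challenge path immune to both problems this thread turns up (the HTTP-to-HTTPS rewrite that forwards the validator, and a .htaccess Apache cannot read because the :443 vhosts use AllowOverride All), added here as an example and not taken from the poster's configuration or from Apache's documentation: serve /.well-known/acme-challenge/ from a dedicated webroot with AllowOverride None, exempt that prefix from the redirect, and use the *:port VirtualHost form MikeMcQ recommends. The webroot /var/www/letsencrypt, the ServerName and the certificate paths are assumptions; the webroot has to match the -w value recorded as webroot_path in /etc/letsencrypt/renewal/<name>.conf. The first, commented-out block is the pattern to move away from; the two live blocks are the corrected form.

```apache
# Added example, not the poster's configuration. Assumes certbot is run with
# -w /var/www/letsencrypt (webroot authenticator) and Apache 2.4.

# --- pattern to avoid: every :80 request is bounced to HTTPS, so the ACME
# validator lands on the :443 vhost, whose DocumentRoot honours .htaccess
# (AllowOverride All); one unreadable .htaccess there turns the challenge
# into a 403.
#<VirtualHost 173.255.212.226:80>
#        ServerName blog.ingber.com
#        RewriteEngine On
#        RewriteCond %{HTTPS} off
#        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#</VirtualHost>

# --- corrected form
<VirtualHost *:80>
        ServerName blog.ingber.com

        # Serve the challenge directory straight from a dedicated webroot.
        # AllowOverride None means no .htaccess is ever consulted on this path,
        # and Require all granted is needed because Apache 2.4 denies / by default.
        Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
        <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
                Options None
                AllowOverride None
                Require all granted
                ForceType text/plain
        </Directory>

        # Exempt the challenge prefix from the HTTPS redirect so validation
        # completes on :80 without touching the TLS vhost at all.
        RewriteEngine On
        RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
        RewriteCond %{HTTPS} off
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
        ServerName blog.ingber.com
        DocumentRoot /var/www-ssl/blog
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/www.ingber.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.ingber.com/privkey.pem

        # Same Alias here, so a validator that does arrive over HTTPS (for
        # example via a redirect left elsewhere) still gets the token.
        Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
        <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
                Options None
                AllowOverride None
                Require all granted
                ForceType text/plain
        </Directory>
</VirtualHost>
```

After editing, check the syntax with apachectl -t, reload Apache, and confirm with curl -i http://blog.ingber.com/.well-known/acme-challenge/probe that a missing token now yields 404 rather than 302 or 403. Then run certbot renew --dry-run against the staging environment before the real renewal; a dry run that passes means the path is reachable from the outside the way the Hint in the original error asks for.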