I have problems to renew certificate, again. I tried to renew a certificate using:
certbot renew
But I get an error: Attempting to renew cert (myadress.dynvpn.de) from /etc/letsencrypt/renewal/myadress.dynvpn.de.conf produced an unexpected error: Failed authorization procedure. myadress.dynvpn.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://myadress.dynvpn.de/.well-known/acme-challenge/DqNjd8p6eVc6BgGnP7R7mMb9AMrWhLfUiQtIIpxV3GI [xxx.xxx.50.114]: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/myadress.dynvpn.de/fullchain.pem (failure)
Port 443 und 80 are open and reachable from the internet. Nginx is running, webroot is /var/www/html
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
It produced this output: Attempting to renew cert (myadress.dynvpn.de) from /etc/letsencrypt/renewal/myadress.dynvpn.de.conf produced an unexpected error: Failed authorization procedure. myadress.dynvpn.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://myadress.dynvpn.de/.well-known/acme-challenge/DqNjd8p6eVc6BgGnP7R7mMb9AMrWhLfUiQtIIpxV3GI [xxx.xxx.50.114]: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/myadress.dynvpn.de/fullchain.pem (failure)
My web server is (include version):
nginx/1.14.2
The operating system my web server runs on is (include version):
Raspbian GNU/Linux 10 (buster)
My hosting provider, if applicable, is:
me
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0
The error is exactly what it states: when the verifier tried to check http-01 challenge by downloading https://myadress.dynvpn.de/.well-known/acme-challenge/DqNjd8p6eVc6BgGnP7R7mMb9AMrWhLfUiQtIIpxV3GI
it got HTTP code 403 Forbidden, so your server failed the challenge.
This means you should change configuration of your server so that this URL is accessible and serves the right challenge response.
Most likely, you have overly restrictive folder access rules that block .well-known/acme-challenge folder, I’d recommend adding the whole .well-known into the whitelist (and not using it for anything other than ACME verifications).
It’s not clear from that information whether you’re using Certbot’s webroot or nginx authentication.
If you’re currently using webroot, it may be the case that’s it’s misconfigured, in which case you could try out the nginx authenticator to see if that can work around it:
certbot renew --cert-name vdrblaubart.dynvpn.de -a nginx --dry-run