CDN Generating 403 after SSL Renewed

I am using the KeyCDN service, where I created a subdomain and added the SSL certificate a few months back. Recently the SSL certificate of the subdomain was renewed as well, along with the domain name SSL, but from that point KeyCDN is unable to get the original files from my server. Their support also said the issue is at my server end.

One static file from the CDN which gives a 403 Forbidden error:
https://cdn.piacademy.co.uk/wp-content/uploads/2019/12/Logo-Christmas-11-Plus-GCSE-A-Level-Best-Tutors-PiAcademy-280x53.png

Used this tool to check for ‘cdn.piacademy.co.uk’:
https://www.digicert.com/help/
which shows the certificate was renewed on 13/Mar/2020 (4 days back).

and I can see this in /etc/apache2/sites-available/000-default-le-ssl.conf

Not sure what happened. Really need help, please!

Thanks
Dinesh.

1 Like

Please show output of:
certbot certificates
[presuming you used certbot - adjust accordingly, if not]

And also the output of:
apachectl -S

1 Like

Thank you @rg305 for your reply!
Ran both commands and attached the output below.

Thanks for your help!

1 Like

There is only one cert and it has only one FQDN:
piacademy.co.uk
Your 403 error example is from another FQDN:
cdn.piacademy.co.uk
[not sure how the two are related to the problem]

The second output has an “interesting” entry:
*:80 206.189.20.100 (/etc/apache2/sites-enabled/000-default.conf:1)
I would like to see that file to better understand why an IP was used and see how it handles the challenge requests.

1 Like

Yes, not sure why the CDN subdomain SSL is not displayed. I am thinking that due to this auto-renewal the CDN is getting the 403 Forbidden error, or I might be wrong. Should the subdomain SSL also appear in the output?

When I checked the log files on the server, less /etc/apache2/sites-available/000-default-le-ssl.conf got this response:

[Tue Mar 17 06:27:48.547714 2020] [mpm_prefork:notice] [pid 1199] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Tue Mar 17 06:27:48.547742 2020] [core:notice] [pid 1199] AH00094: Command line: '/usr/sbin/apache2'
[Tue Mar 17 06:28:09.411316 2020] [authz_core:error] [pid 24227] [client 185.172.149.65:55652] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/2019/02/question-33-6.png
[Tue Mar 17 06:28:13.233596 2020] [authz_core:error] [pid 24278] [client 185.172.149.65:60178] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/2018/11/Edexcel-GCSE-Maths-Higher-Paper-2-Sample.pdf, referer: https://piacademy.co.uk/gcse/maths-edexcel-past-exam-papers/
[Tue Mar 17 06:28:13.603255 2020] [authz_core:error] [pid 24280] [client 185.172.149.65:60518] AH01630: client denied by server configuration: /var/www/html/favicon.ico, referer: https://cdn.piacademy.co.uk/wp-content/uploads/2018/11/Edexcel-GCSE-Maths-Higher-Paper-2-Sample.pdf
[Tue Mar 17 06:28:26.187850 2020] [authz_core:error] [pid 24223] [client 185.172.149.65:20882] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/2018/11/Edexcel-GCSE-Maths-Higher-Paper-2-Sample-Mark-Scheme.pdf, referer: https://piacademy.co.uk/gcse/maths-edexcel-past-exam-papers/
[Tue Mar 17 06:28:50.296010 2020] [authz_core:error] [pid 24227] [client 185.172.149.65:49680] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/2020/01/St-Albans-School-11-Plus-Maths-Entrance-Exam-Paper-2019-Question-35-300x132.png
[Tue Mar 17 06:29:10.361210 2020] [authz_core:error] [pid 24224] [client 185.172.149.65:18786] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/2018/11/Edexcel-GCSE-Maths-Higher-Paper-1-Sample.pdf, referer: https://piacademy.co.uk/gcse/maths-edexcel-past-exam-papers/
[Tue Mar 17 06:29:11.041502 2020] [authz_core:error] [pid 24223] [client 185.172.149.65:19362] AH01630: client denied by server configuration: /var/www/html/favicon.ico, referer: https://cdn.piacademy.co.uk/wp-content/uploads/2018/11/Edexcel-GCSE-Maths-Higher-Paper-1-Sample.pdf
[Tue Mar 17 06:29:29.754280 2020] [authz_core:error] [pid 24280] [client 185.172.149.65:43380] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/2019/12/Question-03-SPaG-KS2-SATs-Papers-2017-Year-6-English-Sample-Paper-1.png
[Tue Mar 17 06:30:15.411173 2020] [authz_core:error] [pid 24224] [client 185.172.149.65:40580] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/2019/09/11-Plus-Verbal-Reasoning-Codes-Practice-Paper-4-Question-01.png, referer: https://www.google.com/
[Tue Mar 17 06:30:47.037045 2020] [authz_core:error] [pid 24350] [client 185.172.149.65:21532] AH01630: client denied by server configuration: /var/www/html/wp-content/cache/min/1/6e830bbce58fcd9f430bd5f89ad51916.css, referer: https://piacademy.co.uk/login-access/

Please also check this link at the side of CDN service:
https://tools.keycdn.com/performance?url=https://cdn.piacademy.co.uk/wp-content/uploads/2019/12/Logo-Christmas-11-Plus-GCSE-A-Level-Best-Tutors-PiAcademy-280x53.png

So worried, please help!

1 Like
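
Added example, not part of any post in this thread: one way to triage the AH01630 entries shown above is to count them per client address and list the paths denied to a given client, which shows whether the access rule is rejecting one requester or many. The function names, the sample log lines and the documentation-range IP addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage AH01630 ("client denied by server configuration")
# entries from an Apache 2.4 error log supplied on stdin.

# Constructed sample log: documentation-range IPs and made-up paths.
SAMPLE_LOG='[Tue Mar 17 06:27:48.547714 2020] [mpm_prefork:notice] [pid 1199] AH00163: Apache/2.4.29 (Ubuntu) configured -- resuming normal operations
[Tue Mar 17 06:28:09.411316 2020] [authz_core:error] [pid 24227] [client 203.0.113.10:55652] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/a.png
[Tue Mar 17 06:28:13.233596 2020] [authz_core:error] [pid 24278] [client 203.0.113.10:60178] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/b.pdf, referer: https://example.org/papers/
[Tue Mar 17 06:28:13.603255 2020] [authz_core:error] [pid 24280] [client 198.51.100.7:60518] AH01630: client denied by server configuration: /var/www/html/favicon.ico, referer: https://cdn.example.org/b.pdf
[Tue Mar 17 06:28:26.187850 2020] [authz_core:error] [pid 24223] [client 203.0.113.10:20882] AH01630: client denied by server configuration: /var/www/html/wp-content/uploads/a.png'

# Print "<count> <client-ip>" for every client that hit AH01630, busiest first.
summarize_denials() {
  awk '
    /AH01630/ {
      # The client field looks like: [client 203.0.113.10:55652]
      if (match($0, /\[client [^]]+\]/)) {
        c = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
        sub(/:[0-9]+$/, "", c)                    # drop the source port
        count[c]++
      }
    }
    END { for (c in count) printf "%d %s\n", count[c], c }
  ' | sort -rn
}

# Print the distinct filesystem paths that were denied to one client IP ($1).
denied_paths() {
  awk -v want="$1" '
    /AH01630/ && index($0, "[client " want ":") {
      p = $0
      sub(/^.*client denied by server configuration: /, "", p)
      sub(/, referer: .*$/, "", p)                # referer is optional
      print p
    }
  ' | sort -u
}

# Demo on the constructed sample; on a real host, feed the error log instead
# (assumed location on Ubuntu: /var/log/apache2/error.log).
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
```

The denied paths tell you which `<Directory>` block's access rules are being applied, which is where to look for the `Require` or legacy `Deny` directive that produces the 403.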

Not likely, as they are at completely different IP addresses:

Name:    piacademy.co.uk
Address:  206.189.20.100

Name:    a-us00.kxcdn.com
Addresses:  2a0b:4d07:2::2
          2a0b:4d07:2::3
          2a0b:4d07:2::4
          2a0b:4d07:2::1
          68.70.205.4
          68.70.205.1
          68.70.205.2
          68.70.205.3
Aliases:  cdn.piacademy.co.uk
          piacademy-12d0c.kxcdn.com

I can't replicate the errors shown in the log.

The link shows problems from certain areas to the cdn.piacademy.co.uk content.
Which can mean that the CDN is out-of-sync or maybe IPv6 is not providing the same results as IPv4.
Difficult to say for sure; as there are four IPv4 addresses and four IPv6 addresses involved.

And I still don't see how the two sites are related.
https://piacademy.co.uk/
https://cdn.piacademy.co.uk/

1 Like

That should have produced an entirely different output.
One I would not mind looking at.
[might help to explain why "client denied by server configuration" is occurring]

1 Like
