Certbot ./acme-challange forbidden

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ssternnetwork.com

I ran this command: certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: linearcapitalplc.com
2: www.linearcapitalplc.com
3: ssternnetworks.com
4: www.ssternnetworks.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): I pressed enter


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/ssternnetworks.com.conf)

It contains these names: ssternnetworks.com

You requested these names for the new certificate: linearcapitalplc.com,
www.linearcapitalplc.com, ssternnetworks.com, www.ssternnetworks.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate for linearcapitalplc.com and 3 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: linearcapitalplc.com
Type: unauthorized
Detail: Invalid response from https://linearcapitalplc.com/.well-known/acme-challenge/L_VOwSTepQPIlY3VQ1U38f7zuZsKDh370vODzKWaAFw [2606:4700:3031::6815:3654]: "\n\n403 Forbidden\n\n

Forbidden

\n<p"

Domain: www.linearcapitalplc.com
Type: unauthorized
Detail: Invalid response from https://www.linearcapitalplc.com/.well-known/acme-challenge/cSIPsuIucF3r8sdGExmESAyRSyuyD_0hOUblqpa7j8o [2606:4700:3031::6815:3654]: "\n\n403 Forbidden\n\n

Forbidden

\n<p"

Domain: www.ssternnetworks.com
Type: unauthorized
Detail: Invalid response from http://www.ssternnetworks.com/.well-known/acme-challenge/s37DU18B8g2nnu1bLHAp9Hk-Z0FnuNaNKApvgOFSd9g [2606:4700:3036::ac43:8f0a]: "\n\n403 Forbidden\n\n<h 1>Forbidden\n<p"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache2

The operating system my web server runs on is (include version): ubuntu 20.04

My hosting provider, if applicable, is: Godaddy

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0

Hi @sy425191 and welcome to the LE community forum :slight_smile:

Are you using CloudFlare CDN?

---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
   i:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
 1 s:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---

Name:      www.linearcapitalplc.com
Addresses: 2606:4700:3031::6815:3654
           2606:4700:3033::ac43:88fc
           104.21.54.84
           172.67.136.252
1 Like

Yeah, I am using Cloudflare,
But before using Cloudflare, the problem was same

Then there may be two problems, but we can't see the first one now.

CloudFlare CDN ("CF") is already doing the client side cert for your domains.
They can also provide you with a server side cert as well.
[but it won't be trusted by the general public]

Do you require a globally trusted cert for the server side connections (from CF to your server)?

1 Like

yes,
I changed the permission of some directory and now I am getting this error
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: linearcapitalplc.com
2: www.linearcapitalplc.com
3: ssternnetworks.com
4: www.ssternnetworks.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/ssternnetworks.com.conf)

It contains these names: ssternnetworks.com

You requested these names for the new certificate: linearcapitalplc.com,
www.linearcapitalplc.com, ssternnetworks.com, www.ssternnetworks.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate for linearcapitalplc.com and 3 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ssternnetworks.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ssternnetworks.com/privkey.pem
This certificate expires on 2022-01-25.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for linearcapitalplc.com to /etc/apache2/sites-available/linear-le-ssl.conf
Successfully deployed certificate for www.linearcapitalplc.com to /etc/apache2/sites-available/linear-le-ssl.conf
Successfully deployed certificate for ssternnetworks.com to /etc/apache2/sites-available/000-default-le-ssl.conf
Successfully deployed certificate for www.ssternnetworks.com to /etc/apache2/sites-available/000-default-le-ssl.conf
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 31 of /etc/apache2/sites-enabled/000-default.conf:
Name duplicates previous WSGI daemon definition.

We were unable to install your certificate, however, we successfully restored your server to its prior configuration.

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name ssternnetworks.com

Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 31 of /etc/apache2/sites-enabled/000-default.conf:
Name duplicates previous WSGI daemon definition.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

If this is the error you mention:

That is likely because there is an include that defines it and has been included more than once.
In any case, it is not a certbot induced problem.

Try:
grep -Ri WSGI /etc/apache2/

[likely only in two active files: apache.conf & 000-default.conf]

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.