Certbot apache or webroot failed to download the temporary challenge files

certbot 2.11.0

# apachectl -v
Server version: Apache/2.4.62 (Unix)

Operating system NetBSD 10.0
I admin the machine and have ssh access.

I can curl -L -k from a remote host to the files saved in the /var/letsencrypt/http_challenge directory.

$ httpd -S
VirtualHost configuration:
*:80                   myserver.tld (/usr/pkg/etc/httpd/httpd-vhosts.conf:23)
*:443                  myserver.tld (/usr/pkg/etc/httpd/httpd-vhosts.conf:42)
ServerRoot: "/usr/pkg"
Main DocumentRoot: "/var/www/htdocs"
Main ErrorLog: "/var/log/httpd/error_log"
Mutex default: dir="/var/run/" mechanism=default 
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www" id=1100 not_used
Group: name="www" id=1100 not_used

The apache virtual hosts section:

<VirtualHost *:80>
    ServerName mydomain.tld
    ServerAlias www.mydomain.tld
    ServerAdmin webmaster@mydomain.tld
    DocumentRoot "/var/www/wordpress"
    Redirect permanent / https://mydomain.tld/
</VirtualHost>
<VirtualHost *:443>
    ServerName mydomain.tld
    ServerAlias www.mydomain.tld
    ServerAdmin webmaster@mydomain.tld
    DocumentRoot "/var/www/wordpress"
    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:///var/run/php-fpm/mydomain.tld.sock|fcgi://127.0.0.1:9000/var/www/wordpress timeout=300
    DirectoryIndex index.html index.php
    ErrorLog "/var/log/httpd/mydomain.tld-error_log"
    CustomLog "/var/log/httpd/mydomain.tld-access_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    AliasMatch /.well-known/acme-challenge/(.*)$ /var/letsencrypt/http_challenges/$1
    <directory /var/letsencrypt/http_challenges>
      AllowOverride None
      Require all granted
    </directory>
    <If "%{HTTP_HOST} == 'www.mydomain.tld'">
        Redirect permanent / https://mydomain.tld/
    </If>
    <Directory /var/www/wordpress>
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
    BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>

I ran several commands, either with --apache or with --webroot.
Last one:
certbot-3.12 certonly --webroot --agree-tos --no-eff-email --webroot-path /var/letsencrypt/http_challenges -d mydomain.tld -d www.mydomain.tld --dry-run

It produced this output:

Root logging level set at 10
Saving debug log to /var/letsencrypt/log/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x76a6704ea0c0>
Prep: True
Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x76a6704ea0c0> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/159537723', new_authzr_uri=None, terms_of_service=None), b387f4f0299c2f78e158aa03526ee71f, Meta(creation_dt=datetime.datetime(2024, 8, 15, 15, 43, 53, tzinfo=<UTC>), creation_host='loja.mydomain.tld', register_to_eff=None))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/11" 200 820
Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 22:35:52 GMT
Content-Type: application/json
Content-Length: 820
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "l4sj4VUCPRQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Should renew, less than 30 days before certificate expiry 2024-11-13 14:35:31 UTC.
Certificate is due for renewal, auto-renewing...
Notifying user: Simulating renewal of an existing certificate for mydomain.tld and www.mydomain.tld
Simulating renewal of an existing certificate for mydomain.tld and www.mydomain.tld
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/11" 200 0
Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 22:35:52 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: FW9SwLSL_8auA4SJhidK542D6X_0-hsguAB35A13qn-8hcoN9cE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: FW9SwLSL_8auA4SJhidK542D6X_0-hsguAB35A13qn-8hcoN9cE
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "mydomain.tld"\n    },\n    {\n      "type": "dns",\n      "value": "www.mydomain.tld"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTk1Mzc3MjMiLCAibm9uY2UiOiAiRlc5U3dMU0xfOGF1QTRTSmhpZEs1NDJENlhfMC1oc2d1QUIzNUExM3FuLThoY29OOWNFIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "ZD_2MLV43KPonVKAlxiTuhiO61V6wscWsvOdpEQzqbdHWIdNO2cZg_dMJRZsq9qF-V_9qd_PJYmatPfDxyrUNviQHqCIRJxSCfKDWi2JwB5MWSoaFpHJK4fS3bLk3zmWF6rW9O43vOxErm1WwPFoXm4JcSKrOM6_JN-3Uh1aA43f88iNY4SWEFWj3TV2tEmXPgb38KzW-X_LoKmExeI7_dXirnJzgwy_dXHH6RSX-jqqj4AbUmMxfO1QNocPt6Q7faA9zyC6Mi2z7KmLniv9e0JTmzrDNgxFU-3epW2VjCQNe6iKHnYrf15jae2tZlCsrIUI_Nucr9-NIl_7vuvgTw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInNhdWRlcmVub3ZhZGEucHQiCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAid3d3LnNhdWRlcmVub3ZhZGEucHQiCiAgICB9CiAgXQp9"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/11" 201 519
Received response:
HTTP 201
Server: nginx
Date: Tue, 19 Nov 2024 22:35:52 GMT
Content-Type: application/json
Content-Length: 519
Connection: keep-alive
Boulder-Requester: 159537723
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/159537723/20630789153
Replay-Nonce: jDZhkUVkBxRKPKJt2EE7nWCJXUai1yDwVHfAIpnx9D38hIfEuss
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2024-11-26T22:35:52Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "mydomain.tld"
    },
    {
      "type": "dns",
      "value": "www.mydomain.tld"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/159537723/14993140323",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/159537723/14993140333"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/159537723/20630789153"
}
Storing nonce: jDZhkUVkBxRKPKJt2EE7nWCJXUai1yDwVHfAIpnx9D38hIfEuss
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/159537723/14993140323:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTk1Mzc3MjMiLCAibm9uY2UiOiAiakRaaGtVVmtCeFJLUEtKdDJFRTduV0NKWFVhaTF5RHdWSGZBSXBueDlEMzhoSWZFdXNzIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE1OTUzNzcyMy8xNDk5MzE0MDMyMyJ9",
  "signature": "I-1aKdO1kxlM6N9o6liM4bC5qSVuKVgAhJFyN3McAEfZ0COFbb5U9cKtR-2MxTrqvUuzL6JPIS9AjG2T-t1ipZr_eQuGYCqYSQ5N6aRfTHldzrCl7N3ijp-UVdh0yItne5hdW8YRrAezZl4dtLrHRWmbFv5FKggxc_pWwpyr3MUlVtbU3VDoC0iRIsVw5dZNLCSEcDS5eZRklbciBnuwpX7FrRT4_RpAYgAQXUNs8lmkGc49b94co-fqoNH0upfPZOQro2GXMKRh84LD2BOYzU9Le2vXHA4jRGnPDOiPMX3sybmZOTfQ8bscJ_-lzw4nLDPzqpfE8huW4m0NugDHSA",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/159537723/14993140323 HTTP/11" 200 842
Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 22:35:52 GMT
Content-Type: application/json
Content-Length: 842
Connection: keep-alive
Boulder-Requester: 159537723
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: jDZhkUVk79OhTMzdzjEMfV8FfoiwgWoDkf1GTyfo1d-IQxaKlX4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.tld"
  },
  "status": "pending",
  "expires": "2024-11-26T22:35:52Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140323/1DVPeg",
      "status": "pending",
      "token": "mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8"
    },
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140323/5mrWAQ",
      "status": "pending",
      "token": "mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8"
    },
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140323/GycccQ",
      "status": "pending",
      "token": "mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8"
    }
  ]
}
Storing nonce: jDZhkUVk79OhTMzdzjEMfV8FfoiwgWoDkf1GTyfo1d-IQxaKlX4
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/159537723/14993140333:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTk1Mzc3MjMiLCAibm9uY2UiOiAiakRaaGtVVms3OU9oVE16ZHpqRU1mVjhGZm9pd2dXb0RrZjFHVHlmbzFkLUlReGFLbFg0IiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE1OTUzNzcyMy8xNDk5MzE0MDMzMyJ9",
  "signature": "DgavIDmMtmAiMXX-Kj9UNSOgBYZcm0tRsZJ4AGkUHg3A-avjk1Gp6MM4oHhwYivyjPmHqRuHQeT4CsMn3SQkiIsK_LJmNUqc_wrhXhBStTJ8IcoODvuDEU5Em_KXK0G_ULl48NaIr4XBnVBUMdKY5skBShYJqy3Hhz8_5V58iKEuApHzw9AuYOWesa9cflQoBvieiHkuggWbWGpQut5-fg14IYf_ZrWgKXP1Ajn0VNk8BhCCGX_KhEGNS9PF7398DUh9ctpwR_pgkeI9noFoGPha66jPMNtkRBK5ScW13C3U4EL-Dinvp_izI0yIZFzIugmNzonXsx0rdCqprZku6g",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/159537723/14993140333 HTTP/11" 200 846
Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 22:35:52 GMT
Content-Type: application/json
Content-Length: 846
Connection: keep-alive
Boulder-Requester: 159537723
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: jDZhkUVkxetYDgh0zYvDsRW8V_qqqFqgeek2TLdPcazK_9qeFhk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.mydomain.tld"
  },
  "status": "pending",
  "expires": "2024-11-26T22:35:52Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/5scdNQ",
      "status": "pending",
      "token": "hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8"
    },
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/EsCHHw",
      "status": "pending",
      "token": "hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/DwN7hg",
      "status": "pending",
      "token": "hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8"
    }
  ]
}
Storing nonce: jDZhkUVkxetYDgh0zYvDsRW8V_qqqFqgeek2TLdPcazK_9qeFhk
Performing the following challenges:
http-01 challenge for mydomain.tld
http-01 challenge for www.mydomain.tld
Using the webroot path /var/letsencrypt/http_challenges for all unmatched domains.
Creating root challenges validation dir at /var/letsencrypt/http_challenges/.well-known/acme-challenge
Creating root challenges validation dir at /var/letsencrypt/http_challenges/.well-known/acme-challenge
Attempting to save validation to /var/letsencrypt/http_challenges/.well-known/acme-challenge/mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8
Attempting to save validation to /var/letsencrypt/http_challenges/.well-known/acme-challenge/hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8
JWS payload:
b'{}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140323/5mrWAQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTk1Mzc3MjMiLCAibm9uY2UiOiAiakRaaGtVVmt4ZXRZRGdoMHpZdkRzUlc4Vl9xcXFGcWdlZWsyVExkUGNhektfOXFlRmhrIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzE1OTUzNzcyMy8xNDk5MzE0MDMyMy81bXJXQVEifQ",
  "signature": "bBBySmfB1YBEOv3U9p_jIcmGz-_Q9RA_ivGmthpTtEgJYAZEEZ07nKsBUfIMnk0j60YToMI1dH4Eml196ZvK2EmJnfUn7OD6IxNSH5HqXHsqlTGdnBlbUZQGq1Q1Jb_U1On0wBfLY25dJMIoyippPoxNaH7h6XNGTMpp49O8BAvtU1R_maMjQCXnpk_FGqsE6lNibuq6Kzn_gGXzUg8IPbr202lCMldc8hcLxv-8IIa2B-SrPdQn9IKCdiXU-F_8qyQWHxDNz65djC2d15m9VvZ5FM1YwHzv_1HorckAghi0xQNMlG6iE-to-u0PjkAB_ucOaZh9EztnLKm19fMnGw",
  "payload": "e30"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall/159537723/14993140323/5mrWAQ HTTP/11" 200 201
Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 22:35:52 GMT
Content-Type: application/json
Content-Length: 201
Connection: keep-alive
Boulder-Requester: 159537723
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz/159537723/14993140323>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140323/5mrWAQ
Replay-Nonce: FW9SwLSLRSpt28OxfKKZ8icHZN6dDuUzr9X25Hc5CHOEaUw9S8A
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140323/5mrWAQ",
  "status": "pending",
  "token": "mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8"
}
Storing nonce: FW9SwLSLRSpt28OxfKKZ8icHZN6dDuUzr9X25Hc5CHOEaUw9S8A
JWS payload:
b'{}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/5scdNQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTk1Mzc3MjMiLCAibm9uY2UiOiAiRlc5U3dMU0xSU3B0MjhPeGZLS1o4aWNIWk42ZER1VXpyOVgyNUhjNUNIT0VhVXc5UzhBIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzE1OTUzNzcyMy8xNDk5MzE0MDMzMy81c2NkTlEifQ",
  "signature": "Blj9ofsYSNyncyM8pFPOkCbf8gk_L71k0tYxOTkaH6Kk5GsJHAi09RpakXLFak0wYuEYRWCFustuVf8myrvKIoD7Qbw63AP-qjUh1XGoPAvyBmHwDDT4o4dvZvxSWzQW_9iQxYJ7k69tglgDSY8BWWpCogP52IeHcxOTyYD0U34Z7-O6DCeeHnV8mSpSW3cd77Ho0nASV00xOSai3Vf3MrfrDjxABqDZwz0TUgE0NuizPIXWigPGalMQNW3tHmWuwMo-GCtBmp_ebnOyMCV8xfiCRqe58UWG6h10rVsW6yZ7ux5CKbjixF_43jvSmt9ZiP1Ub9_DY_zioC1giXaVUQ",
  "payload": "e30"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall/159537723/14993140333/5scdNQ HTTP/11" 200 201
Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 22:35:53 GMT
Content-Type: application/json
Content-Length: 201
Connection: keep-alive
Boulder-Requester: 159537723
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz/159537723/14993140333>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/5scdNQ
Replay-Nonce: jDZhkUVkXIMKWaWB6Q0vi82j_Q3imHxYB6c83kfmaFatd5318rg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/5scdNQ",
  "status": "pending",
  "token": "hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8"
}
Storing nonce: jDZhkUVkXIMKWaWB6Q0vi82j_Q3imHxYB6c83kfmaFatd5318rg
Waiting for verification...
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/159537723/14993140323:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTk1Mzc3MjMiLCAibm9uY2UiOiAiakRaaGtVVmtYSU1LV2FXQjZRMHZpODJqX1EzaW1IeFlCNmM4M2tmbWFGYXRkNTMxOHJnIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE1OTUzNzcyMy8xNDk5MzE0MDMyMyJ9",
  "signature": "HXuuyTMqkilqdWePsCvPGyA9EsknilyXQeG2duny6H-rIgSy7H32LA3XAWEYH9eAMWxMacvQt9fs9go0QJIVLs8isa_GSFJt8eMljJHSjC4yAEddKnjbfL2auFL_U5rmtv-HBaifnbgeXTkA_1U5N3-CnhfgsnB3MGj9yRfCKFKOkyOLXejdK4uUjc744tCB6ppHgG31sc4xGlidtCo66nZ8dq9XfEMJUfIbU3-ETHYUNDMYuj0z7_IaTqNhi05sR8epioEeZfD4HRRDzEBGCPlrar1_eOX4sgh74Jsr9VoEVGP9o5_JlNyBvlwVQ6KrNWXeEyJxLGnVWc0q1o4pkw",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/159537723/14993140323 HTTP/11" 200 1372
Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 22:35:54 GMT
Content-Type: application/json
Content-Length: 1372
Connection: keep-alive
Boulder-Requester: 159537723
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: jDZhkUVk_kw4V440Ehno7LLvgLIrV63ZP2LKip_TmxXeIFsFc4E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.tld"
  },
  "status": "invalid",
  "expires": "2024-11-26T22:35:52Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140323/5mrWAQ",
      "status": "invalid",
      "validated": "2024-11-19T22:35:52Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "45.54.45.54: Fetching https://mydomain.tld/.well-known/acme-challenge/mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8: Error getting validation data",
        "status": 400
      },
      "token": "mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8",
      "validationRecord": [
        {
          "url": "http://mydomain.tld/.well-known/acme-challenge/mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8",
          "hostname": "mydomain.tld",
          "port": "80",
          "addressesResolved": [
            "45.54.45.54"
          ],
          "addressUsed": "45.54.45.54"
        },
        {
          "url": "https://mydomain.tld/.well-known/acme-challenge/mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8",
          "hostname": "mydomain.tld",
          "port": "443",
          "addressesResolved": [
            "45.54.45.54"
          ],
          "addressUsed": "45.54.45.54"
        }
      ]
    }
  ]
}
Storing nonce: jDZhkUVk_kw4V440Ehno7LLvgLIrV63ZP2LKip_TmxXeIFsFc4E
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/159537723/14993140333:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTk1Mzc3MjMiLCAibm9uY2UiOiAiakRaaGtVVmtfa3c0VjQ0MEVobm83TEx2Z0xJclY2M1pQMkxLaXBfVG14WGVJRnNGYzRFIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE1OTUzNzcyMy8xNDk5MzE0MDMzMyJ9",
  "signature": "atxs2ZH1LqFZ4lkxlpS9F6JyGqrx4MxWi5YDiXj_Z5NqFBBX9IUd1D-rxMSjE3op92LzPFvJiHVX6uGpU4BJmBCRurnB3oEydX3cU_RPkS_FQb_4BPsjOK4DRVoHHCBb7S6UKGYJKNVhzCLckagC82jUlDKp7IrxFYfTIvFurFqRJub2arBx5zFnwp0tZeJ6JTHwdI20yberTtnNWcLON70y40DbGsAH503mRmxXztzF9co1nv7CsBKf9Ya7dpu-SLCaz3Ww7sZTRfyYaCEW1DD5ABYz2SUjGFvryKOD6-intwwHcfv8EnTUIMBZ2fpSQ_ssHYiz-e_bzk70bcOrhA",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/159537723/14993140333 HTTP/11" 200 846
Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 22:35:54 GMT
Content-Type: application/json
Content-Length: 846
Connection: keep-alive
Boulder-Requester: 159537723
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: jDZhkUVkI8KAYI4AXbhhPif4LTv5cfbTv-T7RPBHAk_yM6PhQk0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.mydomain.tld"
  },
  "status": "pending",
  "expires": "2024-11-26T22:35:52Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/DwN7hg",
      "status": "pending",
      "token": "hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8"
    },
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/EsCHHw",
      "status": "pending",
      "token": "hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8"
    },
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/5scdNQ",
      "status": "pending",
      "token": "hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8"
    }
  ]
}
Storing nonce: jDZhkUVkI8KAYI4AXbhhPif4LTv5cfbTv-T7RPBHAk_yM6PhQk0
Challenge failed for domain mydomain.tld
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/159537723/14993140333:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTk1Mzc3MjMiLCAibm9uY2UiOiAiakRaaGtVVmtJOEtBWUk0QVhiaGhQaWY0TFR2NWNmYlR2LVQ3UlBCSEFrX3lNNlBoUWswIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE1OTUzNzcyMy8xNDk5MzE0MDMzMyJ9",
  "signature": "fMBx4Y9-DCPRELDmn9DD9xbz7okfxlzqWsf9tdC307duE78gOUpXptN3MILI0rEifwJq5UEHXh5d-C81khHQibfdlhYLrpRtHHI_Tyoiv7SIp0hBGpZgoUoNS5CmYBrryl1M_AotvJTWvUgqInOyWzlk2XXCO2hcwTVk54quAyh4o-1_IPGZm5wH1OXOgEumMC4UnDoUVV-rHGNwfkS7c1MkAAouklSUFubCjyngb6jLhoChYFt8HiIdlhReFvYWFvOAHYkf6HKIm-EuMLh00lRRuj3Tai4WIYd0UslH8MoiIT2JdQJSlq29IEUde2DMudSUnzex3i9YNFmBMK-QbA",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/159537723/14993140333 HTTP/11" 200 1384
Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 22:35:57 GMT
Content-Type: application/json
Content-Length: 1384
Connection: keep-alive
Boulder-Requester: 159537723
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: jDZhkUVkiK4x_xbEq9JLTH1kNHNMo5cPHj0xYIP8CVKb7K8MWHU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.mydomain.tld"
  },
  "status": "invalid",
  "expires": "2024-11-26T22:35:52Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/159537723/14993140333/5scdNQ",
      "status": "invalid",
      "validated": "2024-11-19T22:35:53Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "45.54.45.54: Fetching https://mydomain.tld/.well-known/acme-challenge/hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8: Error getting validation data",
        "status": 400
      },
      "token": "hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8",
      "validationRecord": [
        {
          "url": "http://www.mydomain.tld/.well-known/acme-challenge/hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8",
          "hostname": "www.mydomain.tld",
          "port": "80",
          "addressesResolved": [
            "45.54.45.54"
          ],
          "addressUsed": "45.54.45.54"
        },
        {
          "url": "https://mydomain.tld/.well-known/acme-challenge/hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8",
          "hostname": "mydomain.tld",
          "port": "443",
          "addressesResolved": [
            "45.54.45.54"
          ],
          "addressUsed": "45.54.45.54"
        }
      ]
    }
  ]
}
Storing nonce: jDZhkUVkiK4x_xbEq9JLTH1kNHNMo5cPHj0xYIP8CVKb7K8MWHU
Challenge failed for domain www.mydomain.tld
http-01 challenge for mydomain.tld
http-01 challenge for www.mydomain.tld
Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mydomain.tld
  Type:   connection
  Detail: 45.54.45.54: Fetching https://mydomain.tld/.well-known/acme-challenge/mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8: Error getting validation data

  Domain: www.mydomain.tld
  Type:   connection
  Detail: 45.54.45.54: Fetching https://mydomain.tld/.well-known/acme-challenge/hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.


Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mydomain.tld
  Type:   connection
  Detail: 45.54.45.54: Fetching https://mydomain.tld/.well-known/acme-challenge/mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8: Error getting validation data

  Domain: www.mydomain.tld
  Type:   connection
  Detail: 45.54.45.54: Fetching https://mydomain.tld/.well-known/acme-challenge/hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Encountered exception:
Traceback (most recent call last):
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Removing /var/letsencrypt/http_challenges/.well-known/acme-challenge/mehmFbD37afIy0wZT1QXiAjbB7CTywl_q4PCnTpCSM8
Removing /var/letsencrypt/http_challenges/.well-known/acme-challenge/hkrZYgfXS9i4glS59oJPf8VNa_rEksCCkRul8PVCHC8
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/pkg/bin/certbot-3.12", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/pkg/lib/python3.12/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/pkg/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/letsencrypt/log/letsencrypt.log or re-run Certbot with -v for more details.

Really, I cannot understand what's wrong.
Three months ago the certificates could be installed, but I cannot renew them now. They have been expired since a couple of days ago.

The HTTP requests are being redirected to HTTPS.
The HTTPS server block doesn't include a certificate...
Does HTTPS to your site work?

2 Likes

Maybe it's not the best thing to do, but I want my wordpress site to be available only through https.
Is it possible to serve the acme challenge through port 80 not redirected and have everything else redirected to 443?

It doesn't include one now, because the three-month period of the last certificate ended without a renewal.
I commented out the SSL lines so as not to get errors in Apache.

It used to work until some days ago while the certificate was valid.

I'm not too familiar with Apache but does it really throw errors when the certificate is expired?

Note that Let's Encrypt doesn't check the validity of certificates when plain HTTP requests are being redirected to HTTPS, whether the server's certificate is an expired or a self-signed one.

2 Likes

Yes, the --apache option does exactly that. It places temp config changes into your Apache to handle it in your port 80 VirtualHost

Or, with the --webroot option you can configure your VirtualHost to do that.

What is the output of this (it is just a test)

sudo certbot certonly --apache --dry-run -d (domain1) -d (domain2) 

We can sort out your Apache problem with port 443 later.

4 Likes

Tried that command with the three SSL lines commented, and afterwards with them uncommented. Same result.

Saving debug log to /var/letsencrypt/log/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Could not find configuration root')

Oh, that error happens with a non-standard Apache config. There are additional settings that probably allow that to work. But --webroot may be easier. And this means you probably did not use the --apache option to get your earlier cert.

There should be a renewal conf file in this folder:

/etc/letsencrypt/renewal

Would you post contents of that? You can redact the account number if you want.

2 Likes

Sure. It's:

# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /usr/pkg/etc/letsencrypt/archive/www.mydomain.tld
cert = /usr/pkg/etc/letsencrypt/live/www.mydomain.tld/cert.pem
privkey = /usr/pkg/etc/letsencrypt/live/www.mydomain.tld/privkey.pem
chain = /usr/pkg/etc/letsencrypt/live/www.mydomain.tld/chain.pem
fullchain = /usr/pkg/etc/letsencrypt/live/www.mydomain.tld/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 49jdsalj349uujds3r8934ea86
authenticator = webroot
webroot_path = /var/www/wordpress,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
mydomain.tld = /var/www/wordpress
www.mydomain.tld = /var/www/wordpress

I suggest changing your VirtualHost for port 80 to look like this

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin webmaster@mydomain.tld
    DocumentRoot /var/www/wordpress
    <If "%{REQUEST_URI} !~ m#/\.well-known/acme-challenge/#">
        Redirect permanent / https://example.com/
    </If>
</VirtualHost>

Of course, change example.com and www.example.com to your domain names. And, the ServerAdmin to match your actual too.

Then, try this and let us know result

sudo certbot renew --dry-run
3 Likes
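
The port-80 VirtualHost above relies on the `<If>` expression to let `/.well-known/acme-challenge/` through while everything else is redirected. The script below is an added example, not code from the thread or from Certbot, that checks both behaviours from the outside the way the CA does before `certbot renew` is run: it drops a random token into the webroot that the renewal conf names (`/var/www/wordpress/.well-known/acme-challenge/`, which is where `--webroot` writes its files), fetches it over plain HTTP without following redirects, and then confirms that a request for `/` is a 30x to an `https://` URL. The domain, webroot and `RUN_LIVE` switch are assumptions for the example; the two `check_*` functions are pure and can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the *:80 VirtualHost serves
# ACME challenge files directly and redirects everything else to HTTPS.
# Assumed defaults: the placeholder domain from the thread and the webroot
# listed under [[webroot_map]] in the renewal conf.
set -eu

DOMAIN="${1:-mydomain.tld}"          # assumption: placeholder domain
WEBROOT="${2:-/var/www/wordpress}"    # webroot_path from the renewal conf

# Pure check: the challenge URL must answer 200 with the token as the whole body.
# Prints "ok" on success, otherwise a reason; returns 0/1 accordingly.
check_challenge_response() {
    status="$1"; body="$2"; expected="$3"
    if [ "$status" != "200" ]; then
        echo "challenge: expected 200, got $status"; return 1
    fi
    if [ "$body" != "$expected" ]; then
        echo "challenge: body does not match the token"; return 1
    fi
    echo "ok"
}

# Pure check: any other HTTP request must be a redirect to an https:// URL.
check_redirect_response() {
    status="$1"; location="$2"
    case "$status" in
        301|302|307|308) ;;
        *) echo "redirect: expected 30x, got $status"; return 1 ;;
    esac
    case "$location" in
        https://*) echo "ok" ;;
        *) echo "redirect: Location is not https ($location)"; return 1 ;;
    esac
}

run_live_check() {
    dir="$WEBROOT/.well-known/acme-challenge"
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    trap 'rm -f "$dir/$token"' EXIT     # clean up the probe file on exit

    # No -L: the CA needs the port-80 server's own answer, not a redirect target.
    url="http://$DOMAIN/.well-known/acme-challenge/$token"
    body=$(curl -sS "$url")
    status=$(curl -sS -o /dev/null -w '%{http_code}' "$url")
    check_challenge_response "$status" "$body" "$token"

    # The home page, by contrast, should be redirected to HTTPS.
    status=$(curl -sS -o /dev/null -w '%{http_code}' "http://$DOMAIN/")
    location=$(curl -sS -o /dev/null -w '%{redirect_url}' "http://$DOMAIN/")
    check_redirect_response "$status" "$location"
}

# Only touch the network and the webroot when explicitly asked to.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    run_live_check
fi
```

Run it as `RUN_LIVE=1 sh acme-probe.sh mydomain.tld /var/www/wordpress` from a host outside your network. A 403 on the first check, as in the `renew --dry-run` output above, means the webroot itself is not readable to the *:80 VirtualHost, independent of Certbot.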

# certbot-3.12  renew --dry-run
Saving debug log to /var/letsencrypt/log/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/pkg/etc/letsencrypt/renewal/www.mydomain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.mydomain.tld and mydomain.tld

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mydomain.tld
  Type:   unauthorized
  Detail: 33.44.55.66: Invalid response from http://mydomain.tld/.well-known/acme-challenge/VBIb4lakjasdfHHKJLHo_PiczrspcJbUEdyp6MGss: 403

  Domain: www.mydomain.tld
  Type:   unauthorized
  Detail: 33.44.55.66: Invalid response from http://www.mydomain.tld/.well-known/acme-challenge/AH8LTjU4NymCajlaHHf438ReyVRp-OJXLObBKIEjBM: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate www.mydomain.tld with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /usr/pkg/etc/letsencrypt/live/www.mydomain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Good. Making progress. The 403 is a "Forbidden" response from your server. But note there is now an HTTP URL in the error so it is being handled in that port 80 VirtualHost. This is what we want.

There was nothing in the VirtualHost you showed that would deny such a request with 403.

Do you know why it might do that? What happens if you try to reach your "home" page using HTTP? Does it also fail with 403? Because then something else has changed in your system as HTTP requests were getting through before (we saw them get redirected).

Have you changed a firewall or something like that?

3 Likes

Hi @MikeMcQ, sorry for the delay.

curl http://mydomain.tld returns a 403, indeed.
curl -k https://mydomain.tld is able to return the decoded index.php.

I'm not yet using a firewall for this site.

My current httpd-vhosts.conf file has:

<VirtualHost *:80>
    ServerName mydomain.tld
    ServerAlias www.mydomain.tld
    ServerAdmin webmaster@mydomain.tld
    DocumentRoot /var/www/wordpress
    <If "%{REQUEST_URI} !~ m#/\.well-known/acme-challenge/#">
        Redirect permanent / https://mydomain.tld/
    </If>
</VirtualHost>
<VirtualHost *:443>
    ServerName mydomain.tld
    ServerAlias www.mydomain.tld
    ServerAdmin webmaster@mydomain.tld
    DocumentRoot "/var/www/wordpress"
    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:///var/run/php-fpm/mydomain.tld.sock|fcgi://127.0.0.1:9000/var/www/wordpress timeout=300
    DirectoryIndex index.html index.php
    SSLEngine on
    SSLCertificateFile    /usr/pkg/etc/letsencrypt/live/www.mydomain.tld/cert.pem
    SSLCertificateKeyFile /usr/pkg/etc/letsencrypt/live/www.mydomain.tld/privkey.pem
    ErrorLog "/var/log/httpd/mydomain.tld-error_log"
    CustomLog "/var/log/httpd/mydomain.tld-access_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    AliasMatch /.well-known/acme-challenge/(.*)$ /var/letsencrypt/http_challenges/$1
    <directory /var/letsencrypt/http_challenges>
      AllowOverride None
      Require all granted
    </directory>
    <If "%{HTTP_HOST} == 'www.mydomain.tld'">
        Redirect permanent / https://mydomain.tld/
    </If>
    <Directory /var/www/wordpress>
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
    BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>

The webroot has permissions:
# ls -ld wordpress/
drwxr-x--- 5 myuser www 1024 Nov 20 23:30 wordpress/

As far as I understand, WordPress recommends that the webroot not be writable by the www user of Apache. Could this be the issue?

No, the 403 Forbidden occurs with any request to your domain. There is nothing being written. Something is trying to be read. Besides, the DocumentRoot for your port 80 VHost is the same as port 443.

I discovered your domain in part of the log you showed earlier. The 403 is not unique to Let's Encrypt. It looks like your Apache or perhaps WordPress system is blocking any HTTP request. Which is odd because it was redirecting requests before so something changed.

You will need to show the domain name for further help. It is too difficult to help with these kinds of problems without that. The results to your actual domain are below but I redacted the name until you provide it explicitly.

Requests for your "home" page

# HTTPS (port 443) is fine (except for expired cert)
curl -Ik https://example.pt
HTTP/1.1 200 OK
Server: Apache/2.4.62 (Unix) OpenSSL/3.0.12
X-Powered-By: PHP/8.3.8
Cache-Control: max-age=3, must-revalidate

# HTTP (port 80) is not
curl -Ik http://example.pt
HTTP/1.1 403 Forbidden
Server: Apache/2.4.62 (Unix) OpenSSL/3.0.12
Content-Type: text/html; charset=iso-8859-1

2 Likes

You did? My greps don't show anything. Or was it encoded in some token?

The domain is 'saude renovada onedot pt'. 🙂

Okay good. Yes, I can readily reproduce failures to that domain even using Let's Debug

What happens if you try HTTP to your domain from the public internet? Like using a mobile phone with wifi disabled?

2 Likes

It's a forbidden response.
That curl I used before was from the Internet as well (403 error).

Yes, you have to find out why your system sends out a 403 for an HTTP request to your home page.

What does this show

sudo httpd -t -D DUMP_VHOSTS

Maybe you have multiple VirtualHosts now?

Please don't redact the domain anymore. It might cause us to miss the underlying reason for failure.

2 Likes

There are no more virtual hosts.

# httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   sauderenovada.pt (/usr/pkg/etc/httpd/httpd-vhosts.conf:23)
*:443                  sauderenovada.pt (/usr/pkg/etc/httpd/httpd-vhosts.conf:46)

Maybe something in the main httpd.conf?

Maybe. What about a .htaccess file. Is there one of those? You may need to hunt around for it.

2 Likes

At the webroot (/var/www/wordpress), there's this .htaccess file with contents:

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
</IfModule>
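
The `.htaccess` above is the stock WordPress permalink block: its `RewriteCond !-f` passes any existing file, such as a challenge token, straight through, so it does not by itself explain a 403. The next place to look is Apache's own access control. The script below is an added example, not from the thread, that gathers the evidence in one pass: every config file `httpd` actually loads (`-D DUMP_INCLUDES`), each access-control directive in those files with its file and line, the `.htaccess` files under the webroot, and the paths that `mod_authz_core` refused according to the error log (message `AH01630`, "client denied by server configuration"). One thing worth checking in that output, a plain Apache 2.4 fact rather than a diagnosis of this site: a `<Directory>` block placed inside one `<VirtualHost>` applies only to that VirtualHost, so the `Require all granted` for `/var/www/wordpress` shown inside `*:443` does not carry over to the `*:80` host that now answers the challenge requests. The `httpd` binary name, log path and `TRIAGE` switch are assumptions for the example; the two parsing helpers run offline.

```shell
#!/bin/sh
# Added example (not from the thread): triage where an Apache 2.4 "403 Forbidden"
# on plain HTTP is coming from. Paths follow the pkgsrc layout in the thread;
# override HTTPD, ERROR_LOG and WEBROOT if yours differ.
set -eu

HTTPD="${HTTPD:-httpd}"                            # assumption: httpd on PATH
ERROR_LOG="${ERROR_LOG:-/var/log/httpd/error_log}"  # Main ErrorLog from httpd -S
WEBROOT="${WEBROOT:-/var/www/wordpress}"            # DocumentRoot of both vhosts

# Parse Apache 2.4 error_log text on stdin and print, one per line, the
# filesystem paths that mod_authz_core refused (AH01630). A hit means a
# Require rule in some <Directory>/<Location> scope denied the request.
denied_paths() {
    sed -n 's/.*AH01630: client denied by server configuration: //p' | sort -u
}

# Filter "file:line:text" lines (grep -nH output) down to the directives that
# decide access in 2.4: Require, the 2.2-style Order/Deny/Allow that need
# mod_access_compat, AllowOverride, and the scopes they live in.
access_directives() {
    grep -iE '^[^:]*:[0-9]+:[[:space:]]*(</?(Directory|DirectoryMatch|Location|Files|VirtualHost)|Require |Order |Deny |Allow |AllowOverride )' || true
}

# Live triage runs only on request so the helpers above can be tested offline.
if [ "${TRIAGE:-0}" = "1" ]; then
    echo "== config files Apache actually loads =="
    "$HTTPD" -t -D DUMP_INCLUDES

    echo "== access-control directives, in load order =="
    # DUMP_INCLUDES prints "  (line) /path/to/file"; keep just the path.
    "$HTTPD" -t -D DUMP_INCLUDES | sed -n 's/^ *([^)]*) //p' \
        | xargs grep -nH . | access_directives

    echo "== .htaccess files under the webroot =="
    find "$WEBROOT" -name .htaccess -print

    echo "== paths authz refused, from $ERROR_LOG =="
    denied_paths < "$ERROR_LOG"
fi
```

Run `TRIAGE=1 sh apache-403-triage.sh` as root right after reproducing the 403 with `curl -I http://sauderenovada.pt/`, and read the directive list top to bottom: Apache merges the main server `<Directory>` blocks first, then the VirtualHost's own, so whatever `Require` sits in scope for the `*:80` host at `/var/www/wordpress` is what the request sees.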