Certbot apache or webroot failed to download the temporary challenge files

I don't see why your Apache returns a 403. Can you show contents of this file? Maybe there are multiple copies?

/usr/pkg/etc/httpd/httpd-vhosts.conf

Otherwise you will need to ask the support for whoever provides that package you use.


In /usr/pkg/etc/httpd.conf there are only these includes:

Include etc/httpd/httpd-vhosts.conf
Include etc/httpd/httpd-ssl.conf

The contents of the file:

<VirtualHost *:80>
    ServerName sauderenovada.pt
    ServerAlias www.sauderenovada.pt
    ServerAdmin webmaster@sauderenovada.pt
    DocumentRoot /var/www/wordpress
    <If "%{REQUEST_URI} !~ m#/\.well-known/acme-challenge/#">
        Redirect permanent / https://sauderenovada.pt/
    </If>
</VirtualHost>
<VirtualHost *:443>
    ServerName sauderenovada.pt
    ServerAlias www.sauderenovada.pt
    ServerAdmin webmaster@sauderenovada.pt
    DocumentRoot "/var/www/wordpress"
    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:///var/run/php-fpm/sauderenovada.pt.sock|fcgi://127.0.0.1:9000/var/www/wordpress timeout=300
    DirectoryIndex index.html index.php
    SSLEngine on
    SSLCertificateFile    /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/cert.pem
    SSLCertificateKeyFile /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/privkey.pem
    ErrorLog "/var/log/httpd/sauderenovada.pt-error_log"
    CustomLog "/var/log/httpd/sauderenovada.pt-access_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    AliasMatch /.well-known/acme-challenge/(.*)$ /var/letsencrypt/http_challenges/$1
    <directory /var/letsencrypt/http_challenges>
      AllowOverride None
      Require all granted
    </directory>
    <If "%{HTTP_HOST} == 'www.sauderenovada.pt'">
        Redirect permanent / https://sauderenovada.pt/
    </If>
    <Directory /var/www/wordpress>
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
    BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>

We need to see the Apache error log for that to know the reason. It is still puzzling as this is the same VirtualHost you had earlier except for the IF statement.

Look in the default error log file for reasons for the 403. If you don't have a default error log, change your VirtualHost to look like this. Restart Apache, try an HTTP request to that domain and then show content of that error log file.

<VirtualHost *:80>
    ServerName sauderenovada.pt
    ServerAlias www.sauderenovada.pt
    ServerAdmin webmaster@sauderenovada.pt
    ErrorLog "/var/log/httpd/sauderenovada.pt80-error_log"     # NEW line
    DocumentRoot /var/www/wordpress
    <If "%{REQUEST_URI} !~ m#/\.well-known/acme-challenge/#">
        Redirect permanent / https://sauderenovada.pt/
    </If>
</VirtualHost>

Tried to access it again with curl http://sauderenovada.pt.

In the generic apache access log:

my.ip.at.remote - - [26/Nov/2024:18:47:31 +0000] "GET / HTTP/1.1" 403 199

The generic error.log shows:

[Tue Nov 26 18:47:31 2024] [authz_core:error] [pid 7458:tid xxxxxx] [client my.ip.at.remote:55671] AH01630: client denied by server configuration: /var/www/wordpress/

In the specific logs for the virtual host, there are no entries related to my http request, just for others trying to gain some information.

Yeah, I don't know why you would need this now and did not before, but change your port 80 VirtualHost to be like this:

<VirtualHost *:80>
    ServerName sauderenovada.pt
    ServerAlias www.sauderenovada.pt
    ServerAdmin webmaster@sauderenovada.pt
    ErrorLog "/var/log/httpd/sauderenovada.pt80-error_log"  
    <Directory /var/www/wordpress/>
        AllowOverride None
        Require all granted
    </Directory>
    DocumentRoot /var/www/wordpress
    <If "%{REQUEST_URI} !~ m#/\.well-known/acme-challenge/#">
        Redirect permanent / https://sauderenovada.pt/
    </If>
</VirtualHost>

Then try:

sudo certbot renew --dry-run

If that works re-run that without --dry-run


There are these settings in httpd.conf:

<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/htdocs"
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>

We cross-posted. Please see my post just before yours.


Hi @MikeMcQ, sorry for the late response, but have limited time available.

You nailed it!

$ curl http:/ 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://sauderenovada.pt/">here</a>.</p>
</body></html>

And when simulating the renewal:

# certbot-3.12  renew --dry-run
Saving debug log to /var/letsencrypt/log/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/pkg/etc/letsencrypt/renewal/www.sauderenovada.pt.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.sauderenovada.pt and sauderenovada.pt

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thank you very much for your great support, @MikeMcQ!


You are welcome, but I don't think this was my best result :) Usually they don't take so long.

There are still a couple steps to get you running properly.

The first is to run without dry-run so you get a production cert. That was just a test.

sudo certbot renew

Once that works we need to fix the certificate config in your port 443 host. It is currently:

SSLCertificateFile    /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/cert.pem

But it should be this (note fullchain.pem instead of cert.pem):

SSLCertificateFile    /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt/fullchain.pem

And one final step about auto-reloading Apache which I will describe after these are done.


I made it difficult for you! ah ah

The certificate is renewed and the fullchain.pem line was inserted instead of the cert.pem one.


Excellent. I see you got a fresh production cert today. But, your Apache is not yet using it.

Run the command to gracefully reload your Apache and let me know what that command is. We can then describe how to reload that automatically when the cert renews.

I am not certain what it would be with your somewhat non-standard config. Thanks


The command used was apachectl graceful.
It's working fine, now.


Excellent. Yes, your Apache is now using the latest cert and properly validates because of fullchain.pem (see: https://decoder.link/sslchecker/sauderenovada.pt/443)

One last thing is to adjust the Certbot renewal profile so that it will automatically reload Apache each time it gets a fresh cert. It is not required, but otherwise you must regularly reload (or restart) Apache so it sees the latest one.

To update the profile do:

sudo certbot reconfigure --cert-name www.sauderenovada.pt --deploy-hook 'apachectl graceful'

When it asks whether you want it run during --dry-run, respond r for Run (yes).

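The three things this thread ended up checking by hand (a plain HTTP request to / must redirect rather than 403, a file under /.well-known/acme-challenge/ must be served with a 200 and no redirect, and the TLS listener must send the intermediate chain from fullchain.pem rather than just cert.pem) can be scripted as a pre-flight run before `certbot renew`. The script below is an added example and is not from the thread or from Certbot. It assumes curl and openssl are installed, that it runs on the web server as a user who can write into the challenge directory, and that the second argument is the directory Certbot's webroot plugin writes into for this host.

```shell
#!/bin/sh
# HTTP-01 pre-flight for an Apache host that redirects HTTP -> HTTPS but
# exempts /.well-known/acme-challenge/. Added example, not from the thread.
# Assumptions: curl and openssl on PATH; run on the web server itself with
# write access to the challenge directory passed as $2.
set -u

# Extract the numeric status from a block of response headers
# (handles both "HTTP/1.1 200 OK" and "HTTP/2 200").
status_of() {
    printf '%s\n' "$1" | sed -n '1s#^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*#\1#p'
}

# Count PEM certificate blocks in text: 1 means leaf only (what cert.pem
# gives you), 2 or more means leaf plus intermediates (fullchain.pem).
count_certs() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# 1. A plain HTTP request to / must be redirected, not denied with a 403.
check_redirect() {
    hdrs=$(curl -s -o /dev/null -D - "http://$1/")
    code=$(status_of "$hdrs")
    case "$code" in
        301|302|307|308) echo "ok: http://$1/ -> $code redirect"; return 0 ;;
        *) echo "FAIL: http://$1/ returned '$code' (expected a redirect)"; return 1 ;;
    esac
}

# 2. A fresh token file in the challenge directory must come back verbatim
#    over plain HTTP with a 200; a redirect or 403 here breaks HTTP-01.
check_challenge() {
    domain=$1; dir=$2
    token=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
    body=/tmp/acme-preflight.$$
    printf 'preflight-%s' "$token" > "$dir/$token" || return 1
    hdrs=$(curl -s -o "$body" -D - "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    code=$(status_of "$hdrs")
    if [ "$code" = 200 ] && grep -q "preflight-$token" "$body"; then
        rm -f "$body"; echo "ok: challenge path served with 200"; return 0
    fi
    rm -f "$body"; echo "FAIL: challenge path returned '$code'"; return 1
}

# 3. The TLS listener must present intermediates, i.e. use fullchain.pem.
check_chain() {
    chain=$(openssl s_client -showcerts -servername "$1" -connect "$1:443" \
        </dev/null 2>/dev/null)
    n=$(count_certs "$chain")
    if [ "$n" -ge 2 ]; then
        echo "ok: server sent $n certificates"; return 0
    fi
    echo "FAIL: server sent $n certificate(s); point SSLCertificateFile at fullchain.pem"
    return 1
}

# Usage: sh acme-preflight.sh sauderenovada.pt /var/www/wordpress/.well-known/acme-challenge
if [ "$#" -ge 2 ]; then
    rc=0
    check_redirect "$1" || rc=1
    check_challenge "$1" "$2" || rc=1
    check_chain "$1" || rc=1
    exit "$rc"
fi
```

Run it for each name on the certificate (here both sauderenovada.pt and www.sauderenovada.pt), since the CA validates every name and a ServerAlias or a host-specific redirect can behave differently. The challenge directory argument is whatever the webroot plugin was told; the thread never states it, so the path in the usage line is only an example.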

Should I use just this, or have something for sauderenovada.pt as well?


Just that name. It is the name of the certificate "profile" that Certbot uses. It is not the actual domain name. It was shown in your prior commands like:

But, when using it with --cert-name, you leave off the .conf.

That single profile is for your cert that has both domain names in it.

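The deploy hook in the thread is the bare command `apachectl graceful`. A script instead of a bare command lets the hook refuse to reload when the configuration no longer passes a syntax check, and record what it did. The script below is an added example, not from the thread or from Certbot. What it relies on from Certbot is real: deploy hooks run with RENEWED_LINEAGE set to the live/<cert-name> directory and RENEWED_DOMAINS set to the space-separated renewed names. The log path and the hook's install location are assumptions.

```shell
#!/bin/sh
# Certbot deploy hook that reloads Apache only after a successful configtest.
# Added example, not from the thread. Certbot exports RENEWED_LINEAGE
# (e.g. /usr/pkg/etc/letsencrypt/live/www.sauderenovada.pt) and
# RENEWED_DOMAINS when it runs a deploy hook; the log path is an assumption.
set -u

LOG="${DEPLOY_HOOK_LOG:-/var/log/httpd/certbot-deploy.log}"

log() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG"
}

# Certificate "profile" name (the --cert-name value) from the lineage path.
lineage_name() {
    basename "$1"
}

# Do not reload for a lineage whose files Apache cannot read; a missing or
# unreadable key after a reload means a dead 443 listener.
lineage_ready() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Reload only if Apache accepts the current configuration; a graceful reload
# on a broken config fails quietly and keeps serving the old certificate.
reload_apache() {
    if apachectl configtest >/dev/null 2>&1; then
        apachectl graceful
    else
        return 1
    fi
}

main() {
    lineage=$RENEWED_LINEAGE
    name=$(lineage_name "$lineage")
    if ! lineage_ready "$lineage"; then
        log "skip: $name: fullchain.pem/privkey.pem not readable in $lineage"
        exit 1
    fi
    if reload_apache; then
        log "reloaded apache for $name (${RENEWED_DOMAINS:-?})"
    else
        log "ERROR: configtest failed; apache NOT reloaded for $name"
        exit 1
    fi
}

# RENEWED_LINEAGE is only set when Certbot invokes this as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it somewhere root-owned and executable (say /usr/local/sbin/certbot-deploy-hook.sh, an assumed path) and register it the same way the thread registers the bare command: `certbot reconfigure --cert-name www.sauderenovada.pt --deploy-hook /usr/local/sbin/certbot-deploy-hook.sh`. Because the hook exits non-zero when it does not reload, the failure shows up in Certbot's output and log instead of passing silently.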

It's done, it ran successfully.

Successfully updated configuration.
Changes will apply when the certificate renews.

Thank you very much @MikeMcQ, you have been of great help!
Hope you'll get double help in life of what you have just given me.


You are very welcome. I appreciate your nice attitude throughout.
