I'm installing Nextcloud following these instructions on an Ubuntu server VM on Proxmox. I'm not a Linux expert, but everything went fine until I tried to get an SSL certificate.
It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: nextcloud.vanregteren.net
Type: unauthorized
Detail: During secondary validation: 84.245.10.94: Invalid response from Login – Nextcloud 403
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
My web server is (include version):
Apache 2.4.52
The operating system my web server runs on is (include version):
Ubuntu server 22.04
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.32.0
Your system is rejecting requests due to Threat Prevention. You should review your firewall and network gear to allow HTTP requests to your domain. Or, change to use a DNS Challenge instead of the HTTP Challenge used by the --apache plug-in (info here).
For example, a request from my own test server to your home page also gets the 403 error you show:
curl -i http://nextcloud.vanregteren.net
HTTP/1.1 403 Forbidden
Content-Length: 316
Content-Type: text/html
Connection: Close
<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD>
<BODY><center><b>Threat Prevention</b></center>
<p>This site is blocked because it violates network policy.</p>
<p>Host: nextcloud.vanregteren.net</p>
<p>URI: /</p>
<p>Reason: Threat reputation No reputation</p>
<p>Please contact your network administrator</p></BODY></HTML>
Seems to be geographically linked. From NL I can perfectly reach the Nextcloud instance. The fact that the primary location can validate the challenge from the US, but the secondary somewhere else in the world cannot, corroborates that.
Not sure it's geographic, as this test also fails from NL (but worked from Australia).
In any case, they need to review their security settings. Let's Debug will show OK when testing this domain but looking at the Verbose Info you'll see the 403. And, the 403 from the Let's Encrypt staging server. That is a better way to test this than repeating --apache against production servers.
That was the quickest response I've ever had to a question!
That was the solution; I'm running the Untangle firewall. I've disabled it and re-ran the certbot command.
Worked like a charm!
You might want to look at whether it can selectively allow the path /.well-known/acme-challenge/ if you want to keep it enabled. Let's Encrypt is meant to be automated, and manually disabling your firewall every 60 days for renewal is cumbersome.
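To make the two pieces of advice in this thread checkable before re-running certbot (test against something other than production, and confirm that /.well-known/acme-challenge/ in particular is reachable from outside), here is a small pre-flight classifier. It is an added example, not code from the thread, certbot or Untangle. The 403 body is the one quoted above; the token and the other sample responses are constructed. `probe()` fetches a real URL and needs network access, so run it from a vantage point outside your own network (a VPS, a phone on mobile data); the `classify_response()` logic is what distinguishes "the firewall answered" from "Apache answered".

```python
"""Classify what a client sees when it fetches an HTTP-01 challenge URL.

Added example (not from the thread): the 403 body is the one quoted in
the thread; the token and the other sample responses are constructed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

ACME_PATH = "/.well-known/acme-challenge/"

# Quoted in the thread: the interstitial the firewall returned for "/".
FIREWALL_403_BODY = """<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD>
<BODY><center><b>Threat Prevention</b></center>
<p>This site is blocked because it violates network policy.</p>
<p>Host: nextcloud.vanregteren.net</p>
<p>URI: /</p>
<p>Reason: Threat reputation No reputation</p>
<p>Please contact your network administrator</p></BODY></HTML>"""

# Constructed: a correctly served challenge file is just the token as plain text.
SAMPLE_TOKEN = "constructed-token-0123456789"
SERVED_TOKEN_BODY = SAMPLE_TOKEN + "\n"

# Constructed: an application front controller swallowing the path and
# serving its login page instead (the "Login – Nextcloud" case from certbot's output).
LOGIN_PAGE_BODY = "<html><head><title>Login – Nextcloud</title></head><body>...</body></html>"

# Phrases that identify a middlebox interstitial rather than the web server itself.
INTERSTITIAL_MARKERS = (
    "threat prevention",
    "violates network policy",
    "contact your network administrator",
)


@dataclass(frozen=True)
class Verdict:
    outcome: str   # ok | blocked | forbidden | not_found | wrong_content | unreachable | unexpected
    detail: str


def _title(body: str) -> str:
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else "untitled"


def classify_response(status: int, body: str, expected_token: str) -> Verdict:
    """Map an HTTP status/body pair for the challenge URL to a diagnosis."""
    lower = body.lower()
    if status == 403 and any(m in lower for m in INTERSTITIAL_MARKERS):
        return Verdict("blocked", "403 interstitial from a network filter, not Apache: " + _title(body))
    if status == 403:
        return Verdict("forbidden", "403 from the origin; check Apache access rules for " + ACME_PATH)
    if status == 404:
        return Verdict("not_found", "404: the vhost answering this name does not serve " + ACME_PATH)
    if status == 200:
        if body.strip() == expected_token:
            return Verdict("ok", "challenge file served verbatim")
        return Verdict("wrong_content", "200 but body is not the token; an app route is shadowing the path: " + _title(body))
    return Verdict("unexpected", f"HTTP {status}")


def probe(hostname: str, token: str, timeout: float = 10.0) -> Verdict:
    """Fetch the challenge URL for real (network required).

    Place a plain-text file named `token` containing `token` under the web
    root's .well-known/acme-challenge/ first, then call this from outside
    your own network.
    """
    url = f"http://{hostname}{ACME_PATH}{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"), token)
    except urllib.error.HTTPError as e:
        # Non-2xx responses arrive here; the body still carries the diagnosis.
        return classify_response(e.code, e.read().decode("utf-8", "replace"), token)
    except (urllib.error.URLError, OSError) as e:
        return Verdict("unreachable", str(e))


if __name__ == "__main__":
    samples = [
        (403, FIREWALL_403_BODY),
        (200, SERVED_TOKEN_BODY),
        (200, LOGIN_PAGE_BODY),
        (404, ""),
    ]
    for status, body in samples:
        v = classify_response(status, body, SAMPLE_TOKEN)
        print(f"{status} -> {v.outcome}: {v.detail}")
```

A "blocked" verdict means the bytes never came from Apache, so editing the vhost will not help; the fix belongs in the filter (an exception for the exact path, as suggested above, or switching to the DNS challenge). A "wrong_content" verdict is the other common cause of "Invalid response from Login – Nextcloud": the challenge path is reaching the server but the application is answering instead of a static file.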