Certbot Renew Got 403 Error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: arena.csc.ncsu.edu

I ran this command: sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/arena.csc.ncsu.edu.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for arena.csc.ncsu.edu
Waiting for verification…
Challenge failed for domain arena.csc.ncsu.edu
http-01 challenge for arena.csc.ncsu.edu
Cleaning up challenges
Attempting to renew cert (arena.csc.ncsu.edu) from /etc/letsencrypt/renewal/arena.csc.ncsu.edu.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/arena.csc.ncsu.edu/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/arena.csc.ncsu.edu/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)


My web server is (include version): Apache 2.4.34

The operating system my web server runs on is (include version): Mac OS X, 10.14.5

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.35.1

I already read several posts online but still cannot figure out how to resolve this. The .well-known folder does not exist under my web document root. I created one under the web document root and tried to create a test file under .well-known/acme-challenge. I don’t have trouble getting access to the test file via: http://arena.csc.ncsu.edu/.well-known/acme-challenge/oWiXYcfl1Rb.

Can someone guide me to solve this problem? Thank you! I got this issue after updating the Mac OS system.

1 Like

Hi @zebrarabbit

if you have such an error and if you use the apache authenticator: That authenticator adds a temporary location definition, there is access required.

But your test file works and your configuration is good ( https://check-your-website.server-daten.de/?q=arena.csc.ncsu.edu ):

Domainname Http-Status redirect Sec. G
http://arena.csc.ncsu.edu/ 200 0.426 H
https://arena.csc.ncsu.edu/ 200 4.570 B
http://arena.csc.ncsu.edu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.424 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

Port 80 is open, there is the expected http status 404 - Not Found.

So use the webroot you have already found. The directory with the subdirectory /.well-known.

certbot run -a webroot -i apache -w yourWebRoot -d arena.csc.ncsu.edu
1 Like

Hi @JuergenAuer, thank you for the quick response! The command you suggested works well. I have renewed successfully. Thank you so much!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.