Certbot renewal was working, and now fails with 403

I had letsencrypt installed, and it had been renewing certificates for quite some time, but it has now stopped renewing with a 403 error. I rebooted the server as a check; I'm not sure what has changed or how to troubleshoot from here.

My domain is: messageboard.tapeop.com

I ran this command:
certbot renew

It produced this output:
Renewing an existing certificate for messageboard.tapeop.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: messageboard.tapeop.com
Type: unauthorized
Detail: 172.232.175.80: Invalid response from http://messageboard.tapeop.com/.well-known/acme-challenge/mhntrGzCF7BiyY8LBEswc_XaR6TFE2-3qqcmkxOv4Pc: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate messageboard.tapeop.com with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/messageboard.tapeop.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Here are the contents of the renewal conf file:
more /etc/letsencrypt/renewal/messageboard.tapeop.com.conf

renew_before_expiry = 30 days

version = 1.21.0
archive_dir = /etc/letsencrypt/archive/messageboard.tapeop.com
cert = /etc/letsencrypt/live/messageboard.tapeop.com/cert.pem
privkey = /etc/letsencrypt/live/messageboard.tapeop.com/privkey.pem
chain = /etc/letsencrypt/live/messageboard.tapeop.com/chain.pem
fullchain = /etc/letsencrypt/live/messageboard.tapeop.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = dee772eacb5d31638468f269b5c86027
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

My web server is (include version):
Apache/2.4.52 running phpBB
The operating system my web server runs on is (include version):
Ubuntu 22.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Hello @jonnyu, welcome to the Let's Encrypt community.

Please show the output of sudo apachectl -t -D DUMP_VHOSTS and sudo certbot certificates.


Hello, thanks for your reply, here is the output of those commands:

sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 messageboard.tapeop.com (/etc/apache2/sites-enabled/messageboard-le-ssl.conf:2)
*:80 messageboard.tapeop.com (/etc/apache2/sites-enabled/messageboard.conf:1)

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: messageboard.tapeop.com
Serial Number: 4092e1f458dd24fc7b5e1785a44c04dfad7
Key Type: RSA
Domains: messageboard.tapeop.com
Expiry Date: 2025-02-26 06:20:27+00:00 (VALID: 18 days)
Certificate Path: /etc/letsencrypt/live/messageboard.tapeop.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/messageboard.tapeop.com/privkey.pem


As I know very little about Apache, kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.


Would you post the contents of this file?


Hi Mike,

messageboard.conf:

<VirtualHost *:80>
    ServerAdmin tombmod@gmail.com
    ServerName messageboard.tapeop.com
    ServerAlias www.messageboard.tapeop.com
    DocumentRoot /var/www/messageboard
    ErrorLog ${APACHE_LOG_DIR}/mb_error.log
    CustomLog ${APACHE_LOG_DIR}/mb_access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.messageboard.tapeop.com [OR]
    RewriteCond %{SERVER_NAME} =messageboard.tapeop.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"
</VirtualHost>

My guess is the SetHandler line is causing the trouble.

Has that always been in your VirtualHost for port 80?

I am not sure why you'd need it in this VHost given you redirect everything to HTTPS anyway.

Try commenting it out and see what happens.

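As an added example that is not part of the thread, here is a small Python lint that flags a SetHandler placed directly inside a <VirtualHost>, which also catches requests for /.well-known/acme-challenge/<token> and hands the token file to php-fpm instead of serving it statically. The "fixed" sample scopes the handler to .php files with a <FilesMatch> block; that scoping is the usual Ubuntu php-fpm conf pattern and is an assumption here, not something Mike posted.

```python
"""Lint an Apache vhost for a vhost-wide SetHandler that would swallow HTTP-01 challenges."""
import re

# Constructed sample modelled on the port-80 vhost from the thread: the SetHandler
# applies to every request, including the ACME challenge token file.
WEAK_VHOST = """\
<VirtualHost *:80>
    ServerName messageboard.tapeop.com
    DocumentRoot /var/www/messageboard
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"
</VirtualHost>
"""

# Constructed sample (assumed fix): the handler only applies to .php files, so a
# token with no extension under /.well-known/acme-challenge/ is served as a static file.
FIXED_VHOST = """\
<VirtualHost *:80>
    ServerName messageboard.tapeop.com
    DocumentRoot /var/www/messageboard
    <FilesMatch "\\.php$">
        SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>
"""

OPEN_TAG = re.compile(r"^\s*<(?!/)(\w+)")      # <VirtualHost ...>, <FilesMatch ...>, ...
CLOSE_TAG = re.compile(r"^\s*</(\w+)")          # </VirtualHost>, </FilesMatch>, ...
SET_HANDLER = re.compile(r"^\s*SetHandler\s+(.+?)\s*$", re.IGNORECASE)


def vhost_wide_handlers(config_text):
    """Return (line_no, handler) for every SetHandler sitting at container depth 1,
    i.e. directly inside <VirtualHost> and not narrowed by FilesMatch/Directory/Location."""
    depth = 0
    hits = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):        # Apache comments are whole lines
            continue
        if CLOSE_TAG.match(raw):
            depth -= 1
            continue
        if OPEN_TAG.match(raw):
            depth += 1
            continue
        m = SET_HANDLER.match(raw)
        if m and depth == 1:
            hits.append((line_no, m.group(1).strip('"')))
    return hits
```

A hit on the port-80 vhost is the configuration this thread describes; either scope the handler as in FIXED_VHOST or drop it from a vhost that only redirects to HTTPS.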

Hi Mike,

Thanks so much for your help. It has always been there, but it was likely there before SSL was set up and the overall redirection was put in place.

I'm not sure what would cause it to break after a few months (possibly 6 or so), but I take the always moving forward approach.

The site was set up largely from many pieced-together tutorials, so I don't claim a lot of knowledge about Apache configuration. I'm double-checking the site functionality to make sure nothing has broken, but running certbot renew --dry-run is now successful, so Let's Encrypt is fixed, which is what I am here for.

Thanks again, both of you.

Regards

Jon

