Error 403 - forbidden after adding letsencrypt

Help
1

Hi, I made my first deployment recently with an ec2 instance and wanted to make the website https, I decided to use let'sEncrypt for the ssl certificates but after running the command to make the keys, I'm now getting a 403 forbidden error, my logs show that I don't have access to my files anymore even though I have full permissions on every folder.

Here is my nginx.conf :

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    client_max_body_size 8M;

    # HTTP server block to redirect all HTTP traffic to HTTPS
    server {
        listen 80;
        server_name lydiapp.site www.lydiapp.site;

        # Redirect all HTTP traffic to HTTPS
        return 301 https://$host$request_uri;
    }

    # HTTPS server block to serve your website over HTTPS
    server {
        listen 443 ssl;
        server_name lydiapp.site www.lydiapp.site;

        ssl_certificate /etc/letsencrypt/live/lydiapp.site/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/lydiapp.site/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        # Your website's root directory
        root /var/www/Lydiapp/;
	index index.html index.htm index.nginx-debian.html;

        # Additional configuration for serving your website's content
        # ...

        # Error pages
        error_page 404 /404.html;
        location = /404.html {
            root /usr/share/nginx/html;
            internal;
        }
    }
}

I believe the problem could come from the nginx.conf file, does anyone know what I should change in order to fix the 403 error ?

My domain is: lydiapp.site

I ran this command: sudo certbot --nginx -d lydiapp.site -d www.lydiapp.site

It produced this output: HTTPS block in the .conf file

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

2

Hi @Hautzii, and welcome to the LE community forum :slight_smile:

You are not showing enough information to be certain about what is going wrong.
Please answer all the questions provided when you open a HELP topic:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes
3

The site seems secure:
SSL Server Test: www.lydiapp.site (Powered by Qualys SSL Labs)

The HTTP vhost redirects all to HTTPS.
HTTPS uses:

Is that the correct root for your site content?

3 Likes
4

Yes, I didn't change the root before using let'sEncrypt and it worked perfectly

5

Since you haven't answered any of the questions...
Show us:

nginx -T

And maybe we can fix was it broken therein - NOT because certbot broke anything in your config.
The nignx config is likely too strict with HTTPS access.
All that certbot may have done is redirect HTTP to HTTPS.

1 Like
6

I did answer your questions, I edited the first post, here is the nginx -T :

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    client_max_body_size 8M;

    # HTTP server block to redirect all HTTP traffic to HTTPS
    server {
        listen 80;
        server_name lydiapp.site www.lydiapp.site;

        # Redirect all HTTP traffic to HTTPS
        return 301 https://$host$request_uri;
    }

    # HTTPS server block to serve your website over HTTPS
    server {
        listen 443 ssl;
        server_name lydiapp.site www.lydiapp.site;

        ssl_certificate /etc/letsencrypt/live/lydiapp.site/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/lydiapp.site/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        # Your website's root directory
        root /var/www/Lydiapp/;
	index index.html index.htm index.nginx-debian.html;

        # Additional configuration for serving your website's content
        # ...

        # Error pages
        error_page 404 /404.html;
        location = /404.html {
            root /usr/share/nginx/html;
            internal;
        }
    }
}


# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/Lydiapp:
server {
    listen 80;
    listen [::]:80;
    server_name localhost;
    root /var/www/Lydiapp/public;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    index index.php;
    charset utf-8;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }
    error_page 404 /index.php;
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
7

I wasn't aware of your edit.
Let me review that now.

1 Like
8

Is there anything actually in there that isn't being shown?

Also, this could use an update:

1 Like
9

No, nothing in there, I ended up removing it. Will update certbot.
Just tried to update it and I'm getting this message :
certbot is already the newest version (1.21.0-1build1).

10

You may need to replace that version with the snap version to get to the latest version.
See installation instructions:
Certbot (eff.org)

1 Like
11

It worked fine when I first installed it but it replaced my whole site with the welcome to nginx page, it broke when I tried to put my website instead of that welcome page

12

ran sudo snap install --classic certbot and I'm still on version 1.21.0

13

Try replacing this section as:

    server {
        listen 80;
        server_name lydiapp.site www.lydiapp.site;
        root /var/www/Lydiapp/;
    }
1 Like
14

Then you have two versions installed.
Don't skip the "remove the current version" step.

1 Like
15

What is the start file and location of your site?

1 Like
17

It didn't prompt me whether I wanted to remove the current version or not, it just installed itself

18

That would be index,php located in the public folder, although changing the path to /var/www/Lydiapp/public doesn't change anything

19

What shows?:
ls -l /var/www/Lydiapp/
ls -l /var/www/Lydiapp/public/
find / -name public
find / -name index.php

1 Like
20 
ls -l /var/www/Lydiapp :

-rwxr-xr-x   1 www-data www-data   4109 Apr 25 13:18 README.md
drwxr-xr-x   6 www-data www-data   4096 Apr 25 13:19 app
-rwxr-xr-x   1 www-data www-data    350 Apr 25 12:08 artisan
drwxr-xr-x   3 www-data www-data   4096 Apr 25 13:18 bootstrap
-rwxr-xr-x   1 www-data www-data  68949 Apr 25 12:08 bun.lockb
-rwxr-xr-x   1 www-data www-data   2043 Apr 25 13:18 composer.json
-rwxr-xr-x   1 www-data www-data 332184 Apr 25 13:18 composer.lock
drwxr-xr-x   2 www-data www-data   4096 Apr 25 13:18 config
drwxr-xr-x   5 www-data www-data   4096 Apr 25 13:19 database
drwxr-xr-x 127 www-data www-data   4096 Apr 28 20:57 node_modules
-rwxr-xr-x   1 www-data www-data  97668 Apr 28 20:57 package-lock.json
-rwxr-xr-x   1 www-data www-data    412 Apr 25 13:18 package.json
-rwxr-xr-x   1 www-data www-data   1191 Apr 25 13:18 phpunit.xml
-rwxr-xr-x   1 www-data www-data     93 Apr 25 13:18 postcss.config.js
drwxr-xr-x   6 www-data www-data   4096 Apr 25 13:19 public
drwxr-xr-x   5 www-data www-data   4096 Apr 25 13:19 resources
drwxr-xr-x   2 www-data www-data   4096 Apr 25 13:19 routes
drwxr-xr-x   5 www-data www-data   4096 Apr 25 13:19 storage
-rwxr-xr-x   1 www-data www-data    541 Apr 25 13:18 tailwind.config.js
drwxr-xr-x   4 www-data www-data   4096 Apr 25 13:19 tests
drwxr-xr-x  47 www-data www-data   4096 Apr 25 12:18 vendor
-rwxr-xr-x   1 www-data www-data    310 Apr 25 13:18 vite.config.js

ls -l var/www/Lydiapp/public

drwxr-xr-x 3 www-data www-data   4096 Apr 29 08:21 build
drwxr-xr-x 2 www-data www-data   4096 Apr 29 08:21 css
-rwxr-xr-x 1 www-data www-data      0 Apr 25 13:18 favicon.ico
-rwxr-xr-x 1 www-data www-data    468 Apr 25 13:18 index.php
-rwxr-xr-x 1 www-data www-data     24 Apr 25 13:18 robots.txt
-rwxr-xr-x 1 www-data www-data  30990 Apr 25 13:18 sasucat.ico
-rwxr-xr-x 1 www-data www-data 100760 Apr 25 13:18 sasucat.png
drwxr-xr-x 2 www-data www-data   4096 Apr 25 13:18 svg
drwxr-xr-x 2 www-data www-data   4096 Apr 25 14:03 uploads

find / -name public

/var/www/Lydiapp/storage/app/public
/var/www/Lydiapp/node_modules/tailwindcss/src/public
/var/www/Lydiapp/node_modules/tailwindcss/lib/public
/var/www/Lydiapp/public

find / -name index.php 

/var/www/Lydiapp/public/index.php
21

I think the HTTP vhost change now shows HTTP access is not a problem.
I now see:

image
image478×614 28.8 KB

[and that it is using the correct root]

1 Like