Error 403 using --expand


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.gesundetiere.de

I ran this command:
certbot-auto --expand -d tierfundus.de,www.tierfundus.de,gesundetiere.de,www.gesundetiere.de

It produced this output:

terminal:
Domain: www.gesundetiere.de
Type: unauthorized
Detail: Invalid response from . . .
http://www.gesundetiere.de/

letsencrypt.log:

  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized", . . .
   "detail": "Invalid response from http://www.gesundetiere.de
    "status": 403

My web server is (include version): Apache/2.4.7 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu 14.04

My hosting provider, if applicable, is: ionos.de

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.30.2

Hello,
I have been using a let’s encrypt certificate for the domains tierfundus.de and www.tierfundus.de for years. Now you want to add the domains gesundetiere.de and www.gesundetiere.de.
I try to accomplish this by using --expand as shown above.
For both new domains, error 403 occurs.

Many thanks in advance for any advice.


#2

Which authenticator is Certbot using for this certificate?

This detail is included in the full output of Certbot.


#3

I cannot find anything like authenticator in the letsencrypt.log.
Is that anywhere else or how can I find what you are looking for?


#4

It should be there, somewhere at the top when the command is run.

You can also paste it here, preferably through sites such as pastebin.


#5

In the meantime I found what you mean:
DEBUG:certbot.plugins.selection:Requested authenticator None and installer None

And here you find the complete log:
https://pastebin.com/z7Rb8wvC


#6

Hi @khg

do these domains (later) have different content? Or do they all have the same webroot in your webserver configuration?

You have old certificates from 2016-07-17, so perhaps you have used the deprecated tls-sni-validation.

Checking /.well-known/acme-challenge/random-filename, your gesundetiere.de returns a good HTTP status 404, your tierfundus.de returns a forbidden.

So check your Apache to find your “DocumentRoot”. But before running the next command it’s important to know if all domains have the same DocumentRoot.


#7

They have different DocumentRoots:

    DocumentRoot /var/www/wordpress
    ServerName www.gesundetiere.de
    ServerAlias gesundetiere.de

www.tierfundus.de is connected to a Java EE application:

    ServerName www.tierfundus.de
    #ServerAlias tierfundus.de

    DocumentRoot /var/www/tierfundus

    JkMount /* ajp13_worker

#8

Oh, is it really a good idea to create one certificate with both domain names?

Use your current certificate with gesundetiere.de and create a second certificate with the new domain name.


#9

OK, I didn’t expect problems with one certificate. But I will now create a second one.

Thank you


#10

PS: tierfundus.de already has a Let's Encrypt certificate:

CN=tierfundus.de
	20.01.2019
	20.04.2019
	tierfundus.de, www.tierfundus.de - 2 entries

But now your other domain has the wrong certificate.

One or two hours earlier I saw another thing - tierfundus was blocked, gesundetiere worked.

Does your Java app use the same webroot?


#11

Apache’s mod_jk uses a custom network transport to talk to the Java application.

OP would need to use --apache authenticator to make it work, but even then I’m not sure how compatible it is with mod_jk.


#12

tierfundus.de and gesundetiere.de point to totally different sites (WordPress and Java EE).
Therefore, I agree with you, it is better to create two different certificates.
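The two checks discussed in #6 (what /.well-known/acme-challenge/ returns for each domain) and #11 (mod_jk's JkMount /* routing every request, including the challenge path, to the Java backend) can be reproduced locally with a webroot pre-check before asking the CA to validate. This is an added example, not code from the thread or from Certbot: it drops a random token into a given webroot, fetches it the way an HTTP-01 validator would, and classifies the result; serve_dir is an assumed helper that serves a directory on 127.0.0.1 so the script runs offline.

```python
import http.server
import os
import secrets
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"


def precheck_http01(webroot, base_url, timeout=5):
    """Write a random token under <webroot>/.well-known/acme-challenge/,
    fetch it over plain HTTP like an ACME validator, return (verdict, status)."""
    token = secrets.token_urlsafe(32)          # constructed, URL- and filename-safe
    body = secrets.token_urlsafe(32)
    target_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "w") as f:
        f.write(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        req = urllib.request.Request(url, headers={"User-Agent": "acme-precheck"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, served = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:      # 403/404/5xx arrive here
        status, served = e.code, None
    except urllib.error.URLError:            # DNS failure, refused connection
        return "unreachable", None
    finally:
        os.remove(path)                      # never leave tokens behind
    if status == 200 and served == body:
        return "ok", status                  # this webroot is what the world sees
    if status == 200:
        return "wrong-content", status       # another vhost or app answered instead
    if status == 403:
        return "forbidden", status           # permissions, or everything routed to a backend
    if status == 404:
        return "not-found", status           # a webroot is served, but not this one
    return "other", status


def serve_dir(directory):
    """Assumed helper: throwaway HTTP server on a free local port; returns (server, base_url)."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"
```

Against a real host, call precheck_http01 with the vhost's DocumentRoot and http://<domain>; a "not-found" for one domain and "ok" for another means the two names resolve to different webroots, which is why a single --expand run that assumes one webroot cannot satisfy both.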