Forbidden 403 after running certbot-auto

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kingbiscuitblues.com

I ran this command:
sudo /opt/certbot/certbot-auto

It produced this output:
403 forbidden

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
ubuntu 18.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.37.1

Hi @fugee

Good news: You have created some new certificates ( https://check-your-website.server-daten.de/?q=kingbiscuitblues.com#ct-logs ):

Issuer | not before | not after | Domain names | LE-Duplicate next LE
Let’s Encrypt Authority X3 | 2019-08-14 | 2019-11-12 | *.kingbiscuitblues.com, kingbiscuitblues.com (2 entries) | duplicate nr. 1
Let’s Encrypt Authority X3 | 2019-08-13 | 2019-11-11 | bluegrasscounty.com, homerobotdepot.com, ignatzmouse.com, jazznouvel.com, kingbiscuitblues.com, mandopopnews.com, roboticadepot.com, rythmreview.com, servicemouse.com, sockpublicist.com, thekidslepthere.com, www.bluegrasscounty.com, www.homerobotdepot.com, www.ignatzmouse.com, www.jazznouvel.com, www.kingbiscuitblues.com, www.mandopopnews.com, www.roboticadepot.com, www.rythmreview.com, www.servicemouse.com, www.sockpublicist.com, www.thekidslepthere.com, www.xingfushou.com, xingfushou.com (24 entries) | duplicate nr. 2
Let’s Encrypt Authority X3 | 2019-08-13 | 2019-11-11 | bluegrasscounty.com, homerobotdepot.com, ignatzmouse.com, jazznouvel.com, kingbiscuitblues.com, mandopopnews.com, roboticadepot.com, rythmreview.com, servicemouse.com, sockpublicist.com, thekidslepthere.com, www.bluegrasscounty.com, www.homerobotdepot.com, www.ignatzmouse.com, www.jazznouvel.com, www.kingbiscuitblues.com, www.mandopopnews.com, www.roboticadepot.com, www.rythmreview.com, www.servicemouse.com, www.sockpublicist.com, www.thekidslepthere.com, www.xingfushou.com, xingfushou.com (24 entries) | duplicate nr. 1
Let’s Encrypt Authority X3 | 2019-07-19 | 2019-10-17 | bluegrasscounty.com, homerobotdepot.com, ignatzmouse.com, jazznouvel.com, kingbiscuitblues.com, mandopopnews.com, roboticadepot.com, rythmreview.com, servicemouse.com, sockpublicist.com, thekidslepthere.com, www.bluegrasscounty.com, www.homerobotdepot.com, www.ignatzmouse.com, www.jazznouvel.com, www.kingbiscuitblues.com, www.mandopopnews.com, www.roboticadepot.com, www.rythmreview.com, www.servicemouse.com, www.sockpublicist.com, www.thekidslepthere.com, www.xingfushou.com, xingfushou.com (24 entries) |

But that’s curious: one certificate with 24 domain names, one wildcard certificate.

You use the certificate with 24 domain names:

CN=bluegrasscounty.com
not before: 14.08.2019
not after: 12.11.2019
expires in 90 days
bluegrasscounty.com, homerobotdepot.com, ignatzmouse.com, jazznouvel.com, kingbiscuitblues.com, mandopopnews.com, roboticadepot.com, rythmreview.com, servicemouse.com, sockpublicist.com, thekidslepthere.com, www.bluegrasscounty.com, www.homerobotdepot.com, www.ignatzmouse.com, www.jazznouvel.com, www.kingbiscuitblues.com, www.mandopopnews.com, www.roboticadepot.com, www.rythmreview.com, www.servicemouse.com, www.sockpublicist.com, www.thekidslepthere.com, www.xingfushou.com, xingfushou.com - 24 entries

But bad news: there really is an http status 403:

Domainname | IP | Http-Status | redirect | Sec. | G
http://kingbiscuitblues.com/ | 70.23.17.48 | 301 | https://kingbiscuitblues.com/ | 0.246 | A
http://www.kingbiscuitblues.com/ | 70.23.17.48 | 301 | https://www.kingbiscuitblues.com/ | 0.247 | A
https://kingbiscuitblues.com/ | 70.23.17.48 | 403 Forbidden | | 3.990 | M
https://www.kingbiscuitblues.com/ | 70.23.17.48 | 403 Forbidden | | 3.804 | M

Looks like certbot has created a new vHost.

What does

nginx -T

say?

Perhaps you have two vHosts. One old, working. One new, now with the wrong root without permissions.

Perhaps change the root of your vHost.
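A quick way to apply this check to the output of nginx -T, added here as an example and not part of the thread: list every server block with its listen, server_name and root, then flag names that are claimed by more than one block on the same listen spec. The config text below is constructed for illustration; the root paths and the third, duplicate block are assumptions, not the poster's real configuration. On a live box you would pipe `sudo nginx -T` into summarize_vhosts instead.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the server blocks in
# `nginx -T` output so duplicate vHosts and their roots stand out.
# Constructed sample config; paths and the duplicate third block are assumptions.
SAMPLE_CONF='
server {
    listen 80;
    server_name kingbiscuitblues.com www.kingbiscuitblues.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name kingbiscuitblues.com www.kingbiscuitblues.com;
    root /var/www/html;
    ssl_certificate /etc/letsencrypt/live/kingbiscuitblues.com/fullchain.pem;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 443 ssl;
    server_name kingbiscuitblues.com;
    root /srv/rails/kingbiscuitblues/public;
}
'

# One tab-separated line per server block: listen <TAB> server_name <TAB> root
# ("-" when a directive is missing, e.g. a redirect-only block has no root).
# Brace depth is tracked so directives inside nested location {} blocks are ignored.
summarize_vhosts() {
    awk '
    function value(line, key) {
        sub("^[ \t]*" key "[ \t]+", "", line); sub(/;.*$/, "", line); return line
    }
    !inblk && /^[ \t]*server[ \t]*[{]/ { inblk = 1; depth = 0; listen = "-"; name = "-"; root = "-" }
    inblk {
        if (depth == 1 && $0 ~ /^[ \t]*listen[ \t]/)      listen = value($0, "listen")
        if (depth == 1 && $0 ~ /^[ \t]*server_name[ \t]/) name   = value($0, "server_name")
        if (depth == 1 && $0 ~ /^[ \t]*root[ \t]/)        root   = value($0, "root")
        depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
        if (depth == 0) { inblk = 0; printf "%s\t%s\t%s\n", listen, name, root }
    }
    '
}

# Print "listen/server_name" for every name claimed by more than one block on
# the same listen spec: the "two vHosts, one with the wrong root" situation.
find_duplicate_vhosts() {
    summarize_vhosts | awk -F'\t' '
    { n = split($2, names, " "); for (i = 1; i <= n; i++) count[$1 "/" names[i]]++ }
    END { for (k in count) if (count[k] > 1) print k }
    ' | sort
}

printf '%s\n' "$SAMPLE_CONF" | summarize_vhosts
printf '%s\n' "$SAMPLE_CONF" | find_duplicate_vhosts
```

With the constructed config, the third block shares listen 443 and the name kingbiscuitblues.com with the second one, so the duplicate report names that pair; which of the two nginx actually picks, and whether its root is readable by the nginx worker user, is what to check next.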

What do you mean by 2 vHosts? Do you mean in my one nginx.conf file? They’re all vhosts. sudo nginx -T reports that my nginx.conf is valid.

I thought I was allowed to have 2: one for http, which will redirect, one for ssl.

Please share the output of nginx -T.

Google lists a lot of content of your domain. Is this your content? If yes, you should fix the 403. Or are you a new domain owner?

It’s my content. Shouldn’t I be able to use certbot-auto? Why should I have to do it manually for each domain?

Could you indicate the complete certbot-auto command that you’re running here on the server?

sudo /opt/certbot/certbot-auto

How can running a certbot command result in 403 forbidden? It doesn’t make sense for me to look at permissions when it was returning an expired certificate before running certbot.

It’s not certbot, it’s your wrongly configured webserver.

My website’s directories should be owned by whom (for nginx)?

What was the exact and full error message you got?

No such file or directory

Can you paste the command you ran and its complete output?

Certbot invites a bot from the Let’s Encrypt CA to check the proof that it’s created that you control the domain. The bot will connect to your web service. If it encounters an error, like a 403, it will tell Certbot about the error and then Certbot will tell you.

Certbot is in that case just reporting what an external bot saw when it tried to connect in order to validate your control over the domain.

It seems the problem is nginx doesn’t understand I’m serving a Ruby On Rails application because it’s looking for resource paths under public