Getting 403 forbidden error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.livingstonpet.com

I ran this command: certbot certonly --webroot -d livingstonpet.com -d www.livingstonpet.com --email info@livingstonpet.com -w /var/www/_letsencrypt -n --agree-tos --force-renewal

It produced this output:
getting 403 error

My web server is (include version): nginx 1.26

The operating system my web server runs on is (include version): ubuntu 25.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.11

I got this command from DigitalOcean. I think I was supposed to run /var/www/magento instead of /var/www/_letsencrypt, correct?

You already have gotten multiple certificates issued for your domain very recently, including today: crt.sh | livingstonpet.com

Why are you forcibly trying to renew an existing certificate?

I keep getting the 403 error, so I am assuming the certificate is wrong.

The well-known directory is not present, by the way.

Why would you assume such a thing?

The 403 forbidden error is served by nginx and it's actually communicated from the server to the webbrowser securely with a Let's Encrypt certificate. You assumed incorrectly.

You need to look at your nginx configuration or, if it's not nginx itself, whatever is being served by nginx.

1 Like

Ok, doesn’t certbot make the well-known directory? It’s not present; that’s why I was assuming the certificate wasn’t installed correctly.

I would like to recommend you to stop and read/learn a lot more about webservers, certificates and ACME. From what you're mentioning now, and I don't mean this in a hurtful way, you don't seem to even grasp the most basic things about configuring/running a webserver.

I'm curious as to how this is working anyhow given that the webroot authenticator is being used and apparently no installer. I suppose the existing configuration could already be pointing to the symlink. Manually configured?

I concur with @Osiris that the certificate is installed properly and thus this isn't a certificate problem.

2 Likes

The current attempts to "fix" the 403 might not be the same command as initially used. Their first certificate was 5 days ago.

Wondering why they didn't hit the 5 duplicate certs per week rate limit though :thinking:

Never mind, due to a change in LE's method of timing. No longer a sliding window of 7 days, but "The ability to request new certificates for the same exact set of identifiers refills at a rate of 1 certificate every 34 hours."

1 Like

Was trying to confirm the identifiers on the issued certs, but crt.sh isn't cooperating with me. :face_with_diagonal_mouth:

https://crt.sh/?q=livingstonpet.com

2 Likes

Looks like some apex and www together and some separate.

3 Likes

Ok, thanks, I will look into my nginx settings. Thanks.

1 Like

Possibly a directory permission issue for some content.

3 Likes
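One way to test the directory-permission theory from the last reply, as an added example that is not from any poster in this thread: walk each component of the path nginx has to open and report the first one the worker user cannot pass. The tree (`www/magento/index.html`), the stand-in worker uid and the helper names are constructed for the demo; on a real host you would pass the uid and group ids of the nginx worker user (assumed to be `www-data` on Ubuntu) and the real document root.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic Unix mode check: owner bits, else group bits, else other bits."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return (st.st_mode >> shift) & want == want

def first_blocker(path, uid, gids, root=os.sep):
    """Walk from root down to path; return (component, reason) for the first
    entry that uid/gids cannot pass, or None. ACLs and uid 0 are ignored."""
    current = os.path.realpath(root)
    rel = os.path.relpath(os.path.realpath(path), current)
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode):
            if not allowed(st, uid, gids, 0o1):
                return current, "directory is missing search (x) permission"
        elif not allowed(st, uid, gids, 0o4):
            return current, "file is missing read (r) permission"
    return None

def demo():
    """Constructed tree: <tmp>/www/magento/index.html, checked three ways."""
    base = os.path.realpath(tempfile.mkdtemp())
    site = os.path.join(base, "www", "magento")
    page = os.path.join(site, "index.html")
    os.makedirs(site)
    with open(page, "w") as fh:
        fh.write("<h1>ok</h1>\n")
    os.chmod(os.path.join(base, "www"), 0o755)
    worker_uid = os.stat(base).st_uid + 1   # stand-in for the nginx worker user
    results = []
    # (directory mode, file mode): blocked dir, blocked file, then both fixed
    for dir_mode, file_mode in ((0o750, 0o644), (0o755, 0o600), (0o755, 0o644)):
        os.chmod(site, dir_mode)
        os.chmod(page, file_mode)
        results.append(first_blocker(page, worker_uid, set(), root=base))
    return site, page, results

if __name__ == "__main__":
    for outcome in demo()[2]:
        print(outcome or "worker can read the page")
```

A blocked component here corresponds to a "Permission denied" entry in the nginx error log, which is the place to confirm the cause of the 403.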
