Http-01 challenge fails because of 403 error, but path is accessible via browser

My domain is: geroceramica.com / www.geroceramica.com

I ran this command:
/usr/local/bin/certbot-auto --apache --apache-server-root /opt/apache --apache-ctl /opt/apache/bin/apachectl --apache-challenge-location /opt/apache/conf/

It produced this output:

The following errors were reported by the server:

   Domain: geroceramica.com
   Type:   unauthorized
   Detail: Invalid response from
   http://geroceramica.com/.well-known/acme-challenge/KLcYpSAq3YwWpmn9gE4k57z6cp0U9IcIuX-43WGemCw
   [138.36.237.7]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: www.geroceramica.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.geroceramica.com/.well-known/acme-challenge/e2ufXQKram0HVRoGwuWTlDAZ6u9olC8PznVNpkPnbHE
   [138.36.237.7]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache/2.4.39

The operating system my web server runs on is (include version): CentOS 6.10 (Final)

My hosting provider, if applicable, is: DonWeb

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.3.0

As you can see, this server doesn’t have a standard setup when it comes to Apache paths, so my best guess is that it’s related to that (but to be honest, at this point I’m not sure).

I’ve tried checking if the verification URL is accessible, and to my surprise, it is (I left a test file at https://geroceramica.com/.well-known/acme-challenge/index.html and https://geroceramica.com/.well-known/acme-challenge/test) so I’m not sure what is causing the verification error.

I’m not sure if it makes a difference, but currently there’s another SSL certificate installed from another vendor which is about to expire and that’s why I’m looking to install a Let’s Encrypt certificate.

Any help on the matter would be appreciated. Please let me know if there’s anything else (such as Apache config files or the Let’s Encrypt log) I can provide.

Thanks in advance!


Hi @iasueiro

if you use --apache, there is a location definition added. And you see:

http is checked, not https.

So if you have a working test file, switch to --webroot and use the root of your /.well-known/acme-challenge subdirectory.

Non-standard configuration -> webroot should work.


Thanks @JuergenAuer ! It was my understanding that the verification process followed redirects (the 403 error also confused me, since the response I was expecting was either the followed redirect or a 301 header).

I ran the command without the apache flags and using webroot instead and the certificates were issued without problem.


That’s correct.

But if you use --apache or --nginx, your port 80 config is changed, so /.well-known/acme-challenge/random-filename uses another directory or the content is created on the fly.

That may work. But with a non-standard configuration, that may be the problem.

So the error message shows that Letsencrypt sees a http answer -> no redirect.

--webroot ignores the config and doesn’t require config changes on the fly.

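A pre-flight check for the advice in both of @JuergenAuer's replies, added here as an example (not code from the thread or from certbot): it drops a test token under the webroot the way --webroot would, requests it over plain http on port 80 without following redirects, and classifies the reply the way a certbot run would report it. The host example.com, the webroot /var/www/html and the sample 403 body are assumed values.

```python
import http.client
import secrets
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot):
    """Write a random test file under the webroot, as --webroot would.
    (A live challenge file holds token.<account-thumbprint>; for a
    reachability check the token alone is enough.)"""
    token = secrets.token_urlsafe(32)
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    return token, str(path)

def fetch_plain_http(host, token, timeout=10.0):
    """GET the path over plain http on port 80, which is what the ACME
    validator requests first. http.client never follows redirects, so a
    301/302 is reported instead of silently followed."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read(4096).decode("utf-8", "replace")
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers, body

def classify(status, headers, body, token):
    """Map the port-80 reply to the outcome certbot would report."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200 and body.strip() == token:
        return "ok: token served over plain http"
    if status in (301, 302, 307, 308):
        target = hdrs.get("location", "?")
        return f"redirect to {target}: the validator follows it, so that target must serve the token"
    if status == 403:
        return "forbidden: the port-80 vhost rejects this path (the case in this thread)"
    if status == 404:
        return "not found: the port-80 vhost serves the path from another directory"
    if status == 200:
        return "mismatch: port 80 serves other content for this path"
    return f"unexpected status {status}"

if __name__ == "__main__":
    # Assumed values; replace with your own host name and DocumentRoot.
    token, path = place_token("/var/www/html")
    print("placed", path)
    print(classify(*fetch_plain_http("example.com", token), token))
```

Run it as root on the web server before invoking certbot; a "forbidden" or "not found" result means the port-80 vhost, not DNS, is what needs fixing.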

Got it. Thanks for your help!

