msaus
September 17, 2019, 2:34am
1
Hello there,
I executed the following command and got the following error, so I cannot renew the certificate.
sudo letsencrypt renew --dry-run
My domain is:
“meotool.white-link.com”
“meotool-101.white-link.com”
OS: Ubuntu 18.04
Apache: 2.4.29
rg305
September 17, 2019, 3:32am
2
http://meotool.white-link.com/ forwards all traffic to https://
Neither of which seem to make any special handling for the requests to /.well-known/acme-challenge/
Please try placing a test file in the /.well-known/acme-challenge/ folder and see if it is accessible from the Internet.
[and to keep things as close as possible to the auth requests, make the test file without any extension]
[something like: http://meotool.white-link.com/.well-known/acme-challenge/test123 ]
msaus
September 17, 2019, 4:21am
3
Thank you for the quick reply.
I created test123 and it is accessible from the internet.
However, I still cannot renew the certificate.
schoen
September 17, 2019, 4:25am
4
@bmw could this be an instance of the now-fixed bug about permissions under /var?
msaus
September 17, 2019, 4:28am
5
Thanks for the suggestion.
I did already chmod 777 /myDocumentRoot/public/.well-known/acme-challenge.
But, it did not work.
msaus
September 17, 2019, 4:30am
6
Here is my conf.
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/meotool-101.white-link.com
cert = /etc/letsencrypt/live/meotool-101.white-link.com/cert.pem
privkey = /etc/letsencrypt/live/meotool-101.white-link.com/privkey.pem
chain = /etc/letsencrypt/live/meotool-101.white-link.com/chain.pem
fullchain = /etc/letsencrypt/live/meotool-101.white-link.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 201908130cd1e3b372d8519091432ba4
authenticator = webroot
webroot_path = /var/vhost/meo_free_tool/public,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
meotool.white-link.com = /var/vhost/meo_free_tool/public
meotool-101.white-link.com = /var/vhost/meo_free_tool/public
msaus
September 17, 2019, 4:35am
7
@rg305
Just wondering.
If we set a redirect like port 80 to port 443, would this be a problem for letsencrypt?
Do your web server logs explain why the 403 error is being returned?
Does it have anything that blocks certain IP addresses? Bots, hosting company ranges, “automated” clients…? Rate limiting?
I can access your site from home and from one VPS, but I too get a 403 Forbidden error from an Amazon EC2 instance.
msaus
September 17, 2019, 4:40am
9
@mnordhoff
Does letsencrypt use AWS?
I did not know about that.
Our server gets lots of access from AWS and so we decided to block all requests from them.
The Let’s Encrypt staging environment currently validates from Let’s Encrypt’s normal servers and from AWS.
The production environment currently makes requests from both, but currently does not rely on the results from AWS.
Let’s Encrypt’s policy is that they may validate from anywhere and servers need to allow any IP addresses to access /.well-known/acme-challenge/.
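One way to keep a provider-wide block while still letting validation through, as an added example that is not part of the original thread: it assumes the block is enforced in Apache 2.4 itself (the thread does not say where it is applied), and the two CIDR ranges are constructed placeholders, not real provider ranges.

```apache
# Added example, not from the thread. Assumption: the block lives in the
# Apache 2.4 configuration. 198.51.100.0/24 and 203.0.113.0/24 are
# constructed placeholder ranges standing in for the blocked address list.

# Site-wide rule: serve everyone except the blocked ranges.
<Directory "/var/vhost/meo_free_tool/public">
    <RequireAll>
        Require all granted
        Require not ip 198.51.100.0/24
        Require not ip 203.0.113.0/24
    </RequireAll>
</Directory>

# Exception for ACME HTTP-01 validation: the challenge path must answer
# requests from any source address. <Location> sections are merged after
# <Directory> sections, and with the default "AuthMerging Off" the Require
# directive here replaces the inherited block for this path only.
<Location "/.well-known/acme-challenge/">
    Require all granted
</Location>
```

Because port 80 redirects to HTTPS on this site, the exception has to be in effect for both the port 80 and port 443 virtual hosts. If the block is applied at a firewall or an upstream proxy instead, the equivalent exception has to be made there.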
msaus
September 17, 2019, 4:51am
11
Now we can renew the certificate.
Thank you very much for your help
system
Closed
October 17, 2019, 4:51am
12
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.