Invalid response 403 forbidden

My domain is: clearcenter-clearshare.poweredbyclear.com

I ran this command: certbot renew --standalone --max-log-backups 200 --preferred-challenges http-01

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing
/etc/letsencrypt/renewal/clearcenter-clearshare.poweredbyclear.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for clearcenter-clearshare.poweredbyclear.com
Performing the following challenges:
http-01 challenge for clearcenter-clearshare.poweredbyclear.com
Waiting for verification...
Challenge failed for domain clearcenter-clearshare.poweredbyclear.com
http-01 challenge for clearcenter-clearshare.poweredbyclear.com
Cleaning up challenges
Failed to renew certificate clearcenter-clearshare.poweredbyclear.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/clearcenter-clearshare.poweredbyclear.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: clearcenter-clearshare.poweredbyclear.com
   Type:   unauthorized
   Detail: 209.90.117.194: Invalid response from
   http://clearcenter-clearshare.poweredbyclear.com/.well-known/acme-challenge/DN0wuv3-AlLLKmJwCInMylKh052bhL-uGbCkn6K3eOU:
   403

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): not installed

The operating system my web server runs on is (include version): ClearOS 7.9 (binary compatible with Centos 7.9)

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

There are no errors on Let's Debug

I will point out that there is no webserver installed at all but certbot is running in standalone mode so should be providing its own webserver.

Do you know why this is not working?

Welcome back @NickJH

Hmmm. Looking at your link to Let's Debug I see that an Apache server was replying with an HTTP code 403 (below). This is the same error as shown in your post.

But, if Apache was running I would have expected to see an error about the standalone server not being able to open port 80 so it could listen.

Right now I can't reach anything at that domain name, which makes sense if you have no server. Has anything changed since you posted just a few minutes ago? Are you sure the IP address 209.90.117.194 is correct for your domain?

(from the Verbose section on your Let's Debug info)

Request to: clearcenter-clearshare.poweredbyclear.com/209.90.117.194, 
Result: [Address=209.90.117.194,Address Type=IPv4,Server=Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips,HTTP Status=403], Issue:
Trace:
@0ms: Making a request to http://clearcenter-clearshare.poweredbyclear.com/.well-known/acme-challenge/letsdebug-test (using initial IP 209.90.117.194)
@0ms: Dialing 209.90.117.194
@106ms: Server response: HTTP 403 Forbidden
3 Likes
[root@clearcenter-clearshare ~]# curl ifconfig.co
209.90.117.194

There is a 'sandboxed' webserver (apache) but it is only listening on ports 81-83. netstat -npl shows nothing on port 80.

I've tried stopping the sandboxed webserver and I get the same response. I wonder if the system is behind a reverse proxy? I'll try asking some questions but the system is in Utah behind a setup that no one really knows and I am in the UK.

1 Like

That is most likely. The standalone method is harder to debug and even more so with your older certbot version. But, there is a way to test access. I was just going to post those instructions but I think checking with Utah is a good next step.

As further info, I see the Let's Debug test still replying with the Apache server header. Oddly, I get timeouts trying your domain even when using the same user-agent as the Let's Encrypt server. The user-agent is sometimes used by firewalls to block access. I am trying from an AWS region on the US East Coast. Most of the Let's Encrypt servers are also in AWS regions across the world. Perhaps there are other firewall rules blocking access or affecting the routing. Like maybe a geographic-based rule which affects the UK differently than the US?

Here is what I see, just to add to this puzzle:

curl -I -m10 http://clearcenter-clearshare.poweredbyclear.com/.well-known/acme-challenge/ForumTest123
curl: (28) Connection timed out after 10001 milliseconds

curl -I -m10 http://clearcenter-clearshare.poweredbyclear.com/.well-known/acme-challenge/ForumTest123 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (28) Connection timed out after 10000 milliseconds
3 Likes
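One way to test standalone access, along the lines the reply above alludes to, added here as example code (not from the thread and not certbot's own code): it serves a constructed token at the same path certbot --standalone would, probes it with the Let's Encrypt user-agent string quoted above, and reads the Server header to tell whether the host itself or something in front of it answered (as an Apache header with nothing listening on port 80 suggests here). The token value, the Server tag and the loopback port are assumptions; a real check binds port 80 on the public IP and is probed from outside.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
SERVER_TAG = "acme-selfcheck/0.1"  # constructed Server header that marks our own listener
TOKEN = "ForumTest123"              # constructed token; any URL-safe string will do


class TokenHandler(BaseHTTPRequestHandler):
    def version_string(self):       # value of the Server: header we send
        return SERVER_TAG

    def do_GET(self):               # answer only the challenge path, as certbot does
        if self.path != ACME_PATH + TOKEN:
            return self.send_error(404)
        body = (TOKEN + ".constructed-key-authorization").encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the console quiet
        pass

def start_server(host="127.0.0.1", port=0):
    # port 0 picks a free port for local tests; a real check binds port 80 on the public IP
    srv = HTTPServer((host, port), TokenHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(url, user_agent=LE_UA, timeout=10):
    # fetch as the validator would; returns (status, Server header, body or error detail)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Server", ""), resp.read().decode()
    except urllib.error.HTTPError as err:             # 403, 404, ...: someone answered
        return err.code, err.headers.get("Server", ""), ""
    except urllib.error.URLError as err:              # timeout, refused, DNS failure
        return 0, "", str(err.reason)

def classify(status, server_header, detail=""):
    # who answered: nobody, our own listener, or something sitting in front of the host
    if status == 0:
        return f"no answer: {detail}"
    if server_header and server_header != SERVER_TAG:
        return f"intercepted: '{server_header}' answered {status}, not this host"
    return "reachable: our own listener answered" if status == 200 else f"unexpected {status}"
```

Run it with port 80 on the host, then probe the public URL from a machine outside the network; a 403 carrying an Apache Server header while this script holds port 80 means the request never reached the host.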

Hmm, if I run tcpdump on port 80 on the server then browse to clearcenter-clearshare.poweredbyclear.com from home, nothing hits the server. I think there is something in the way.

2 Likes