Invalid Response 403 from acme-challenge

My domain is:
colbyjack.xyz

I ran this command:
sudo certbot --apache -v

It produced this output:

super@nova:~$ sudo certbot --apache -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: colbyjack.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Requesting a certificate for colbyjack.xyz
Performing the following challenges:
http-01 challenge for colbyjack.xyz
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain colbyjack.xyz
http-01 challenge for colbyjack.xyz

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: colbyjack.xyz
  Type:   unauthorized
  Detail: 91.195.240.19: Invalid response from http://www.colbyjack.xyz/.well-known/acme-challenge/68jh2fTGK5jQTskd8o1WBc4xzUKRuDDNgM5W75A2ga4: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache/2.4.58 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 24.04 LTS x86_64

My hosting provider, if applicable, is:
Self-Hosting

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.11.0 (snap package)

Hello @muffinjets,

Your www is a CNAME to a Namecheap parking page, which is what is failing above.

Edit: Note the redirect to www

$ curl -Ii http://colbyjack.xyz/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Date: Sun, 18 Aug 2024 23:29:36 GMT
Connection: keep-alive
Location: http://www.colbyjack.xyz/.well-known/acme-challenge/sometestfile
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
2 Likes

@muffinjets Just adding to what Bruce notes ...

Your DNS is using the NameCheap URL redirect service. Please disable that and set your DNS A record to the public IP of your Apache server. Also set an AAAA record if you support IPv6.

3 Likes

And you can find your server’s public IP Addresses using

curl -4 ifconfig.me
curl -6 ifconfig.me

and/or

curl -4 ifconfig.co
curl -6 ifconfig.co

and/or

curl -4 ifconfig.io
curl -6 ifconfig.io
1 Like

So, I looked back over my original message's prompts and I realize I accidentally lied because I misunderstood the question; I'm admittedly an absolute beginner at this kind of project.

In terms of "Are you working out of a control panel?", the answer is yes. I obviously got the domain from Namecheap, but am not intending to use the tools provided there. Not knowing that Namecheap has a dynamic DNS service, I set up my DDNS through Dynu, so I do have and intend to use the tools there.

In response to Bruce, I cleared out the CNAME record as well as the URL redirect settings on Namecheap's side, and then added the A and AAAA (IPv4/IPv6) records in the Dynu control panel. Now when I attempt to run sudo certbot --apache -v:

super@nova:~$
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: colbyjack.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Requesting a certificate for colbyjack.xyz
Performing the following challenges:
http-01 challenge for colbyjack.xyz
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain colbyjack.xyz
http-01 challenge for colbyjack.xyz

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: colbyjack.xyz
  Type:   dns
  Detail: no valid A records found for colbyjack.xyz; no valid AAAA records found for colbyjack.xyz

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
1 Like

Hi @muffinjets,

Presently there are no IP Addresses for the domain name.

Edit: unboundtest shows no IPv4 address for either www.colbyjack.xyz or colbyjack.xyz

Query results for A Www.colbyjack.xyz

Response:
;; opcode: QUERY, status: NXDOMAIN, id: 7661
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;Www.colbyjack.xyz.	IN	 A

;; AUTHORITY SECTION:
colbyjack.xyz.	0	IN	SOA	dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1724029140 43200 3600 604800 3601

----- Unbound logs -----

Query results for A colbyjack.xyz

Response:
;; opcode: QUERY, status: NOERROR, id: 14675
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;colbyjack.xyz.	IN	 A

;; AUTHORITY SECTION:
colbyjack.xyz.	0	IN	SOA	dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1724029140 43200 3600 604800 3601

----- Unbound logs -----

Edit: These are the authoritative name servers:

$ nslookup -q=ns colbyjack.xyz dns1.registrar-servers.com.
Server:         dns1.registrar-servers.com.
Address:        156.154.132.200#53

colbyjack.xyz   nameserver = dns1.registrar-servers.com.
colbyjack.xyz   nameserver = dns2.registrar-servers.com.
1 Like

You also need to set the NS records at your registrar (NameCheap) to be the ones for Dynu. Their docs are not the clearest for using custom domain names but you should review this page. Contact their support if you need more help setting that up.

The key part of that page is

To avail yourself of our dynamic DNS service, you must list one or more Dynu name servers for your domain name. If you registered your domain name (yourdomain.com) with Dynu, Dynu name servers are already listed for your domain name. If your domain is with some other registrar, you need to change the name servers at your current registrar.

2 Likes

Sorry, I don't think I quite understand. I understand that I need to add name server listings on namecheap's side to connect to Dynu, and I believe I'm looking at the correct option to input the name server, but I can't find a clear answer elsewhere as to what to input there.

I believe I should take the nameservers listed on Dynu's end:
(I'd include a picture of Dynu's nameserver records here but I'm still a new user)

And list a few of them on Namecheap's end:

(previously, this was filled with "Namecheap BasicDNS" in the dropdown with no addresses listed)

But clearly I'm still doing something wrong here:

super@nova:~$ ping colbyjack.xyz
ping: colbyjack.xyz: No address associated with hostname

For clarity's sake, I do believe the A/AAAA records are set correctly, as these were set automatically by Dynu when I signed up:

Perhaps so. Use a site like https://unboundtest.com to see what the public DNS says your A and AAAA records are. Then compare those to what you think they should be. This is not related specifically to Let's Encrypt. Anyone trying to reach your server from the public internet needs those to be correct. Any problems with this are best directed to dynu support. I see both A and AAAA record values.

Once you know those are correct you need to ensure your server processes incoming requests properly. A test site like https://letsdebug.net is excellent for that. Right now it cannot connect to your server with IPv4 (A) or IPv6 (AAAA). Check your router's NAT or port forwarding, any firewall settings on it or your server and any other network config. Make sure your ISP allows incoming connections on port 80. Again, this affects anyone trying to connect to you not just Let's Encrypt. For the HTTP Challenge you need to reply to HTTP (port 80) requests properly.

It is best to test from the public internet rather than from a device on your local network. If you must, use a mobile phone with Wi-Fi disabled so that it uses the carrier network. Or, use Let's Debug until you get an "OK" result.

4 Likes
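The two failures in this thread are the classic HTTP-01 dead ends: first a registrar URL-forwarding service answers the probe with a 302 to www (Bruce's curl above), then, after the redirect is removed, the name has no A/AAAA records at all (the unboundtest output). The script below is an added example, not code from the thread, from Certbot or from Let's Encrypt. It parses captured output in the same shapes shown above (dig/unboundtest header lines and a raw HTTP header block) so it runs offline, and it carries two optional live helpers that use only the standard library: a no-follow GET of the challenge path (the equivalent of `curl -I` without `-L`) and a local-resolver lookup for A and AAAA. All sample data, including the host `example.test` and the URL path token, is constructed; the "reached origin" flag is a heuristic on the `Server` header, not a guarantee.

```python
# Added example: offline triage for HTTP-01 failures of the kinds seen in the
# thread (redirect by a URL-forwarding service; no A/AAAA records), plus two
# optional live checks. Not code from Certbot or Let's Encrypt.
import re
import socket
import urllib.error
import urllib.request

# Constructed sample: a "curl -I"-style reply from a URL-forwarding service,
# shaped like the one posted above but for a made-up host.
SAMPLE_REDIRECT_HEADERS = """HTTP/1.1 302 Found
Date: Sun, 18 Aug 2024 23:29:36 GMT
Connection: keep-alive
Location: http://www.example.test/.well-known/acme-challenge/sometestfile
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
"""

# Constructed sample: what the Apache origin itself answers for an unknown token.
SAMPLE_ORIGIN_HEADERS = """HTTP/1.1 404 Not Found
Server: Apache/2.4.58 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
"""

# Constructed samples in the dig/unboundtest header format shown in the thread.
SAMPLE_DIG_NXDOMAIN = """;; opcode: QUERY, status: NXDOMAIN, id: 7661
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
SAMPLE_DIG_EMPTY = """;; opcode: QUERY, status: NOERROR, id: 14675
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
SAMPLE_DIG_OK = """;; opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""


def dns_verdict(dig_text):
    """Classify a dig-style response: 'nxdomain', 'no-records', 'ok' or 'error:<STATUS>'."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", dig_text).group(1))
    if status == "NXDOMAIN":
        return "nxdomain"        # the name does not exist at the authoritative servers
    if status == "NOERROR" and answers == 0:
        return "no-records"      # the name exists but has no record of the queried type
    if status == "NOERROR":
        return "ok"
    return "error:" + status     # SERVFAIL, REFUSED, ...


def http_verdict(header_text):
    """Classify a raw HTTP header block returned for an acme-challenge probe."""
    lines = header_text.strip().splitlines()
    code = int(re.match(r"HTTP/\S+\s+(\d{3})", lines[0]).group(1))
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    # Heuristic: a Server header that is not our own Apache suggests the
    # request was answered by someone else (forwarder, parking page, proxy).
    reached_origin = headers.get("server", "").lower().startswith("apache")
    if 300 <= code < 400:
        kind = "redirect"          # the validator follows it; the target must serve the token
    elif code == 403:
        kind = "forbidden"         # what the CA reported in the first post
    elif code in (200, 404):
        kind = "origin-reachable"  # 404 for a test token is fine; certbot places the real one
    else:
        kind = "other"
    return {"code": code, "kind": kind, "location": headers.get("location"),
            "reached_origin": reached_origin}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib report the 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_challenge_headers(host, token="sometestfile", timeout=10):
    """Live probe: GET http://host/.well-known/acme-challenge/token, return raw headers."""
    url = "http://%s/.well-known/acme-challenge/%s" % (host, token)
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx replies still carry headers
        resp = err
    status = "HTTP/1.1 %d %s\n" % (resp.code, resp.reason)
    return status + "".join("%s: %s\n" % kv for kv in resp.headers.items())


def resolved_addresses(host):
    """Live check: A and AAAA addresses the local resolver returns for host."""
    v4, v6 = set(), set()
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
            (v4 if family == socket.AF_INET else v6).add(sockaddr[0])
    except socket.gaierror:
        pass
    return sorted(v4), sorted(v6)


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        v4, v6 = resolved_addresses(name)
        print(name, "A:", v4 or "none", "AAAA:", v6 or "none")
        if v4 or v6:
            try:
                print(http_verdict(fetch_challenge_headers(name)))
            except urllib.error.URLError as exc:
                print("no HTTP answer on port 80:", exc.reason)
```

Run it as `python3 triage.py colbyjack.xyz www.colbyjack.xyz` from a host outside your LAN, as the last reply recommends: an empty A/AAAA list reproduces the `no valid A records` error, a `redirect` verdict with `reached_origin` false reproduces the first failure, and `origin-reachable` with an Apache `Server` header is the state you want before re-running `certbot --apache`.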
