Invalid response 403

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
wx.schamschula.com, solar.schamschula.com, test.schamschula.com

I ran this command:
sudo certbot renew --dry-run

It produced this output:


Processing /usr/local/etc/letsencrypt/renewal/temp3.conf


Simulating renewal of an existing certificate for solar.schamschula.com and 2 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: solar.schamschula.com
Type: unauthorized
Detail: 173.26.107.252: Invalid response from http://solar.schamschula.com/.well-known/acme-challenge/qx-76It5n3HJ1u7PYkHAAGcXU_nTd8i1PM20XxU9Gf4: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate temp3 with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/usr/local/etc/letsencrypt/live/temp3/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Name : apache24
Version : 2.4.54

The operating system my web server runs on is (include version):
FreeBSD mars 13.1-RELEASE-p2 FreeBSD 13.1-RELEASE-p2 GENERIC amd64

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.29.0

Note: test.schamschula.com was added to work around a renewal problem. I would like to get rid of it along with solar.schamschula.com (which I haven't actively used in several years). The only cert that should remain is wx.schamschula.com.

1 Like

Note: the problem with solar.schamschula.com likely is that it is a proxy to my inverter. I cannot keep editing vhosts.conf every time I need to renew my certs, or have alternate vhosts.conf files to switch between. Hence, it is best to do away with it.

1 Like

I was able to update the one domain that I want to keep using:

sudo certbot certonly -d wx.schamschula.com

Now how do I get rid of the unwanted ones so that the auto renew script doesn't keep trying to update them?

1 Like

It looks like this created a new renewal wx.schamschula.com.conf file. I moved out the old temp3.conf file. Hopefully, that fixes future renewals. I'll have to revisit the renewal script, as the new system uses the apache plugin, rather than the standalone web server I've used in the past.

1 Like

First run certbot certificates
That will show you all your certificates.
Double check the names of the certs you want to delete. There should be a cert for each of solar.schamschula.com and test.schamschula.com you want deleted (as well as the one you want to keep).
Run certbot delete --cert-name solar.schamschula.com --cert-name test.schamschula.com

Restart your server and you're all set.

5 Likes
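
An added example, not part of the thread and not Certbot's own code: a check to run before deleting, which reads `certbot certificates` output, names every certificate that lists an unwanted domain (the name can differ from the domains, as with temp3 above), and fails if the domain to keep is not covered by another certificate. The function names `plan_delete` and `sample_output` are hypothetical, and the sample listing is constructed in the layout that command prints.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample in the layout printed by `certbot certificates`:
# the old three-name lineage from the thread plus the new single-name one.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: temp3
    Domains: solar.schamschula.com test.schamschula.com wx.schamschula.com
    Certificate Path: /usr/local/etc/letsencrypt/live/temp3/fullchain.pem
  Certificate Name: wx.schamschula.com
    Domains: wx.schamschula.com
    Certificate Path: /usr/local/etc/letsencrypt/live/wx.schamschula.com/fullchain.pem
EOF
}

# usage: certbot certificates | plan_delete KEEP_DOMAIN UNWANTED_DOMAIN...
# Prints the name of every certificate that lists an unwanted domain.
# Returns 1 if no other certificate lists KEEP_DOMAIN, i.e. deleting the
# printed certificates would leave that name without a certificate.
plan_delete() {
    keep=$1; shift
    awk -v keep="$keep" -v unwanted="$*" '
        BEGIN { n = split(unwanted, u, " "); for (i = 1; i <= n; i++) bad[u[i]] = 1 }
        /^[[:space:]]*Certificate Name:/ { name = $NF }
        /^[[:space:]]*Domains:/ {
            hit = 0; has_keep = 0
            for (i = 2; i <= NF; i++) {
                if ($i in bad) hit = 1
                if ($i == keep) has_keep = 1
            }
            if (hit) print name
            else if (has_keep) covered = 1
        }
        END { exit (covered ? 0 : 1) }'
}

# Demo on the constructed sample: prints "temp3", exit status 0.
sample_output | plan_delete wx.schamschula.com solar.schamschula.com test.schamschula.com
```

The printed names are the values that `--cert-name` expects; a non-zero exit status means a replacement certificate for the kept domain should be issued first.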

Thanks for the hint. certbot certificates only shows the desired certificate. I had to edit http-vhost.conf to update the certificate paths and do service apache24 restart.

2 Likes