Invalid response from x.x.x 403 Forbidden

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.cloud.kisioanalysis.io
    Type: unauthorized
    Detail: Invalid response from
    https://www.cloud.kisioanalysis.io/.well-known/acme-challenge/BaBmPI9ph8P3S8ysjZK9_PyZepBderuOFMEzAuW46xE
    [52.47.118.142]: "\r\n403 Forbidden\r\n\r\n403 Forbidden\r\nnginx/1.16.1</ce"

    Domain: cloud.kisioanalysis.io
    Type: unauthorized
    Detail: Invalid response from
    https://cloud.kisioanalysis.io/.well-known/acme-challenge/W7PLdaVD7epiGknmiY-eVb0Uc8LTkPsdPEldG0FK8LE
    [52.47.118.142]: "\r\n403 Forbidden\r\n\r\n403 Forbidden\r\nnginx/1.16.1</ce"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • My web server is (include version):
    nginx version: nginx/1.16.1

  • The operating system my web server runs on is (include version):
    NAME="Amazon Linux AMI"
    VERSION="2018.03"

  • My hosting provider, if applicable, is:
    amazon web services

  • I can login to a root shell on my machine (yes or no, or I don’t know):
    yes

  • I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
    no

  • The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
    certbot 1.2.0


Hello everyone,
I'm pretty new to SSL certificates and to web administration in general, and I was wondering why I cannot renew an existing certificate using the letsencrypt command. I have multiple domains where I do not have any issues renewing certificates, but this one seems to have some. I tried multiple things, such as modifying my nginx conf file, but nothing seems to work.

I'm sorry in advance if it is such a stupid and simple problem, but as I said, I'm really new to all this and still learning.
I would appreciate some support and feedback, and thank you for your time reading this.

Best regards,

1 Like

Hi @mluczak,

Did you literally type /path/to/webroot (from the documentation), or did you replace this with the real path to your own webroot?

Have you tried renewing this certificate with certbot renew instead of certbot certonly? How did you originally get the certificate before?

I see two reasons in the output to think that the command you showed us is at least slightly different from the one that you really ran on your server. 🙂

2 Likes

I will note that the response is 403, not 404, which indicates a directory/file permissions issue or nginx config parameters.

2 Likes

Hello @schoen
I replaced /path/to/webroot with the real path to my web server, which is /var/www/webserver. I should have mentioned it, sorry!
For the "renew" part, I tried the renew command as well and it displayed almost the same output. Here it is:

"certbot renew" output

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.cloud.kisioanalysis.io-0001.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.kisioanalysis.io
http-01 challenge for www.cloud.kisioanalysis.io
Using the webroot path /var/www/webserver for all unmatched domains.
Waiting for verification…
Challenge failed for domain www.cloud.kisioanalysis.io
Challenge failed for domain cloud.kisioanalysis.io
http-01 challenge for www.cloud.kisioanalysis.io
http-01 challenge for cloud.kisioanalysis.io
Cleaning up challenges
Attempting to renew cert (www.cloud.kisioanalysis.io-0001) from /etc/letsencrypt/renewal/www.cloud.kisioanalysis.io-0001.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/www.cloud.kisioanalysis.io.conf


Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/storage.py", line 465, in __init__
self._check_symlinks()
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
"expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/www.cloud.kisioanalysis.io/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/www.cloud.kisioanalysis.io.conf is broken. Skipping.


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.cloud.kisioanalysis.io-0001/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/www.cloud.kisioanalysis.io.conf (parsefail)

1 renew failure(s)

IMPORTANT NOTES:

Finally, I am not sure how we got the original certificate, since it was already there when I started working on the server, but I'm pretty sure the command I posted earlier was also the one used to get the certificate (/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/webserver -d www.cloud.kisioanalysis.io -d cloud.kisioanalysis.io).

@ZetaRevan, do you mean I am running the command under a user that does not have enough permissions on the server files/directories? I'll check the nginx conf file.

Can't thank you enough for your quick replies; it helps me a lot!

1 Like
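The CertStorageError in the traceback above is certbot refusing to use a renewal configuration whose live/ directory holds regular files instead of symlinks into archive/; the thread does not come back to that second lineage (only the -0001 one renews after the nginx fix). The script below is an added example, not code from the thread or from certbot: it checks a live/<lineage> directory for the four link names certbot keeps there (cert.pem, privkey.pem, chain.pem, fullchain.pem) and exercises the check on a constructed tree under a temporary directory, so nothing touches /etc/letsencrypt. The lineage names "good" and "bad" and the file contents are made up.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): verify that a certbot
# live/<lineage> directory contains symlinks, which is what the renewal code
# insists on ("expected .../cert.pem to be a symlink" in the traceback above).

# Return 0 if the four entries certbot keeps in live/<lineage> are all symlinks,
# 1 otherwise, naming each offending path on stderr.
check_live_links() {
    lineage_dir="$1"
    rc=0
    for name in cert.pem privkey.pem chain.pem fullchain.pem; do
        f="$lineage_dir/$name"
        if [ -L "$f" ]; then
            :                         # a symlink into archive/, as expected
        elif [ -e "$f" ]; then
            echo "$f is a regular file, not a symlink; certbot will skip this lineage" >&2
            rc=1
        else
            echo "$f is missing" >&2
            rc=1
        fi
    done
    return $rc
}

# Build a constructed /etc/letsencrypt-style tree under $1 for demonstration:
# lineage "good" mirrors certbot's layout (live/ links into archive/), lineage
# "bad" has cert.pem copied into live/ as a plain file, the state the
# traceback reports. Names and contents are made up.
make_demo() {
    base="$1"
    for lineage in good bad; do
        mkdir -p "$base/archive/$lineage" "$base/live/$lineage"
        for name in cert privkey chain fullchain; do
            echo "placeholder $name" > "$base/archive/$lineage/${name}1.pem"
            ln -s "../../archive/$lineage/${name}1.pem" "$base/live/$lineage/$name.pem"
        done
    done
    rm "$base/live/bad/cert.pem"
    cp "$base/archive/bad/cert1.pem" "$base/live/bad/cert.pem"
}

# Stand-alone run against the constructed tree; point check_live_links at
# /etc/letsencrypt/live/<name> to test a real lineage.
demo=$(mktemp -d)
make_demo "$demo"
check_live_links "$demo/live/good" && echo "good: all symlinks"
check_live_links "$demo/live/bad"  || echo "bad: needs repair"
rm -rf "$demo"
```

Run `check_live_links /etc/letsencrypt/live/www.cloud.kisioanalysis.io` on the server to see which of the four files was replaced by a copy; that is the file the traceback names, and certbot will keep reporting the lineage as "parsefail" until live/ again contains only symlinks.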

Well, it looks like the issue came from the nginx conf file. After some research, I found out that my server had issues accessing .well-known for the HTTP challenges.
For those interested, I added

location ^~ /.well-known/acme-challenge/ {
    # the usual settings
}

in the nginx sites-enabled conf file, tried to renew my cert, and it worked!
Thank you again for your support, I really appreciated it.

1 Like
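The fix above works for two reasons: the `^~` modifier makes this prefix location take precedence over any regex locations in the server block (a common one is a rule denying dotfile paths, which would otherwise match /.well-known/... and answer 403 exactly as in the error), and the block's root must be the directory certbot was given with -w, because that is where it writes the token. The script below is an added example, not code from the thread: it prints the location block with a body filled in (the thread only says "the usual settings"; the root/default_type/try_files lines are my assumption of a working body), stages a dummy token where certbot --webroot would, and checks the permission bits an unprivileged nginx worker needs along the whole path, which is the file-permission side of ZetaRevan's 403-versus-404 remark. With DOMAIN set it also fetches the token over plain HTTP like the validator; by default it only runs against a temporary webroot. The token and key-authorization strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an nginx http-01
# challenge, assuming the webroot layout certbot --webroot uses.

# The location block from the thread's fix with a body filled in (assumed).
# "^~" makes this prefix match take precedence over regex locations; without
# it, a rule such as "location ~ /\. { deny all; }" (used to hide dotfiles)
# would match /.well-known/... first and answer 403. "root" must be the same
# directory given to certbot's -w, since the token is written below it.
acme_location_snippet() {
    webroot="$1"
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $webroot;
    default_type "text/plain";
    try_files \$uri =404;
}
EOF
}

# Write a dummy token where certbot --webroot would put it, then check the
# bits an unprivileged nginx worker needs: "x" for others on every directory
# up to / and "r" for others on the file. Testing with [ -r ] as root would
# prove nothing. Returns 0 if all good, 1 plus a message on stderr otherwise.
stage_token() {
    webroot="$1"; token="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s.dummy-keyauth' "$token" > "$dir/$token"   # constructed payload
    chmod 644 "$dir/$token"
    d="$dir"
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        case "$(ls -ld "$d" | cut -c10)" in
            x|t) ;;                    # others may traverse (t = sticky + x)
            *) echo "not traversable by others: $d" >&2; return 1 ;;
        esac
        d=$(dirname "$d")
    done
    case "$(ls -ld "$dir/$token" | cut -c8)" in
        r) return 0 ;;
        *) echo "not world-readable: $dir/$token" >&2; return 1 ;;
    esac
}

# Fetch the token over plain HTTP on port 80, as the Let's Encrypt validator
# does, and print the status code. Needs DNS and a running nginx, so it is
# only called when DOMAIN is set.
fetch_token() {
    domain="$1"; token="$2"
    curl -s -o /dev/null -w '%{http_code}' "http://$domain/.well-known/acme-challenge/$token"
}

# Stand-alone run: show the snippet for the thread's webroot and exercise the
# permission check on a temporary webroot. mktemp -d creates it 0700, which is
# exactly the kind of directory a worker cannot traverse, so open it first.
acme_location_snippet /var/www/webserver
demo_root=$(mktemp -d)
chmod 755 "$demo_root"
if stage_token "$demo_root" "dummy-token-1"; then
    echo "permissions ok under $demo_root"
fi
if [ -n "${DOMAIN:-}" ]; then
    echo "HTTP status for $DOMAIN: $(fetch_token "$DOMAIN" dummy-token-1)"
fi
rm -rf "$demo_root"
```

On the real server, call `stage_token /var/www/webserver sometoken` and then `fetch_token cloud.kisioanalysis.io sometoken`: a 200 with the file's contents is what the validator needs, a 403 with the check passing points at the nginx configuration rather than at file permissions, and a 404 means the request reached a different root than the one given to -w.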