For about a year now I have been running LE and certbot automatically. But all of a sudden it stopped automatically renewing my certificate.
certbot version: 0.28.0
OS: Ubuntu Server 14.04
Webserver: Apache 2.4.7
I ran “sudo certbot certonly --apache --dry-run”, which produced the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): flugsim.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for flugsim.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. flugsim.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://flugsim.org/.well-known/acme-challenge/tuZpzbDLbsxmMeqqiWV8ilKKYfv8hFbWBkb3KHryeMQ: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: flugsim.org
   Type: unauthorized
   Detail: Invalid response from http://flugsim.org/.well-known/acme-challenge/tuZpzbDLbsxmMeqqiWV8ilKKYfv8hFbWBkb3KHryeMQ: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.

Apache’s error.log gave me a hint:
[Sun Feb 10 18:23:37.718059 2019] [access_compat:error] [pid 12209] [client 126.96.36.199:39860] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/tuZpzbDLbsxmMeqqiWV8ilKKYfv8hFbWBkb3KHryeMQ
Indeed, /var/lib/letsencrypt belonged to root, and I changed it to root:www-data recursively, without success.
Interestingly, certbot never created a .well-known directory inside /var/www, so I would expect a 404 and not a 403.
Does anybody have any ideas what to try next?
BTW, how can I upload log files?
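
The following is an added example, not part of the original post: a small Python parser for Apache 2.4 error-log lines that separates 403 denials caused by access rules from those caused by filesystem permissions, for requests that hit the challenge directory named in the log line above. The function names and the two extra log lines are constructed for illustration; the AH code meanings are Apache's standard messages.

```python
import re

# Apache 2.4 error-log layout: [time] [module:level] [pid N] [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>[\w.]+):(?P<level>\w+)\] "
    r"\[pid \d+(?::tid \d+)?\] (?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)

# Codes Apache 2.4 logs alongside a 403, and what produced the denial.
DENIAL_KINDS = {
    "AH01797": "access rule (mod_access_compat: Order/Allow/Deny)",
    "AH01630": "access rule (mod_authz_core: Require)",
    "AH00035": "filesystem permissions on a path component",
}

# Path prefix taken from the error line quoted in the post.
CHALLENGE_DIR = "/var/lib/letsencrypt/http_challenges/"

def classify(line):
    """Return details for a 403-style denial, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None or m.group("code") not in DENIAL_KINDS:
        return None
    return {
        "code": m.group("code"),
        "kind": DENIAL_KINDS[m.group("code")],
        "client": m.group("client"),
        "acme_challenge": CHALLENGE_DIR in m.group("msg"),
    }

# First line is the one quoted in the post; the other two are constructed samples.
SAMPLE_LOG = [
    "[Sun Feb 10 18:23:37.718059 2019] [access_compat:error] [pid 12209] [client 126.96.36.199:39860] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/tuZpzbDLbsxmMeqqiWV8ilKKYfv8hFbWBkb3KHryeMQ",
    "[Sun Feb 10 18:30:00.000000 2019] [core:error] [pid 12210] [client 192.0.2.10:40000] AH00035: access to /.well-known/acme-challenge/EXAMPLE denied (filesystem path '/var/lib/letsencrypt/http_challenges/EXAMPLE') because search permissions are missing on a component of the path",
    "[Sun Feb 10 18:31:00.000000 2019] [mpm_prefork:notice] [pid 12000] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations",
]

def summarize(lines):
    """Classify every line and keep only the denials that hit the challenge directory."""
    hits = (classify(l) for l in lines)
    return [h for h in hits if h and h["acme_challenge"]]

if __name__ == "__main__":
    for hit in summarize(SAMPLE_LOG):
        print(f'{hit["code"]} from {hit["client"]}: {hit["kind"]}')
```

An AH01797 result means an access rule in the Apache configuration refused the request, which file ownership and mode bits do not affect; AH00035 is the code that points at filesystem permissions.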