Problem with auto-renew on Apache

Hello, I'm trying to execute the following command: certbot renew --dry-run -v

My goal with this is to check that my automatic renewal is working fine.

I am getting the following error output:

Processing /etc/letsencrypt/renewal/example.example.com.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Simulating renewal of an existing certificate for example.example.com
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Challenge failed for domain example.example.com
http-01 challenge for example.example.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: example.example.com
Type: unauthorized
Detail: 3.224.140.186: Invalid response from http://example.example.com/.well-known/acme-challenge/BooXbwK_y6moaaFFgmSD1M8p_n5YR-_0EN0M3uWWzzo: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate example.example.com with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/example.example.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

It seems to show a 403 error code; is this some kind of permission issue? Thanks
Note: I'm using example.example.com instead of the original domain just for this ticket.

A 403 error with the --apache authenticator usually means a problem with the Apache config. In this case my first guess would be multiple VirtualHosts for port 80 with the same domain name.

Or, you are issuing the 403 in a firewall or similar for the incoming requests.

What does this show? Please don't redact the domain name. That will probably also hide the underlying problem.

sudo apache2ctl -t -D DUMP_VHOSTS
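As an added example (not part of the thread), here is a small POSIX sh check that reads the output of sudo apache2ctl -t -D DUMP_VHOSTS and reports any server name that is defined more than once on port 80, which is the situation the reply above suspects. Apache prints the dump in two shapes: a one-line form when a single VirtualHost listens on a port, and a "port 80 namevhost ..." list when several share it; the check handles both. The two sample dumps embedded below are constructed for illustration (the duplicate one is not the poster's real output), and dup_port80_vhosts and check_dump are names chosen here, not certbot or Apache commands.

```sh
#!/bin/sh
# Added example, not from the thread: scan `apache2ctl -t -D DUMP_VHOSTS`
# output for a server name defined more than once on port 80. The --apache
# authenticator edits one port-80 vhost; if a second vhost with the same name
# answers the request instead, the CA sees that vhost's response (here a 403).
#
# Usage on a live box:  sudo apache2ctl -t -D DUMP_VHOSTS | dup_port80_vhosts
# Prints "name count" per duplicated name; exit status 1 if any were found.
dup_port80_vhosts() {
    awk '
        # Single-vhost form, printed when only one vhost listens on the port:
        #   "*:80  example.com (/etc/apache2/sites-enabled/x.conf:1)"
        $1 ~ /:80$/ && $2 != "is" { seen[$2]++ }
        # Name-based form, printed when several vhosts share the port:
        #   "  port 80 namevhost example.com (/etc/apache2/sites-enabled/x.conf:1)"
        # (the "default server ..." line repeats the first entry and is skipped)
        $1 == "port" && $2 == "80" && $3 == "namevhost" { seen[$4]++ }
        END {
            dups = 0
            for (name in seen) if (seen[name] > 1) { print name, seen[name]; dups = 1 }
            exit dups
        }
    '
}

# Constructed sample dump (not the output posted in the thread): two files in
# sites-enabled both declare misp.csdbr.com on port 80.
SAMPLE_DUP='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server misp.csdbr.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost misp.csdbr.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost misp.csdbr.com (/etc/apache2/sites-enabled/misp.csdbr.com.conf:1)
*:443                  misp.csdbr.com (/etc/apache2/sites-enabled/misp.csdbr.com-le-ssl.conf:2)'

# Constructed sample dump with one vhost per port, the clean case.
SAMPLE_OK='VirtualHost configuration:
*:443 misp.csdbr.com (/etc/apache2/sites-enabled/misp.csdbr.com-le-ssl.conf:2)
*:80 misp.csdbr.com (/etc/apache2/sites-enabled/misp.csdbr.com.conf:1)'

# Wrapper that feeds a dump held in a string to the checker.
check_dump() {
    printf '%s\n' "$1" | dup_port80_vhosts
}

check_dump "$SAMPLE_DUP" || echo "duplicate port-80 vhosts found"   # prints "misp.csdbr.com 2"
check_dump "$SAMPLE_OK" && echo "no duplicate port-80 vhosts"        # prints nothing from the checker
```

If the checker reports a name, look at the files named in the dump: the second definition is usually a leftover 000-default.conf or a copy of the site config, and removing or renaming the server name in one of them lets the --apache authenticator's temporary challenge config be the one Apache actually serves.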

VirtualHost configuration:
*:443 misp.csdbr.com (/etc/apache2/sites-enabled/misp.csdbr.com-le-ssl.conf:2)
*:80 misp.csdbr.com (/etc/apache2/sites-enabled/misp.csdbr.com.conf:1)

Could the problem be this plugin with "Installer None"?

No. That just means you originally used sudo certbot certonly --apache ... (or another method) to use the --apache plugin only as an authenticator. It is a perfectly normal method.

Would you show the contents of this file?

/etc/apache2/sites-enabled/misp.csdbr.com.conf

I ran the following command:
certbot certonly --webroot -w /var/www/html -d misp.csdbr.com

This makes me use the webroot to validate. To my surprise, this works fine and the simulated renewal shows as "succeeded". Now I will wait for the day of the auto-renewal and check. Thanks for the support.


You may need to restart/reload anything that is using the renewed cert(s).


Good. You can re-try your sudo certbot renew --dry-run before that to check that it should work.

The --apache authenticator would reload Apache so it saw fresh certs. Well, it probably would, depending on whether your version supported it. But --webroot does not without using a --deploy-hook.

If you have a current Certbot version you can add a deploy hook with:

sudo certbot reconfigure --cert-name misp.csdbr.com --deploy-hook 'systemctl reload apache2'

When it asks if you want it run during --dry-run, respond r for Run (yes).

I used systemctl reload apache2 as an example. Use your preferred command.

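As an added example (not part of the thread), the following POSIX sh audit checks the point made above: a certificate obtained with --webroot has no installer, so unless a deploy hook is recorded nothing reloads Apache after renewal. Certbot stores the hook given to certbot reconfigure --deploy-hook as the renew_hook key under [renewalparams] in /etc/letsencrypt/renewal/<cert-name>.conf, so the script reads that key and flags webroot certificates that lack one. The two renewal files it writes into a temporary directory are constructed samples, not the poster's real files, and renewal_params, check_renewal_conf, audit_renewal_dir and make_sample_dir are names chosen here, not certbot commands.

```sh
#!/bin/sh
# Added example, not from the thread: report certbot renewal configs whose
# certificate was issued with --webroot but has no renew_hook (deploy hook),
# i.e. renewals that will succeed without Apache ever picking up the new cert.
#
# Usage on a live box:  audit_renewal_dir /etc/letsencrypt/renewal
# Prints one line per config; exit status 1 if any webroot cert lacks a hook.

# Print "authenticator|renew_hook" for one renewal conf. Only keys in the
# [renewalparams] section are read; the [[webroot_map]] subsection, which
# also holds "name = value" lines, is skipped.
renewal_params() {
    awk '
        /^\[\[/ { insec = 0; next }               # [[webroot_map]] and the like
        /^\[renewalparams\]/ { insec = 1; next }
        /^\[/ { insec = 0; next }                  # any other top-level section
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)  # keeps any "=" inside the hook
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "authenticator") auth = val
            if (key == "renew_hook") hook = val
        }
        END { printf "%s|%s\n", auth, hook }
    ' "$1"
}

# Return 0 if the conf needs no action, 1 if it is webroot without a hook.
check_renewal_conf() {
    params=$(renewal_params "$1")
    auth=${params%%|*}
    hook=${params#*|}
    name=$(basename "$1" .conf)
    if [ "$auth" = "webroot" ] && [ -z "$hook" ]; then
        printf '%s: authenticator=webroot, no renew_hook -> Apache will not be reloaded\n' "$name"
        return 1
    fi
    printf '%s: authenticator=%s, renew_hook=%s\n' "$name" "${auth:-?}" "${hook:-none}"
    return 0
}

# Walk a renewal directory; exit 1 if any config was flagged.
audit_renewal_dir() {
    rc=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        check_renewal_conf "$f" || rc=1
    done
    return $rc
}

# Constructed sample renewal confs (not the poster's files): the first is the
# state right after `certbot certonly --webroot`, the second after adding
# `--deploy-hook 'systemctl reload apache2'`. Prints the temp dir path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/misp.csdbr.com.conf" <<'EOF'
# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/misp.csdbr.com
cert = /etc/letsencrypt/live/misp.csdbr.com/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html,
[[webroot_map]]
misp.csdbr.com = /var/www/html
EOF
    cat > "$d/fixed.example.com.conf" <<'EOF'
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html,
renew_hook = systemctl reload apache2
[[webroot_map]]
fixed.example.com = /var/www/html
EOF
    printf '%s\n' "$d"
}

SAMPLE_DIR=$(make_sample_dir)
audit_renewal_dir "$SAMPLE_DIR" || echo "at least one webroot certificate has no deploy hook"
rm -rf "$SAMPLE_DIR"
```

Run against the real directory after the reconfigure command above and the misp.csdbr.com line should switch from "no renew_hook" to "renew_hook=systemctl reload apache2"; the same check is worth wiring into whatever monitoring already watches certificate expiry, since a renewal that never reaches Apache looks successful in certbot's own log.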