Receiving 403 error trying to generate certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: smtp2.kidscarehh.com

I ran this command: “Request Certificate” from the Certify The Web program

It produced this output: Validation of the required challenges did not complete successfully. Invalid response from http://kidscarehh.com/.well-known/acme-challenge/FfnlTKZt7pdw9CRFfKGXi--C9QzqgU_DUria2sdrLEs [70.113.228.171]: “HTTP/1.1 403 Forbidden\nConnection: close\nContent-Length: 575\nContent-Type: text/html; charset=UTF-8\n\n\n\n<hea”

My web server is (include version): Windows Server 2019 Datacenter

The operating system my web server runs on is (include version): 2019, build 17763.1098

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A

1 Like

Hi @BTomes

Create these two subdirectories /.well-known/acme-challenge in the webroot of your website, then add permissions. Then add a test file (file name 1234) and try to load that file via

http://kidscarehh.com/.well-known/acme-challenge/1234

That must work.

1 Like

Thank you for your response, @JuergenAuer,
I can navigate to http://smtp2.kidscarehh.com/.well-known/acme-challenge/configcheck or to http://kidscarehh.com/.well-known/acme-challenge/configcheck from outside the server successfully.

1 Like

First works, second shows a 403.

Access Denied

PS: And the configuration is broken.

The output comes with the http headers:

HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 575
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Access Denied</title>
<style type="text/css">body {margin:0;font-family:verdana,sans-serif;} h1 {margin:0;padding:12px 25px;background-color:#343434;color:#ddd} p {margin:12px 25px;} strong {color:#E0042D;}</style>
</head>
<body>
<h1>Access Denied</h1>
<p>
<strong>You are attempting to access a forbidden site.</strong><br/><br/>
Please contact <a href="https://techteam.kidscarehh.com/helpdesk">Techteam </a>or your manager for assistance.
</p>
</body>
</html>

And checking it manually there is a ServerProtocolViolation error. Something is broken.

1 Like
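The test-file advice above and the header dump in this reply both amount to the same check: fetch the challenge URL from outside the network and look at what actually answers. The script below is an added example (not part of the thread and not Certify The Web's or Let's Encrypt's code) that does that probe with only the Python standard library and classifies the reply. It tells a branded "Access Denied" HTML page (which a firewall or web filter typically injects) apart from a plain IIS 403 or a missing file, and it flags a Content-Length that does not match the body, which is one reason a strict client reports a protocol violation. The sample response is constructed from the headers and body quoted in this thread; the hostname, token and key-authorization strings used in the usage call are placeholders.

```python
import http.client
import re
import sys
from urllib.parse import urlsplit

# Constructed sample: the 403 reply quoted in this thread, reassembled as raw
# bytes (stray blank lines before the body included) so it can be parsed offline.
SAMPLE_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 575\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n\r\n\r\n"
    b"<!DOCTYPE html><html><head><title>Access Denied</title></head>"
    b"<body><h1>Access Denied</h1>"
    b"<p><strong>You are attempting to access a forbidden site.</strong></p>"
    b"</body></html>"
)


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.x reply into (status, headers, body).

    Line endings are normalised first; everything after the first blank line
    is the body, so stray leading newlines end up in the body rather than
    breaking header parsing."""
    text = raw.replace(b"\r\n", b"\n")
    head, _, body = text.partition(b"\n\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    status = int(match.group(1)) if match else 0
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def diagnose(status, headers, body, expected_keyauth=None):
    """Classify who answered an HTTP-01 probe.

    expected_keyauth is the 'token.thumbprint' string the ACME client wrote to
    the challenge file; pass None when probing a hand-made test file."""
    notes = []
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) != len(body):
        # Strict clients (e.g. .NET's HttpWebRequest) reject this outright.
        notes.append("content-length mismatch")
    ctype = headers.get("content-type", "")
    if status == 200:
        if expected_keyauth is None or body.strip() == expected_keyauth.encode():
            verdict = "ok"
        else:
            verdict = "wrong-body"  # something else is serving that path
    elif status == 403 and "text/html" in ctype and b"Access Denied" in body \
            and b"forbidden site" in body:
        # A branded block page rather than the web server's own 403: an
        # intermediary (firewall / web filter) is answering for the server.
        verdict = "blocked-by-intermediary"
    elif status == 403:
        verdict = "forbidden-by-server"  # IIS/ACL denying the request itself
    elif status == 404:
        verdict = "not-found"  # directory or file missing from the webroot
    else:
        verdict = f"unexpected-{status}"
    return {"verdict": verdict, "notes": notes}


def probe(url, timeout=10):
    """Fetch a challenge URL with a minimal client and return (status, headers, body).

    Redirects are not followed, so the answer reflects the first hop reached,
    which is what matters when an intermediary is suspected."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", parts.path or "/",
                 headers={"Host": parts.hostname, "User-Agent": "acme-selfcheck"})
    resp = conn.getresponse()
    body = resp.read()
    headers = {name.lower(): value for name, value in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


if __name__ == "__main__":
    # Usage: python acme_probe.py http://DOMAIN.example/.well-known/acme-challenge/1234 [keyauth]
    # Run it once from inside the LAN and once from outside (the cell-phone test
    # in this thread); differing verdicts point at something between the two.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://DOMAIN.example/.well-known/acme-challenge/1234"
    keyauth = sys.argv[2] if len(sys.argv) > 2 else None
    print(diagnose(*probe(target), expected_keyauth=keyauth))
```

Running the probe from a host on the LAN and again from a host outside it, as the original poster did with a laptop and a phone, is the comparison that matters: "ok" inside and "blocked-by-intermediary" outside says the web server is fine and a device in the path is substituting its own page.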

When I access the second link (http://kidscarehh.com/.well-known/acme-challenge/configcheck) from my laptop within the same domain as the server, I can reach it without any problem. When I tried that same link from my cell phone to try it from outside our domain, I get the same error that you receive. We have checked our firewall to see if we found any blocked packets from outside the network, but we did not find any. We have temporarily disabled HIPS protection on the antivirus software on the server itself. Do you have any suggestion where we might look next?

1 Like

@JuergenAuer,
It turns out that the problem was with our firewall. It was blocking the packets from outside our domain. Thank you for your help troubleshooting the problem. Your post put us on the right path to get it resolved. We have been able to get the new certificate now.

3 Likes

Yep, now the second link works correctly.

Good to know that a firewall is able to create such a curious result.

Happy to read that it has worked :+1:

2 Likes
