Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: demo.texasschooltools.com
I ran this command: /usr/local/sbin/certbot-auto renew --rsa-key-size 4096 --renew-hook "apachectl -k graceful"
It produced this output:
Domain: demo.texasschooltools.com
Type: unauthorized
Detail: Invalid response from
http://demo.texasschooltools.com/.well-known/acme-challenge/Ap5C2LnjA43GI1kATXG91sFPklHjfjpUgVM29His5m0:
"\n\n403 Forbidden\n\nForbidden\n<p"
My web server is: apache 2.2
The operating system my web server runs on is: Debian Wheezy
My hosting provider, if applicable, is: self-hosted
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: no
Hi guys,
I have letsencrypt set up on a debian wheezy, apache2.2 platform and renewals are coming up. Auths are failing for sites where I am restricting access (demo, development, stats), but appear to work fine for unrestricted sites.
Below is the apache2 config file for the demo site I'd like to tackle first:
<VirtualHost *:80>
ServerName demo.texasschooltools.com
Redirect / https://demo.texasschooltools.com/
</VirtualHost>
<VirtualHost *:443>
ServerName demo.texasschooltools.com
DocumentRoot "/var/www/demo"
php_admin_flag engine on
php_admin_value upload_tmp_dir /var/www/demo/upload
php_flag display_errors off
php_admin_value open_basedir /var/www/demo/:/var/www/config/:/var/www/addons/:/var/www/tmp/:/var/www/upload/:/tmp/
SSLEngine on
SSLProtocol -ALL -SSLv3 -SSLv2 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
SSLCertificateKeyFile /etc/letsencrypt/live/multidomain/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/multidomain/cert.pem
</IfModule>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog "/var/log/apache2/demo/access.log" combined env=!dontlog
ErrorLog "/var/log/apache2/demo/error.log"
<Directory "/var/www/demo">
Options -Indexes
AuthType Basic
AuthName "You have accessed a restricted site. Please log in."
AuthUserFile "/etc/apache2/authfiles/.htpasswd"
Require valid-user
AllowOverride All
Order allow,deny
Satisfy Any
DirectoryIndex index.html index.php login.php
</Directory>
<Directory "/var/www/demo/.well-known/acme-challenge">
Options -Indexes
Order allow,deny
Allow from all
</Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/multidomain/chain.pem
</VirtualHost>
I've used a watch and can verify that the authorization file is in fact being loaded to the .well-known/acme-challenge folder. I have also tried placing a test.html file in that same folder and it cannot be accessed without the login name and password.
So my question is, how do I properly set up the Directory for the .well-known/acme-challenge folder so that it is unrestricted?
I've tried adding several versions of .htaccess (and enabling AllowOverride), with no luck.
Any ideas where I might be going wrong?
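Added example, not the poster's own config: an Apache 2.2 layout that keeps Basic auth on the whole demo site but exempts the ACME challenge directory. It keeps the post's hostname, webroot and htpasswd path, and assumes certbot is run in webroot mode against /var/www/demo. The point it shows is that in 2.2 the exemption needs both an access-control pass (Allow from all) and Satisfy Any in the child Directory block; the post's child block has the first but relies on inheritance for the second, so the inherited Require valid-user still applies. The plain-HTTP Alias and RedirectMatch in the :80 vhost are optional (Let's Encrypt follows the redirect to HTTPS), and the Directory block is repeated inside each vhost because Directory sections inside a VirtualHost apply only to that vhost and are merged after server-level ones.

```apache
# Added example (not the original poster's config).
# Assumptions: webroot /var/www/demo, Basic-auth file in /etc/apache2/authfiles,
# certificate paths as in the post, certbot running in webroot mode.

<VirtualHost *:80>
    ServerName demo.texasschooltools.com
    # Serve challenge files directly over plain HTTP instead of redirecting them.
    Alias /.well-known/acme-challenge /var/www/demo/.well-known/acme-challenge
    # Redirect everything else to HTTPS; the negative lookahead exempts the
    # challenge path, and $1 carries the rest of the URL across like "Redirect /" did.
    RedirectMatch "^/(?!\.well-known/acme-challenge/)(.*)$" "https://demo.texasschooltools.com/$1"

    # Same exemption as in the :443 vhost; Directory sections do not cross vhosts.
    <Directory "/var/www/demo/.well-known/acme-challenge">
        Options -Indexes
        Order allow,deny
        Allow from all
        Satisfy Any
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName demo.texasschooltools.com
    DocumentRoot "/var/www/demo"
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/multidomain/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/multidomain/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/multidomain/chain.pem

    # Whole site: "Order allow,deny" with no Allow line denies every host, so
    # with "Satisfy Any" the only remaining way in is a valid Basic-auth user.
    <Directory "/var/www/demo">
        Options -Indexes
        AuthType Basic
        AuthName "You have accessed a restricted site. Please log in."
        AuthUserFile "/etc/apache2/authfiles/.htpasswd"
        Require valid-user
        Order allow,deny
        Satisfy Any
    </Directory>

    # Challenge directory: "Allow from all" passes the host-based check, and
    # "Satisfy Any" (stated here rather than inherited) means the inherited
    # "Require valid-user" no longer has to be met. Everything in this
    # directory is world-readable, so only ACME token files belong here.
    <Directory "/var/www/demo/.well-known/acme-challenge">
        Options -Indexes
        Order allow,deny
        Allow from all
        Satisfy Any
    </Directory>
</VirtualHost>
```

To check it: run `apachectl -t`, reload with `apachectl -k graceful`, drop a test file into /var/www/demo/.well-known/acme-challenge/ and confirm with `curl -sI` that it returns 200 on both http:// and https:// without credentials, while a file elsewhere under /var/www/demo still returns 401. Remove the test file afterwards, and run `certbot-auto renew --dry-run` before relying on it for the real renewal.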