Renew fails 403 Forbidden for AuthType Basic


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: demo.texasschooltools.com

I ran this command: /usr/local/sbin/certbot-auto renew --rsa-key-size 4096 --renew-hook "apachectl -k graceful"

It produced this output:

Domain: demo.texasschooltools.com
Type: unauthorized
Detail: Invalid response from
http://demo.texasschooltools.com/.well-known/acme-challenge/Ap5C2LnjA43GI1kATXG91sFPklHjfjpUgVM29His5m0:
"\n\n403
Forbidden\n\n

Forbidden

\n<p"

My web server is apache 2.2:

The operating system my web server runs on is Debian Wheezy:

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

Hi guys,

I have letsencrypt set up on a debian wheezy, apache2.2 platform and renewals are coming up. Auths are failing for sites where I am restricting access (demo, development, stats), but appear to work fine for unrestricted sites.

Below is the apache2 config file for the demo site I’d like to tackle first:

<VirtualHost *:80>
    ServerName demo.texasschooltools.com
    Redirect / https://demo.texasschooltools.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName demo.texasschooltools.com
    DocumentRoot "/var/www/demo"
    php_admin_flag engine on
    php_admin_value upload_tmp_dir /var/www/demo/upload
    php_flag display_errors off
    php_admin_value open_basedir /var/www/demo/:/var/www/config/:/var/www/addons/:/var/www/tmp/:/var/www/upload/:/tmp/

    SSLEngine on
    SSLProtocol -ALL -SSLv3 -SSLv2 +TLSv1
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    SSLCertificateKeyFile /etc/letsencrypt/live/multidomain/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/multidomain/cert.pem
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
    CustomLog "/var/log/apache2/demo/access.log" combined env=!dontlog
    ErrorLog "/var/log/apache2/demo/error.log"
    <Directory "/var/www/demo">
        Options -Indexes
        AuthType Basic
        AuthName "You have accessed a restricted site. Please log in."
        AuthUserFile "/etc/apache2/authfiles/.htpasswd"
        Require valid-user
        AllowOverride All
        Order allow,deny
        Satisfy Any
        DirectoryIndex index.html index.php login.php
    </Directory>
    <Directory "/var/www/demo/.well-known/acme-challenge">
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/multidomain/chain.pem
</VirtualHost>

I’ve used a watch and can verify that the authorization file is in fact being loaded to the .well-known/acme-challenge folder. I have also tried placing a test.html file in that same folder and it cannot be accessed without the login name and password.

So my question is, how do I properly set up the Directory for the .well-known/acme-challenge folder so that it is unrestricted?

I’ve tried adding several versions of .htaccess (and enabling AllowOverride), with no luck.

Any ideas where I might be going wrong?


#2

One way could be just to address it directly in your port 80 handler:

<VirtualHost *:80>
        ServerName demo.texasschooltools.com
        DocumentRoot /var/www/demo/
        RewriteEngine On
        RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
        RewriteRule (.*) https://demo.texasschooltools.com$1
</VirtualHost>

#3

Still no dice. I changed the 80 handler to what you’ve got and I still get a 403 Forbidden error trying to access the http://demo.texasschooltools.com/.well-known/acme-challenge/test.html page.

I removed all .htaccess files in the webroot, and in the acme-challenge folders, just to make sure they aren’t affecting anything. Any other ideas?


#4

Out of curiosity, I changed the folder permissions for the .well-known folder (and subfolders) to 777 and voilà! I have access to the test.html file now. So…what SHOULD the permissions be for that folder?

chmod 777 -R /var/www/demo/.well-known


#5

The permission of directories should generally be 0755.

403 isn’t related to your basic auth (which would be 401), something else is causing that.

Perhaps try putting this in the port 80 one as well:

Alias /.well-known/acme-challenge/ /var/www/acme/

and seeing if using a different directory avoids the problem.


#6

Thanks _az. I think it must've been related to the folder permissions. Everything works fine now, and some of the folders in other secured websites did not have the same issues that I resolved with the update to the config file for the demo site.

So, one point to remember, check the folder permissions on .well-known (and its subfolders) and set to 0755 if all else fails. After making this chmod for all of my .well-known folders (various websites), renewal worked just fine and certs are now extended.

I’ll take a look at the Alias option yet, but I’d done some reading both for and against that workaround.
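As an added example (not code from any post in this thread), here is a small POSIX shell audit for the cause that #4 to #6 landed on: it walks the directory chain Apache has to traverse to reach the challenge directory, names any component the www-data worker cannot enter or any token file it cannot read, resets the tree to 0755/0644 instead of the 777 from #4, and maps the status code of a probe of the challenge URL to the distinction #5 draws (401 is Basic auth, 403 is not). The Debian paths, the www-data user and GNU stat are assumptions taken from the thread's platform.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the directory chain Apache
# has to traverse to serve /.well-known/acme-challenge/, reset it to
# 0755/0644, and explain the status a challenge probe returns.
# Assumptions: GNU stat (Debian coreutils) and the thread's Debian paths.

# Last octal digit of a path's mode: the "other" bits, which are what the
# Apache worker (www-data on Debian) gets on files owned by someone else.
other_bits() {
    mode=$(stat -c %a "$1")
    printf '%s\n' "${mode#"${mode%?}"}"
}

# One directory: exists and is world-traversable (o+x)? A directory without
# o+x cannot be entered by www-data, and Apache turns that into a 403, not 401.
check_dir() {
    if [ ! -d "$1" ]; then
        printf 'MISSING     %s\n' "$1"
        return 1
    fi
    case $(other_bits "$1") in
        1|3|5|7) return 0 ;;
        *) printf 'NO-TRAVERSE %s (mode %s)\n' "$1" "$(stat -c %a "$1")"; return 1 ;;
    esac
}

# acme_path_check TOP RELPATH: check TOP and every component of RELPATH below
# it, then every file in the final directory for o+r. Prints one line per
# problem and returns 1 if any was found. Start TOP at / (or /var/www) to
# cover the whole chain, not just the .well-known tree.
acme_path_check() {
    cur=$1
    rc=0
    check_dir "$cur" || rc=1
    oldifs=$IFS
    IFS=/
    for part in $2; do
        IFS=$oldifs
        [ -n "$part" ] || continue
        cur="$cur/$part"
        check_dir "$cur" || rc=1
    done
    IFS=$oldifs
    [ -d "$cur" ] || return 1
    for f in "$cur"/*; do
        [ -f "$f" ] || continue
        case $(other_bits "$f") in
            4|5|6|7) ;;
            *) printf 'NO-READ     %s (mode %s)\n' "$f" "$(stat -c %a "$f")"; rc=1 ;;
        esac
    done
    return $rc
}

# acme_path_fix DIR: the permissions post #5 recommends, applied to the
# challenge tree. chmod -R 777 (post #4) also clears the 403, but then any
# local account can drop files where the CA looks for proof of control, which
# is enough to obtain a certificate for the name. 0755/0644 is all Apache needs.
acme_path_fix() {
    find "$1" -type d -exec chmod 0755 '{}' +
    find "$1" -type f -exec chmod 0644 '{}' +
}

# Meaning of the status a GET on the challenge URL returns (post #5's point:
# Basic auth answers 401; a 403 comes from somewhere else).
explain_status() {
    case $1 in
        200) printf 'served\n' ;;
        401) printf 'Basic auth still applies to the challenge path: check the Directory match and Satisfy Any\n' ;;
        403) printf 'not auth: permissions on a directory in the chain, a Deny from all that still applies, or the default <Directory /> deny\n' ;;
        404) printf 'path not mapped: check DocumentRoot or Alias in the :80 vhost\n' ;;
        301|302|307|308) printf 'redirected: the validator follows it, so probe the target as well\n' ;;
        *) printf 'unexpected status %s\n' "$1" ;;
    esac
}

# acme_probe HOST FILE: fetch the way the CA does (plain HTTP). Needs a placed
# test file and network, so the offline test does not call it.
acme_probe() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$1/.well-known/acme-challenge/$2")
    printf '%s: %s\n' "$code" "$(explain_status "$code")"
}

# Typical run on the thread's site (paths are the thread's; adjust for yours):
#   acme_path_check /var/www demo/.well-known/acme-challenge || acme_path_fix /var/www/demo/.well-known
#   acme_probe demo.texasschooltools.com test.html
```

Two things the audit cannot see: if you take the Alias route from #5 and point it at a directory outside the DocumentRoot, that directory needs its own `<Directory>` block with `Order allow,deny` and `Allow from all` (and `Satisfy Any` where it inherits `Require valid-user`), since a stock Debian apache2.conf denies everything under `<Directory />`; and certbot-auto runs as root, so it can write tokens into a directory www-data cannot read, which is exactly the case where the challenge file is visibly present yet the CA gets a 403.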