Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: soulsurfer.ddns.net
I ran this command: certbot -v
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for soulsurfer.ddns.net
Performing the following challenges:
http-01 challenge for soulsurfer.ddns.net
Waiting for verification...
Challenge failed for domain soulsurfer.ddns.net
http-01 challenge for soulsurfer.ddns.net
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: soulsurfer.ddns.net
Type: unauthorized
Detail: 87.123.125.228: Invalid response from http://soulsurfer.ddns.net/.well-known/acme-challenge/xZl9E4pGJVUSVNSb36cPtZU0fyMK0gyle_ERI4Nqh9I: 403
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Cleaning up challenges
My web server is (include version): Apache 2.4.52
The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS - jammy
My hosting provider, if applicable, is: selfhosted
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot): 1.21.0
I had no problems for years, but I found that some Ubuntu update blocked http on port 80.
having fixed this, I can access the .well-known/... files via http:
curl http://soulsurfer.ddns.net/.well-known/acme-challenge/letsdebug-test -v
- processing: http://soulsurfer.ddns.net/.well-known/acme-challenge/letsdebug-test
- Trying 87.123.125.228:80...
- Connected to soulsurfer.ddns.net (87.123.125.228) port 80
GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1
Host: soulsurfer.ddns.net
User-Agent: curl/8.2.1
Accept: /
< HTTP/1.1 200 OK
< Date: Thu, 25 Apr 2024 20:22:30 GMT
< Server: Apache/2.4.52
< X-Content-Type-Options: nosniff
< X-Frame-Options: sameorigin
< Strict-Transport-Security: max-age=15552000;includeSubdomains
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: strict-origin-when-cross-origin
< X-Robots-Tag: “none”
< X-Download-Options: “noopen”
< X-Permitted-Cross-Domain-Policies: “none”
< Last-Modified: Thu, 25 Apr 2024 20:21:14 GMT
< ETag: "49-616f1875f2738"
< Accept-Ranges: bytes
< Content-Length: 73
<
The status code for missing files is 404, as expected. But certbot gets 403 for the http-01 renewal check.
I have a nextcloud server, version 28, and php-8.1 installed since 2016.
The apache log states the forbidden access:
AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/8fUCnNLytzOOpYCU7xV2Sm5jpljPMXnO0FyK7qgc-Gg
The file accesses are set like this:
ls -l /var/lib/letsencrypt/http_challenges/
drwxrwxr-x 2 root www-data 4096 Apr 25 23:32 ./
drwxrwxr-x 4 root www-data 4096 Apr 25 23:32 ../
I'm grateful for any hints ...