Solution to 403 error during http-01 on apache

My server has been applying for certificates fine for a while now using tls-sni-01 but since that is no longer supported new domains are using http-01 which was failing with a 403 error. I couldn’t find the solution anywhere obvious so I thought I’d share how I fixed it in case it helps anybody else.
It turns out certbot is (correctly) adding “Require all granted” to the config file for the “http_challenges” folder it serves the challenges from, but my apache configuration dates back around 10 years and uses the old apache 2.2 access control settings; “Require all granted” is the new 2.4 access control setting. Mixing the two setting styles gives incorrect results, as the 2.2 settings take priority: http://httpd.apache.org/docs/current/upgrading.html
So the solution is to remove all the old settings and replace them with 2.4 settings, and then certbot works again.
To check the settings are all gone, disable the “access_compat” module (on Ubuntu/Debian run “a2dismod access_compat”), then run “apachectl configtest”. If that passes, restart apache and re-run certbot.
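The mismatch described above, as an added illustration rather than the poster's own configuration: a vhost written with 2.2 access-control directives beside its 2.4 rewrite. The hostname, DocumentRoot and challenge path are assumed, and the certbot snippet is a stand-in for what the plugin writes.

```apache
# Added example, not the original poster's config. Assumed paths:
# /var/www/example is the DocumentRoot; /var/lib/letsencrypt/http_challenges
# is where certbot serves /.well-known/acme-challenge/ from.

# --- Failing layout: 2.2 directives (need mod_access_compat) ---
# A root-level "Deny from all" is enforced by mod_access_compat before
# any "Require" is evaluated, so the challenge directory below still
# answers 403 even though certbot granted access to it.
<Directory />
    Order deny,allow
    Deny from all
</Directory>

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Stand-in for the 2.4-style snippet certbot adds for http-01.
<Directory /var/lib/letsencrypt/http_challenges>
    Require all granted
</Directory>

# --- Corrected layout: only 2.4 directives, no access_compat ---
# With a single authorization model, the more specific Directory
# section's "Require" replaces the parent's, so the challenge
# directory is reachable while everything else stays denied.
<Directory />
    Require all denied
</Directory>

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        Require all granted
    </Directory>
</VirtualHost>

<Directory /var/lib/letsencrypt/http_challenges>
    Require all granted
</Directory>
```

After converting, `apachectl configtest` with access_compat disabled will report any leftover Order/Allow/Deny/Satisfy directive as an unknown directive, which is the check the post relies on.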
