We have a reverse proxy redirecting to many internal websites.
For all sites we have no issue but for one each I time run certbot-auto I get this error :
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: "mywebsite.fr"
Type: unauthorized
Detail: Invalid response from
http://"mywebsite.fr"/.well-known/acme-challenge/joTDZKkyDRnMBMTD6YIar91hgpasWRvRG01NmeGcivQ:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"
I can’t explain what is the problem. For me it can’t be the reverse proxy as it works for many other sites and they are all based on the same template.
The real website is an Ubuntu 16.04 with Apache2.4.18, PHP7.0 and It’s accessible from outside.
I don’t really know how works certbot auto if there is any requirement to be sure that certbot auto works.
To add to @JuergenAuer's response, it seems highly likely that whatever server is sitting between nginx and the internet (called "Knstat/2.1.1") is interfering with the requests.
Google's Chinese to English translation is pretty bad, but it might have something to do with your site's ICP license.
Dear users, Hello:
Sorry, the site is temporarily unavailable. It may be caused by the following reasons:
Reason one
Your website has not yet been filed. According to the “Administrative Measures for Non-operating Internet Information Services,” the website needs to be accessed after being filed first. The Ministry of Industry and Information Management will enter the inquiry.
Reason two
The content of the website is inconsistent with the filing information or the filing information is inaccurate; according to the "Administrative Measures for the Filing of Non-operating Internet Information Services," the website content needs to be consistent with the filing information, and the filing information needs to be authentic and valid. It is recommended that webmasters modify the website information as soon as possible.
This page is the default prompt page. If there are any problems with the website, please handle it in time. Please contact your service provider for website filing.
@stevenzhu might be able to give a better explanation.
Thanks @_az . I didn’t realize it’s related to the ICP license problem cause I can curl the files on the machine. I switched to using TLS-SNI-01 to renew and the problem is solved. I was in fact been MITM attacked.
The thing with ICP is, you could (somehow) visit the website using https connection and not get blocked.
However, since your site doesn’t hold an valid ICP license, all http connection is going to be blocked by 光环新网 (which I never heard before) .
Please Consider apply for an ICP license or simply buy a Hong Kong hosting would resolve the blocking issue.
Unfortunatelly, it did not worked. But I’m not that surprised as 11 other sites behind this proxy are not impacted by this issue…
Could the real website be the problem?
certbot auto create the following challenge config :
<Directory /var/lib/letsencrypt/http_challenges>
Require all granted
</Directory>
<Location /.well-known/acme-challenge>
Require all granted
</Location>
And modify the virtual host config adding this :
Include /etc/apache2/le_http_01_challenge_post.conf
the issue is that my DocumentRoot is not set in my vhost as :
/var/lib/letsencrypt/http_challenges
As I’m on a reverse proxy I don’t mind to set it to anything as all requests are then redirected to the real server, so I just added this to my vhost conf and it worked like a charm:
DocumentRoot /var/lib/letsencrypt/http_challenges
<Directory /var/lib/letsencrypt/http_challenges>
Allow from All
</Directory>
May be something has changed in the last certbot-auto script as I never had to do this before.
Hope It’s clear enough and will help someone else.