[Solved] Invalid response 403 forbidden


#1

Hi,

We have a reverse proxy redirecting to many internal websites.
For all sites we have no issue but for one each I time run certbot-auto I get this error :

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: "mywebsite.fr"
    Type:   unauthorized
    Detail: Invalid response from
    http://"mywebsite.fr"/.well-known/acme-challenge/joTDZKkyDRnMBMTD6YIar91hgpasWRvRG01NmeGcivQ:
    "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p"
    

I can’t explain what is the problem. For me it can’t be the reverse proxy as it works for many other sites and they are all based on the same template.

The real website is an Ubuntu 16.04 with Apache2.4.18, PHP7.0 and It’s accessible from outside.
I don’t really know how works certbot auto if there is any requirement to be sure that certbot auto works.

Any help would be very appreciated.

Many thanks


#2

It’s not possible for us to guess at the cause without knowing the domain or at least seeing a redacted /var/log/letsencrypt/letsencrypt.log .

Maybe try run it through letsdebug.net, might catch a possible cause.


#3

I am having the same issue.

Nginx is reporting to return 200, but in letsencrypt.log, the server said it received 403.

64.78.149.164 - - [13/Jun/2018:18:28:19 +0800] “GET /.well-known/acme-challenge/AzpO6Xzp5UejsQiyv3F-zQHVRo9wHXW5FsrFx594SyY HTTP/1.1” 200 0 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” “-”

Here’s the /var/log/letencrypt/letsencrypt.log https://gist.github.com/chentmin/93d29cfbdcacd5211ccc0234c26ccbc8


#4

Hi @chentmin

your authorization url is:

https://acme-v01.api.letsencrypt.org/acme/authz/9MdFdePTrh2j70GQcE7N5-t3t20mlu-902EQZoiJ3qM

There

“Invalid response from http://animal2018.lightpaw.com/.well-known/acme-challenge/AzpO6Xzp5UejsQiyv3F-zQHVRo9wHXW5FsrFx594SyY: “\n\t\n\t\t<meta http-equiv=“Content-Type” content=“textml;charset=GB2312” />\n\t\tbody{background-color:#FFFFFF}</sty””


Your server sends html-code, not the key authorization

AzpO6Xzp5UejsQiyv3F-zQHVRo9wHXW5FsrFx594SyY.a8DUPPLJTseyYz3nQXfDbCvfqh8RGeFQOiMCjdLAqzI

FireFox says:

http://animal2018.lightpaw.com/.well-known/acme-challenge/AzpO6Xzp5UejsQiyv3F-zQHVRo9wHXW5FsrFx594SyY

404 Not found.

Checking the url direct there is a strange error (never seen before):

D:\download http://animal2018.lightpaw.com/.well-known/acme-challenge/AzpO6Xzp5UejsQiyv3F-zQHVRo9wHXW5FsrFx594SyY -h
Error (1): Der Server hat eine Protokollverletzung ausgeführt… Section=ResponseStatusLine
ServerProtocolViolation

Section=ResponseStatusLine


#5

To add to @JuergenAuer’s response, it seems highly likely that whatever server is sitting between nginx and the internet (called “Knstat/2.1.1”) is interfering with the requests.

Google’s Chinese to English translation is pretty bad, but it might have something to do with your site’s ICP license.

Dear users, Hello:

Sorry, the site is temporarily unavailable. It may be caused by the following reasons:
Reason one

Your website has not yet been filed. According to the “Administrative Measures for Non-operating Internet Information Services,” the website needs to be accessed after being filed first. The Ministry of Industry and Information Management will enter the inquiry.
Reason two

The content of the website is inconsistent with the filing information or the filing information is inaccurate; according to the “Administrative Measures for the Filing of Non-operating Internet Information Services,” the website content needs to be consistent with the filing information, and the filing information needs to be authentic and valid. It is recommended that webmasters modify the website information as soon as possible.
This page is the default prompt page. If there are any problems with the website, please handle it in time. Please contact your service provider for website filing.

@stevenzhu might be able to give a better explanation.


#6

Thanks @_az . I didn’t realize it’s related to the ICP license problem cause I can curl the files on the machine. I switched to using TLS-SNI-01 to renew and the problem is solved. I was in fact been MITM attacked.


#7

Hi,

I’m afriad that’s actually not the issue.

The thing with ICP is, you could (somehow) visit the website using https connection and not get blocked.

However, since your site doesn’t hold an valid ICP license, all http connection is going to be blocked by 光环新网 (which I never heard before) .

Please Consider apply for an ICP license or simply buy a Hong Kong hosting would resolve the blocking issue.

Thank you


#8

Hi,

here is my log :

Supressed : not related to the problem.

I don’t know why, this is the only site behind my reverse proxy that give that issue.

Many thanks by advance for your help.


#9

I don’t see a reason why it’s failing.

Could you show /etc/apache2/sites-enabled/ged.conf and check that the domain doesn’t appear twice in:

apachectl -S

#10

Hi,

me neither I don’t see any reason…
The site appear once with in the output of : apachectl -S

here is the ged.conf, very simple:

Suppressed: not related to the problem

Thank you


#11

Try putting this above the other ProxyPass directives:

ProxyPass "/.well-known/acme-challenge" "!"

It’s possible that the challenge requests are being passed incorrectly to the next server.


#12

Unfortunatelly, it did not worked. But I’m not that surprised as 11 other sites behind this proxy are not impacted by this issue…
Could the real website be the problem?


#13

Hi,

Finally found where the issue come from.

certbot auto create the following challenge config :

<Directory /var/lib/letsencrypt/http_challenges>
        Require all granted
    </Directory>
    <Location /.well-known/acme-challenge>
        Require all granted
    </Location>

And modify the virtual host config adding this :

Include /etc/apache2/le_http_01_challenge_post.conf 

the issue is that my DocumentRoot is not set in my vhost as :

 /var/lib/letsencrypt/http_challenges

As I’m on a reverse proxy I don’t mind to set it to anything as all requests are then redirected to the real server, so I just added this to my vhost conf and it worked like a charm:

    DocumentRoot /var/lib/letsencrypt/http_challenges
    <Directory /var/lib/letsencrypt/http_challenges>
            Allow from All
    </Directory>

May be something has changed in the last certbot-auto script as I never had to do this before.
Hope It’s clear enough and will help someone else.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.