Status 403 When Trying to Implement Certificate

I cannot figure out how to get this cert implemented. It fails with a status 403.

My domain is: opcotest.regulatoryintelligence.com

I ran this command: tried to implement LE certificate from Plesk GUI

It produced this output:
Could not issue an SSL/TLS certificate for opcotest.regulatoryintelligence.com
Details
Could not issue a Let's Encrypt SSL/TLS certificate for opcotest.regulatoryintelligence.com.

The authorization token is not available at http://opcotest.regulatoryintelligence.com/.well-known/acme-challenge/1kYPAqd54fFQOuh_sEGK7x4Xbew9YK2nSakUKkKITuI.

To resolve the issue, make sure that the token file can be downloaded via the above URL.

See the related Knowledge Base article for details.

Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/396742205376.

Details:

Type: urn:ietf:params:acme:error:unauthorized

Status: 403

Detail: 144.202.185.220: Invalid response from http://opcotest.regulatoryintelligence.com/.well-known/acme-challenge/1kYPAqd54fFQOuh_sEGK7x4Xbew9YK2nSakUKkKITuI: 404

My web server is (include version): Apache 2.5/Nginx

The operating system my web server runs on is (include version): Ubuntu 22.04.4

My hosting provider, if applicable, is: TierPoint

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

That is the overall failure but the underlying reason is a "404" (HTTP Not Found). The Let's Encrypt Auth Server asked your server for the challenge token and you told LE you did not have it.

Did you review the related KB article? The Plesk system is likely not configured correctly to match your server. Which looks like nginx and not:

You would probably be better off asking your hosting service about this. They setup Plesk and your system and are better positioned to answer setup questions.


There is a certificate now.

Validity
Not Before: Aug 30 17:59:57 2024 GMT
Not After : Nov 28 17:59:56 2024 GMT
Subject: CN = opcotest.regulatoryintelligence.com

Believe it or not, the order of the IP NATs was the issue. If the .221 NAT was ahead of the .220 NAT in my firewall rules, it would not work. I never knew the IP order mattered.


Thanks for the final report. Good Luck!


Something sounds "off" with that.
Can you show the two NAT rules?

[sounds like you simply switched the problem from one IP to the other]


So I have two Plesk servers: one is my production server and one is my test server. Each server has multiple websites on it. Each server has an iteration of Nginx for reverse proxy, and this is where the issue lies. When a call comes in from one public IP, each Nginx iteration wants to respond. I had one of two choices: move the Nginx process upstream to my firewall, so one Nginx process would handle both servers, or get a second public IP and set up NAT rules for each server to use an independent public IP. I chose the second option.

My public IPs end in .220 and .221. .221 was already being used by the production server. I then set up NAT rules to associate .220 with my test server, but it would never work. In reviewing this I noticed that the NAT rules for .221 were ahead of the rules for .220. I simply reversed the order and both now work just fine.

Not sure why this is but it works and I will take it.
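The two diagnostics the thread turns on are (a) reading the ACME error to see which address the CA actually connected to and what it got back, and (b) finding out which of the two backends answers on each public IP for this hostname. The script below is an added example written for this page, not code from the thread, from Plesk or from Let's Encrypt. It parses the "Detail:" line quoted earlier, drops a throwaway token into the site's webroot, and then fetches the challenge URL from each candidate public IP with the correct Host header, the way the CA does, so a wrong NAT rule or the wrong Nginx instance shows up as a 404 or a foreign body. The webroot layout and the IPs passed on the command line are assumptions; the Detail line is reproduced from the thread as the sample input.

```python
#!/usr/bin/env python3
"""Diagnose a failed Let's Encrypt HTTP-01 challenge from the outside in.

Added example, not the thread's or Plesk's own code. It:
  1. parses the ACME "Detail:" line into the IP the CA connected to, the URL
     it fetched, the token and the status it saw;
  2. writes a random probe token under the webroot (assumed path; Plesk's
     default layout is /var/www/vhosts/<domain>/httpdocs);
  3. fetches that token from each candidate public IP with the site's Host
     header, so you can see which backend answers on which address.
"""
import http.client
import re
import secrets
import socket
import sys
from pathlib import Path

# Constructed sample: the Detail line that Plesk reported in the thread.
SAMPLE_DETAIL = (
    "Detail: 144.202.185.220: Invalid response from "
    "http://opcotest.regulatoryintelligence.com/.well-known/acme-challenge/"
    "1kYPAqd54fFQOuh_sEGK7x4Xbew9YK2nSakUKkKITuI: 404"
)

# "<ip>: Invalid response from <url>: <status>" as Boulder formats HTTP-01 failures.
DETAIL_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): Invalid response from "
    r"(?P<url>https?://(?P<host>[^/:]+)/\.well-known/acme-challenge/(?P<token>[^:\s]+))"
    r": (?P<code>\d{3})"
)


def parse_acme_detail(text):
    """Extract ip, url, host, token and status from an ACME 'unauthorized' Detail line."""
    m = DETAIL_RE.search(text)
    if not m:
        raise ValueError("no HTTP-01 'Invalid response from' detail found")
    d = m.groupdict()
    d["code"] = int(d["code"])
    return d


def challenge_path(webroot, token):
    """Filesystem path the web server must serve for the HTTP-01 URL to succeed."""
    return str(Path(webroot) / ".well-known" / "acme-challenge" / token)


def write_probe_token(webroot):
    """Create a random token file in the webroot; the file body is the token itself."""
    token = secrets.token_urlsafe(32)
    p = Path(challenge_path(webroot, token))
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(token)
    return token


def probe(ip, host, token, timeout=5):
    """GET the challenge URL from one specific IP with the right Host header (like curl --resolve)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    conn.request("GET", f"/.well-known/acme-challenge/{token}",
                 headers={"Host": host, "User-Agent": "acme-http01-probe"})
    resp = conn.getresponse()
    body = resp.read(4096).decode("utf-8", "replace").strip()
    return ip, resp.status, body


def classify(results, expected_body):
    """Map each probed IP to a verdict: serves our token, or what answered instead."""
    verdict = {}
    for ip, status, body in results:
        if status == 200 and body == expected_body:
            verdict[ip] = "serves this site's token"
        elif status == 200:
            verdict[ip] = "HTTP 200 but a different body (another vhost or a catch-all page)"
        else:
            verdict[ip] = f"HTTP {status} (another backend, or no route for this Host)"
    return verdict


if __name__ == "__main__":
    # usage: acme_http01_probe.py <webroot> <file-with-detail-line> <public-ip> [<public-ip> ...]
    webroot, detail_file, *ips = sys.argv[1:]
    detail = parse_acme_detail(Path(detail_file).read_text())
    print(f"CA connected to {detail['ip']} and got HTTP {detail['code']} for {detail['url']}")
    local = sorted({ai[4][0] for ai in socket.getaddrinfo(detail["host"], 80, socket.AF_INET)})
    print(f"local DNS for {detail['host']}: {local}")
    token = write_probe_token(webroot)
    for ip, verdict in classify([probe(ip, detail["host"], token) for ip in ips], token).items():
        print(f"{ip}: {verdict}")
```

Run it from a host outside the firewall (the CA's view, not the LAN's) and pass both public IPs; if the .220 probe reports a 404 or a body from the other server while .221 serves the token, the NAT or the proxy in front of the test server is routing this hostname to the wrong backend, which is exactly the failure the CA saw.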

Is the production server also accessible via those rules?
If so, then I can't explain what the rule order has to do with the previous error.

hmm...
Except, maybe, do you have to restart the router for those rules to take effect?
If so, then maybe the rules you were looking at were not actually the rules being used.
That is my only possible explanation.

You could prove/disprove this theory by reversing the NAT rules once again and see if the problem returns.


Yes, both servers are finally accessible over their individual IPs. It's so weird, but I think you hit the nail on the head. What was in the rules was not what was running, which I find so strange because when I apply any changes it immediately applies the config change.

I changed the order, just to make sure there is no issue, and yes, both servers can still be accessed. Chalk it up to gremlins in my firewall... that surely makes me nervous!
