Status 403 When Trying to Renew Certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Prefer not to list

I ran this command: auto cert renewal

It produced this output: status 403

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: Self Hosted with CloudFlare DDNS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): ACME V2.1.20

Not sure what change was made recently if it was Cloudflare or LetsEncrypt but I always used Cloudflare with Proxying on to protect my public IP on my WebHost... Never had issues with auto cert renewal before. I have a dynamic IP and I'm using Cloudflare's DDNS tool to keep my DNS up to date with Cloudflare. I verified my IP address is reflecting properly on Cloudflare and locally. The auto-renewal script is failing with the Status 403 error. I rechecked all my DNS settings no issues were found. As a test, I removed one of my sites from Proxing IP and attempted to renew again. This time it worked.

It appears Cloudflare Proxying is preventing renewals from working, however no changes were made on my end. Why is this only starting to happen now? My renewals have been working for over two years now with zero issues?... See image below. it appears to be unable to find the challenge directory. However, clearly 80 and 443 are open and again, it works fine with Cloudflare Proxing turned off.


Update. I figured out the issue. Some how Cloudlfare SSL/TLS option got changed from "Flexiable" to "Full" I dont know when/why this was changed and I also dont know why "Full" would cause it to stop renewing when you are literally just renewing the cert used for Cloudflare to Server connection. (maybe since the cert isnt uploaded directly to Cloudflare so it doesn't know it from the server side?)

In either case it appears to be working now and all certs are renewed.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.