The DNS query to "x" for the DCV challenge returned no TXT record that matches the value "x" with the following error: 403 (Forbidden)


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: test.myobjectives.com

AutoSSL certificate expiry on 10/24/18 UTC. AutoSSL did not renew the certificate for “test.myobjectives.com”. You must take action to keep this site secure. The “LetsEncrypt” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems: DNS DCV: The DNS query to “_cpanel-dcv-test-record.myobjectives.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=UPWDWWC9vSNvaNvmCstap0a9S4emriermIV2HGE4mzBQ762PKm2JuaOR21V3kpTu”.; HTTP DCV: The system queried for a temporary file at “http://test.myobjectives.com/.well-known/acme-challenge/MDYAEZAURRBNPXZWPRIIMMXHBJR5QNP7”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.

Note: We have a half-dozen websites on this VPS using Let’s Encrypt SSLs, all auto-renewed; only this one did not renew for some reason. We do have a temporary IP lock on this URL as it is a development site (it will probably show “host unreachable” if you try to reach this url from your location). Don’t understand the SSL renewal error though, it’s not the only site we have the IP-lock on and the other sites renewed, any help is appreciated!

My web server is (include version): CENTOS 6.10 v74.0.9

The operating system my web server runs on is (include version): Linux + Apache CGI PHP 7.2

My hosting provider, if applicable, is: Bluehost

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes / full WHM & cPanel


#2

Hi,

Do you own the cPanel? (Do you have root access to that server?)

If so, please check on your WHM -> AutoSSL logs. (also could you please check if “route all challenges to a system .well-known folder” is enabled?)

Thank you


#3

Thank you for the response Steven, I appreciate your time sir.

I do have access to the cpanel & WHM. The AutoSSL logs are full of errors for all the domains. Here’s a copy of the AutoSSL logs related to the domain in question:

8:09:05 PM Analyzing “test.myobjectives.com” …
8:09:05 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 10/24/18, 2:04 AM UTC (1.96 days from now)
ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.
WARN Local HTTP DCV error (test.myobjectives.com): The system queried for a temporary file at “http://test.myobjectives.com/.well-known/acme-challenge/7C6Q0V5SJWSTH__7VMU6EO1PC9XRGT-O”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.

The warning mirrors what we saw in the email, I do not understand what it is saying. We are able to access the website just fine.

(also could you please check if “route all challenges to a system .well-known folder” is enabled?)

Can you tell me where I can enable this? I’m in the “Manage AutoSSL” option in WHM and do not see this option. We use Bluehost, they have their own version of cPanel. I can manage my SSLs from here and inside this module I can see my SSL but no option to enable routing all challenges to .well-known folder.

Thanks again!


#4

Additional information if it’s helpful: The site is running WordPress and we’re using the Really Simple SSL plugin to force https.


#5

To simplify things, this plugin should exclude http requests to the /.well-known/acme-challenge/ folder.


#6

To simplify things, this plugin should exclude http requests to the /.well-known/acme-challenge/ folder.

I don’t believe Really Simple SSL goes that deep. It’s an “install, turn it on and forget it” type of plugin.

The only options it has are:

  • Auto replace mixed content (enabled)
  • Enable WordPress 301 redirection to SSL (enabled)
  • Enable 301 .htaccess redirect (disabled)
  • Enable Javascript redirection to SSL (disabled)
  • Debug (disabled)
  • Stop editing the .htaccess file (disabled)
  • Switch mixed content fixer hook (disabled)

That’s all they give us on that plugin. I don’t know if this is the source of our issues, I was including this information if it was of help in troubleshooting (as I believe it has altered our htaccess file).

To your point, how do I exclude requests to the /.well-known/acme-challenge/ folder? I have sublime text editor and FTP access, I can make changes if need be - I just need to be told what to do. :wink:

Thanks!


#7

I would disable it there and handle it specifically within the web server.


#8

10-4, can do.

Any ideas on the errors on our certificate?


#9

403 permission denied.

So we need to simplify things before we can know exactly when/where/why things are failing.

Please place a test.txt file at:
http://test.myobjectives.com/.well-known/acme-challenge/test.txt


#10

403 permission denied.

We had an IP block on the site because it was a development site. I just temporarily disabled this for our troubleshooting purposes. On that note, thanks for your time.

I just created that file and placed it on the server. I temporarily disabled the Really Simple SSL plugin. I am able to get to that file by clicking the link.


#11

I don’t get a file from:
http://test.myobjectives.com/.well-known/acme-challenge/test.txt
“404 not found”

Once that file is accessible from the Internet, try getting a cert for:
-d test.myobjectives.com


#12

I don’t get a file from:
http://test.myobjectives.com/.well-known/acme-challenge/test.txt
“404 not found”

Hm, I am properly confused. The file is there. I am able to load it from an incognito window. Even when I click your link it opens in a new window for me. We did have an IP block installed up until a minute ago, would it be a cache issue?

try getting a cert for:
-d test.myobjectives.com

Is this a CLI command?


#13

Are you able to renew the certificate while the IP block is disabled? (I believe there should be an option under “SSL/TLS Status” to make it retry immediately, though I don’t use cPanel myself)


#14

I am able to get the file now.
By “-d test.myobjectives.com”
I meant try to get a cert for the domain: test.myobjectives.com


#15

I tried manually renewing via CLI in WHM.

./certbot-auto --apache -d test.myobjectives.com

It went through the steps. I got an error after agreeing to TOS and sharing my email question, cleaning up challenges section:

File:
- Could not be found to be deleted /etc/httpd/conf.d/le_http_01_challenge_pre.conf - Certbot probably shut down unexpectedly
File:
- Could not be found to be deleted /etc/httpd/conf.d/le_http_01_challenge_post.conf - Certbot probably shut down unexpectedly

An unexpected error occurred:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
    load_entry_point('letsencrypt==0.7.0', 'console_scripts', 'letsencrypt')()
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1124, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 126, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/configurator.py", line 2280, in perform
    http_response = http_doer.perform()
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/http_01.py", line 72, in perform
    self._mod_config()
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/http_01.py", line 118, in _mod_config
    with open(self.challenge_conf_pre, "w") as new_conf:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/httpd/conf.d/le_http_01_challenge_pre.conf'

Odd it is saying these files aren’t there, we currently have Let’s Encrypt on the site although I have temporarily turned off the forcing of https.

Thanks everyone for your time.


#16

The current cert expires tomorrow…
Were you able to renew it?

Perhaps the version of certbot needs updating…
Please show:
./certbot-auto --version

And did you try with “sudo” ?
sudo ./certbot-auto --apache -d test.myobjectives.com


#17

I was unable to renew.

We have certbot version 0.27.1.

I tried running renew as sudo, same errors. Hm.


#18

Hi folks,

Next morning update: Overnight I received an email that AutoSSL had successfully renewed the DV certificate for the site, which tells me the previous failures were probably related to the temporary IP block/filter we had installed.

Good to know. I’m putting that information out here in case others have a similar issue in the future and find this thread in a search.

Thanks everyone for your assistance yesterday.
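
Added example, not part of the thread and not cPanel's or Bluehost's own configuration: one way to keep an IP lock on a development site while leaving the HTTP-01 challenge path reachable, so the DCV request for `/.well-known/acme-challenge/` is not answered with the 403 (Forbidden) seen above. It assumes Apache 2.4 `Require` syntax with the default `AuthMerging Off`; the address `203.0.113.10` and the `/home/USER/public_html` docroot are placeholders.

```apache
# Constructed example. Assumptions: Apache 2.4 authorization directives,
# default "AuthMerging Off", placeholder IP and docroot.

# --- Before: the IP lock covers every path under the docroot ----------
# The CA's validation request for /.well-known/acme-challenge/<token>
# comes from an address that is not on the allowlist, so Apache answers
# 403 (Forbidden) and renewal fails, while the site still loads fine
# from the allowlisted office address.
<Directory "/home/USER/public_html">
    Require ip 203.0.113.10
</Directory>

# --- After: same lock, with the challenge directory exempted ----------
# <Directory> sections are merged from the shortest path to the longest,
# and with AuthMerging Off the Require in the longer section replaces
# the inherited one. Only the token directory becomes public; the rest
# of the development site stays behind the allowlist.
<Directory "/home/USER/public_html">
    Require ip 203.0.113.10
</Directory>
<Directory "/home/USER/public_html/.well-known/acme-challenge">
    Require all granted
</Directory>

# --- .htaccess variant (no access to the server configuration) --------
# Needs "AllowOverride AuthConfig" for the docroot.
#
# /home/USER/public_html/.htaccess
#     Require ip 203.0.113.10
#
# /home/USER/public_html/.well-known/acme-challenge/.htaccess
#     Require all granted
```

To confirm the exemption, request a test file under the challenge path from a network that is not on the allowlist; a request from the allowlisted address succeeds either way and proves nothing.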


#19

FYI:

Do not use certbot or certbot-auto when you have cPanel. It might end up breaking the configuration of the site.