Using certbot --apache ends with error 503 (or 403)

Dear community,

I'm trying to set up a certificate for a new domain and a new webserver. The server is a standard Apache (currently you will only see the default page). SSL is enabled. The ports 443 and 80 are reachable, and you get the http and https page (sure ... currently "insecure").

My domain is: wiki.wsi.med.uni-muenchen.de (138.244.128.5)

I ran this command: sudo certbot --apache (but running it with sudo certbot --manual certonly brings up the same error)

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

My web server is (include version): Apache (installed in WSL1), but the problem also appears on a virtual machine with Ubuntu and Apache installed

The operating system my web server runs on is (include version): WSL1 (Windows 10 Professional)

My hosting provider, if applicable, is: local workstation

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I've attached the console output and the related log file.
certbot-output.txt (1.3 KB)
letsencrypt.txt (20.9 KB)

Help would be really nice, I've tried many things, but always end up with this error.

Welcome to the community @Laiss

Thanks for the nice problem description. A strong possibility is that you are being blocked by a Palo Alto brand firewall. We saw many similar problems starting about a year ago but haven't seen them much lately.

See an earlier post of mine for more info (link here)

In that one the error was a "reset by peer", but sometimes we also saw a 503, depending on the model and software version of the Palo Alto device.

Your symptoms are that this returns an expected 404:

curl -I http://wiki.wsi.med.uni-muenchen.de/.well-known/Test123
HTTP/1.1 404 Not Found
Date: Wed, 10 May 2023 14:01:55 GMT
Server: Apache/2.4.52 (Ubuntu)

But if I use a user-agent similar to what Let's Encrypt uses, it fails with a 503:

curl -I http://wiki.wsi.med.uni-muenchen.de/.well-known/acme-challenge/Test123 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 503 Service Unavailable
P3P: CP="CAO PSA OUR"

(various other headers removed for readability)

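The two curl requests in the reply above, automated so the comparison can be repeated after each firewall change. This is an added example, not code from the thread or from certbot. It assumes a nonexistent token (the post's "Test123") so that a 404 from the origin is the healthy answer, and the `LETSENCRYPT_UA` string is modelled on the one quoted above; the function names `probe_challenge_path` and `classify` are this example's own.

```python
#!/usr/bin/env python3
"""Probe an HTTP-01 challenge path with two different User-Agent strings.

Added example, not code from the thread or from certbot. A 404 for a token
that does not exist is the healthy answer from the origin. A 404 for a
generic client but a 503/403 or a connection reset for the Let's Encrypt
style User-Agent points at a middlebox that filters on the UA or on the
/.well-known/acme-challenge/ path rather than at Apache itself.
"""
import sys
import urllib.error
import urllib.request

# A generic UA and one modelled on the Let's Encrypt validator UA quoted in
# the thread. The real validator's UA may change, so treat this as an
# approximation (assumption of this example), not as a guarantee that the
# CA will be treated identically.
GENERIC_UA = "Mozilla/5.0 (compatible; acme-path-probe)"
LETSENCRYPT_UA = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
                  "+https://www.letsencrypt.org)")


def fetch_status(url, user_agent, timeout=10):
    """HEAD the URL; return the HTTP status code, or an 'error: ...' string
    when no HTTP response came back at all (timeout, reset, DNS failure)."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code            # a 4xx/5xx still carries a status code
    except urllib.error.URLError as exc:
        return f"error: {exc.reason}"
    except OSError as exc:         # e.g. ConnectionResetError, socket.timeout
        return f"error: {exc}"


def probe_challenge_path(hostname, token="Test123"):
    """Request http://<host>/.well-known/acme-challenge/<token> with both UAs.
    The token is deliberately a file that does not exist, so the origin
    should answer 404 in both cases."""
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    return {
        "generic": fetch_status(url, GENERIC_UA),
        "letsencrypt": fetch_status(url, LETSENCRYPT_UA),
    }


def classify(results):
    """Interpret a probe result dict.

    ok           both requests reach the origin and get the expected 404
    ua-filtered  the generic UA gets 404 but the validator-style UA does
                 not (503, 403, or no HTTP response at all)
    blocked      both requests fail the same way, so the path (or the
                 whole host) is unreachable regardless of UA
    inconclusive anything else, e.g. a catch-all 200 that hides whether
                 the real challenge file would be served
    """
    generic, le = results["generic"], results["letsencrypt"]
    if generic == 404 and le == 404:
        return "ok"
    if generic == 404:
        return "ua-filtered"
    if generic == le and generic != 200:
        return "blocked"
    return "inconclusive"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "wiki.wsi.med.uni-muenchen.de"
    res = probe_challenge_path(host)
    for name, status in res.items():
        print(f"{name:12s} {status}")
    print("verdict:", classify(res))
```

Run it as `python3 probe.py your.host.example`. Two caveats: Let's Encrypt validates from several vantage points, so a probe from inside your own network can come back "ok" while the CA's requests are still blocked at the perimeter; and a UA-based test only proves that the middlebox discriminates on the UA, not that this is the only rule in play, so a "blocked" verdict deserves a look at the firewall's own logs for the acme-challenge path, as the firewall admin did in this thread.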


Lovely ... Like a charm ... not sure if this will bring the solution, but yes, our provider has been using Palo Alto for 2 years. And having a way to replicate this problem is awesome.

Until now I thought I was going crazy.

I will report the outcome.

Best regards

Markus


Well, it was indeed simple to solve for those who knew what the problem was.

In the end, with the hints, the IT specialist for the firewall enabled the acme-challenge protocol for ports 80 and 443 (I was not aware that this has to be permitted separately in the firewall ... I thought "well, please open 80 and 443 for this server, and we will do the rest"). They noticed these in the logs.

So I was able to set up a certificate for our domain, which is now online.

Best regards and many thanks

Markus

