Error 403 on Let's Encrypt request

Hi all,
I requested an LE cert for Webmin and virtual hosts, but it shows error 403 when challenged.
I am using a fresh install of CentOS 8 on DigitalOcean.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for to.website.id
Using the webroot path /home/to/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain to.website.id
http-01 challenge for to.website.id
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: to.site.id
   Type:   unauthorized
   Detail: Invalid response from
   http://to.website.id/.well-known/acme-challenge/GBHA46mREDUe7RQ9k82OkBySRWD8QUyS7aZBDTrRxIQ
   [165.22.52.184]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Fix that and it should be fine.

I too have been recently experiencing Let's Encrypt certificate generation failures on fresh installs of Webmin 1.492 and Virtualmin 6.09. Thought I should mention it, for what it's worth.

@technicalw, accessing that IP (not the FQDN, as you didn't provide it) shows that you've edited the config and are (currently) returning a custom 403 response:

Forbidden to enter

You don’t have permission to access / on this server. and so on and so on

This makes me think that you've done this in a way which is overriding Apache's default web serving ability (did you edit a *:80 virtualhost?). Certbot (the LE certificate renewer) relies on public access to public_html for the domain to complete web authentication.

Either use DNS-based challenge/response or fix your Apache configuration to permit access by the Let’s Encrypt servers.

For the default server (Webmin GUI), Webmin > Webmin Configuration > SSL Encryption > Let’s Encrypt tab, choose “Use DNS domains for validation”.

For Virtualmin sites, each uses their own Let’s Encrypt setup, in Virtualmin > Server Configuration > SSL Certificate > Let’s Encrypt.

As far as I can tell from using Virtualmin, the virtualhost Let’s Encrypt section only offers HTTP challenge-response. I’ve never tested to see if it falls back to DNS because I have public sites on every virtualhost.

It would be nice if virtual site Let’s Encrypt configuration could obviously support DNS challenge-response, so we could request wildcard domains for virtualhosts.

The problem you have is mentioned in the paste you posted here: the error message tells you what you have to do to get SSL from them…

Read the error messages. It does help a lot.

DNS is set correctly in Cloudflare with A records of:
site.com = my IP
*.site.com = my IP
All of them are DNS only, not proxied. If I use proxied, then it ends up in a "too many redirects" error (when I look in the console it is error 302).
I can open my websites using the domain normally.

It is actually an index.html with HTML code copied from the Chrome error page and modified a bit, so I know that it is able to open an HTML page normally. So, no, I don't have the ability to override Apache's default web serving ability :laughing:

I don't find the guide on using LE's DNS-based challenge helpful. If you can direct me to a good tutorial on LE's DNS-based challenge, it would be much appreciated.

This is probably Apache-related. Check your configs and Apache logs to find what's causing it. Maybe you were blocking all hidden files/dirs, or something…
If not, then maybe it's Cloudflare-crap related: https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare


It was because the .well-known folder did not exist. I created a .well-known folder with permission 0755 in public_html, then requested the certificate. Now I have added a .well-known folder to the skel directory and every virtual server is able to get LE's certificate.

Ah :slight_smile:

I use DNS challenges on another server (not Virtualmin) because I need wildcards. I have to do it in manual mode, so a nice little activity every 3 months…

You run certbot to request an updated certificate (or to issue a new one) and provide the domains/wildcard domains. For each unique domain, certbot provides an alphanumeric string which you must add to a TXT record for the domain called _acme-challenge.<domain.tld>.

When done, certbot instructs the LE verification servers to query each domain's nameserver to check for a matching record, and if it exists, certbot is issued the certificate. Certbot does the rest automatically, generating and replacing the private key and cert chain in your system's PKI folder. Then you just have to restart the services using the cert and off you go.

It’s more involved than web-based verification but AFAIK it’s still the only way you can get wildcards (*.example.com to cover all subdomain permutations).
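Two details the thread leaves implicit are what Let's Encrypt actually expects to find at /.well-known/acme-challenge/<token> (which is why a 403 page body, or any HTML body, fails http-01 no matter how the DNS records look) and how the TXT string for the DNS challenge described above is derived from the same material. The Python below is an added example, not code from this thread, from Webmin/Virtualmin or from certbot: it implements the key authorization and account-key thumbprint from RFC 8555 and RFC 7638, stages the http-01 file in a webroot with the 0755 directory and 0644 file permissions the .well-known fix earlier in the thread relied on, and runs a pre-flight permission check that reproduces the "missing .well-known" failure. SAMPLE_JWK is a constructed stand-in, not a real account key; SAMPLE_TOKEN reuses the token string from the certbot log at the top of the thread.

```python
# Added example: ACME challenge values and a webroot pre-flight check.
# Not code from the thread, Webmin/Virtualmin or certbot. SAMPLE_JWK is a
# constructed stand-in for an ACME account key; SAMPLE_TOKEN is the token
# string from the certbot log in the thread.
import base64
import hashlib
import json
import os
import stat
import tempfile


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only the required public members take part in the thumbprint.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members, serialised with sorted keys and no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the http-01 URL must return."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value published at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def http01_response_ok(token: str, jwk: dict, status: int, body: str) -> bool:
    """The CA's check: HTTP 200 and a body equal to the key authorization.
    A 403 page, or any HTML, fails regardless of how the DNS is set up."""
    return status == 200 and body.strip() == key_authorization(token, jwk)


def stage_http01_file(webroot: str, token: str, jwk: dict) -> str:
    """Create the challenge file the way a webroot authenticator does.
    Directories are forced to 0755 and the file to 0644 so Apache can traverse
    and read them regardless of the process umask."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    os.chmod(os.path.dirname(challenge_dir), 0o755)
    os.chmod(challenge_dir, 0o755)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    os.chmod(path, 0o644)
    return path


def challenge_dir_servable(webroot: str) -> tuple:
    """Pre-flight for the 403 in the thread: .well-known and acme-challenge must
    exist and be world-executable (the parents above the webroot need +x too)."""
    path = webroot
    for part in (".well-known", "acme-challenge"):
        path = os.path.join(path, part)
        if not os.path.isdir(path):
            return False, f"missing directory {path}"
        if not os.stat(path).st_mode & stat.S_IXOTH:
            return False, f"{path} is not world-executable"
    return True, "ok"


# Constructed sample inputs: not a real account key; token taken from the thread's log.
SAMPLE_JWK = {"kty": "RSA", "n": "constructed-modulus-for-the-example", "e": "AQAB"}
SAMPLE_TOKEN = "GBHA46mREDUe7RQ9k82OkBySRWD8QUyS7aZBDTrRxIQ"


def demo_in_tempdir() -> dict:
    """Stage the file in a throw-away webroot, run the pre-flight, read the body back."""
    webroot = tempfile.mkdtemp(prefix="public_html-")
    before = challenge_dir_servable(webroot)
    path = stage_http01_file(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
    after = challenge_dir_servable(webroot)
    with open(path, encoding="ascii") as fh:
        body = fh.read()
    return {"before": before[0], "after": after[0], "body": body,
            "dns_txt": dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)}


if __name__ == "__main__":
    result = demo_in_tempdir()
    print("http-01 body:", result["body"])
    print("dns-01 TXT  :", result["dns_txt"])
    print("pre-flight before/after staging:", result["before"], result["after"])
```

For the manual DNS flow described in the post above, the certbot invocation is `certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'`; certbot prints the TXT value itself, so `dns01_txt_value` here is for understanding and cross-checking (for example against `dig +short TXT _acme-challenge.example.com` before telling certbot to continue), not for replacing it. The pre-flight check only covers the two directories the thread's fix created; the account's home directory and public_html need the same world-executable bit or Apache will still answer 403.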


Your problem with .well-known not existing is odd, when I’ve used Virtualmin to request new LE certificates for new domains it’s always been able to create the folder structure automatically. What are your permissions on the public_html dirs?
