Let’s Encrypt 403 Forbidden failed authorization procedure

Context

Here are some things you need to know before reading any further.

  • Domain purchased from Google Domains
  • Correctly configured the nameservers to point to my VPS
  • dig and nslookup commands return the correct DNS configuration
  • Apache on Ubuntu

Failed authorization procedure

I spent almost 2 days trying to find a solution to Let's Encrypt certificates not being fully installed on Ubuntu with Apache.

I would run ./certbot-auto and as soon as it reached the Cleaning up challenges step it would output something like this:

Failed authorization procedure. www.coctel.club (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.coctel.club/.well-known/acme-challenge/XXX:

From what I could gather, several things can trigger this error: permissions, a badly configured domain, closed ports...

Apache 403 Forbidden

I tried everything I could find without any luck: giving permissions to the manually created /.well-known/acme-challenge/ folder, or trying to serve a file from the outside. That part was working, no problems there.

However, during the process I would still get the irritating 403.

Domain: coctel.club
Type:   unauthorized
Detail: Invalid response from

Specify a webroot path

I still don't know if it was because the domain has this cool ".club" ending instead of the typical ".com", but I needed to specify --webroot-path or its alias -w.

To avoid hitting my rate limit I added --dry-run to the command, to make sure I got it right before requesting the certificate for real.

I'm very inclined to think it's the domain itself. I have 3 other domains (ending in .com and .cat) running on the same VPS, with the same Apache virtual host configuration, and they can be renewed without having to specify the webroot path.

Here's the magical command:

./certbot-auto certonly --webroot -w /var/www/coctel.club/web/ -d www.coctel.club -d coctel.club

After running this, the only thing left to do is to add the chain and key file to the site's Apache virtual host configuration.

Message from the bot:

- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.coctel.club/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.coctel.club/privkey.pem

Add the following lines:

SSLCertificateFile /etc/letsencrypt/live/www.coctel.club/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.coctel.club/privkey.pem

I hope this might help you out. Good luck!

UPDATE (November 19th): the --apache plugin no longer works for any of my domains when running the bot. I'm now using --webroot. The downside is that I have to manually copy and paste the certificate paths into each virtual host file (even if I just have 1 certificate covering all the domains).

UPDATE (April 2019): Be careful if the domain or subdomain redirects from port :80 to HTTPS on port :443.
My previous rewrite rules were causing problems (unauthorized).
This rule in my .conf file works:

RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
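A pre-flight check for the two problems described above (a wrong webroot path passed to -w, and a port :80 redirect rule that gets in the way of the http-01 challenge), added here as an example that is not part of the original post: it drops a token file into the webroot you intend to use, fetches it over plain HTTP following redirects the way the Let's Encrypt validator does, and reports the status code the web server actually returned. The local http.server, temp directories and the function names are assumptions so the demo runs offline; on a real host you would call check_webroot() with the -w path and http://www.yourdomain as arguments.

```python
import functools, http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # where certbot -w places the http-01 token

def write_token(webroot):
    """Drop a random token file where certbot would put the challenge file."""
    token = secrets.token_urlsafe(16)
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(token)
    return token, path

def fetch(url):
    """GET url over plain HTTP, following redirects like the ACME validator does."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:  # 403 / 404 from Apache: reported as-is
        return e.code, ""
    except urllib.error.URLError as e:   # DNS failure, closed port, etc.
        return 0, str(e.reason)

def check_webroot(webroot, base_url):
    """Return (ok, status); ok means the token came back unchanged with HTTP 200."""
    token, path = write_token(webroot)
    try:
        status, body = fetch(f"{base_url}/{CHALLENGE_DIR}/{token}")
    finally:
        os.remove(path)  # certbot cleans up its challenge file too
    return status == 200 and body.strip() == token, status

def demo_local():
    """Offline demo (constructed): serve a temp dir, then check the right and a wrong webroot."""
    good, wrong = tempfile.mkdtemp(), tempfile.mkdtemp()
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=good)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return check_webroot(good, base), check_webroot(wrong, base)  # (True, 200), (False, 404)
    finally:
        srv.shutdown()

if __name__ == "__main__":
    print(demo_local())
```

A status of 403 on the real host points at Apache permissions or a Require directive on the challenge directory, while a 404 with a 200 from the local demo usually means the -w path is not the directory the virtual host actually serves.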

Comments

  1. I ran into this problem yesterday too.
    I’m running ubuntu 16.04 with Apache version 2.4.18
    Thanks for the tip, it worked great.

    For anyone else using certbot for the first time, you need to add the following to your apache virtual host config file (/etc/apache2/sites-available):

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.yourdomain.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
  2. Hi Rick,

    Thank you very much for this post. I was struggling with this error for days and your command line saved me. 🙂

    Strangely I have other domains on the same server with no problem at all. And I renewed the problematic domain before too.

    Well, but now it’s solved, thanks to you.
