Here are some things you need to know before reading any further.
- Domain purchased at Google Domains
- Correctly configured the Nameserver to point to my VPS
- dig and nslookup commands return correct DNS configuration
- Apache on Ubuntu
Failed authorization procedure
I spent almost 2 days trying to find out why Let's Encrypt certificates were not being fully installed on Ubuntu with Apache.
I would run ./certbot-auto and as soon as it got to the "Cleaning up challenges" step it would output something like this:
From what I could gather there are multiple things that can trigger this error: permissions, a badly configured domain, closed ports...
Apache 403 Forbidden
I tried everything I could find without any luck: giving permissions to the manually created /.well-known/acme-challenge/ folder, or trying to serve a file from it from the outside. That was working, no problems there.
However, during the process I would still get the irritating 403.
Domain: coctel.club
Type: unauthorized
Detail: Invalid response from
Specify a webroot path
I still don't know if it was because the domain has this cool ".club" ending instead of the typical ".com", but I needed to specify --webroot-path or its alias -w.
To avoid hitting my rate limit I added --dry-run to the command to make sure I got it right before requesting the certificate for real.
I'm very inclined to think it's the domain itself. I have 3 other domains (ending in .com and .cat) running on the same VPS, with the same Apache virtual host configuration, and they can be renewed without having to specify the webroot path.
Here's the magical command:
After running this, the only thing left to do is to add the chain and key file to the site's Apache virtual host configuration.
Message from the bot:
Add the following lines:
SSLCertificateFile /etc/letsencrypt/live/www.coctel.club/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.coctel.club/privkey.pem
I hope this might help you out. Good luck!
UPDATE (November 19th): the --apache plugin no longer works for any of my domains when running the bot. I'm now using --webroot. The downside is that I have to manually copy and paste the certificate paths into each virtual host file (even though I only have 1 certificate covering all the domains).
UPDATE (April 2019): Be careful if the domain or subdomain has a redirect from port :80 to HTTPS on port :443.
My previous rewrite rules were causing problems (unauthorized).
This rule in my .conf file works:
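The following pre-flight check is an added example, not the author's command or rewrite rule: it drops a throwaway token into the webroot and fetches it over plain HTTP the way the CA does, then tells apart the three failures discussed above (403 from permissions or a wrong -w, 404 from a webroot that is not the vhost's DocumentRoot, and a :80 to :443 redirect swallowing the challenge path). The domain and webroot in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Pre-flight check for the HTTP-01 challenge, run before certbot (or with --dry-run).
set -u

# diagnose STATUS [REDIRECT_URL]: translate curl's result into a verdict.
# Returns 0 only when the challenge file is reachable as the CA needs it.
diagnose() {
  local code=$1 redirect=${2:-}
  case "$code" in
    200) echo "OK: challenge file served over plain HTTP"; return 0 ;;
    301|302|307|308)
      echo "REDIRECT to ${redirect}: the :80 -> :443 rewrite also catches"
      echo "  /.well-known/acme-challenge/; exclude that path from the rule"
      return 2 ;;
    403) echo "FORBIDDEN: Apache may not serve this path (check -w/--webroot-path,"
         echo "  the Directory/Require block and file ownership)"; return 3 ;;
    404) echo "NOT FOUND: the webroot given to certbot is not the DocumentRoot"
         echo "  Apache uses for this domain"; return 4 ;;
    *)   echo "UNEXPECTED HTTP ${code}"; return 1 ;;
  esac
}

# check_webroot DOMAIN WEBROOT: write a random token, fetch it like the CA, clean up.
check_webroot() {
  local domain=$1 webroot=$2
  local dir="$webroot/.well-known/acme-challenge"
  local token
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  mkdir -p "$dir" || return 1
  echo "probe" > "$dir/$token" && chmod 644 "$dir/$token" || return 1
  # -w prints "<status> <redirect_url>"; without -L a redirect is reported, not followed
  local result
  result=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' \
           "http://$domain/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  # word-split on purpose: first word is the status, second (optional) the URL
  diagnose $result
}

# Usage with placeholder values:  check_webroot example.com /var/www/example.com
```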
Thank you very much for this post. I was struggling with this error for days and your command line saved me. 🙂
Strangely I have other domains on the same server with no problem at all. And I renewed the problematic domain before too.
Well, but now it’s solved, thanks to you.
Glad it helped!
I ran into this problem yesterday too.
I’m running Ubuntu 16.04 with Apache version 2.4.18.
Thanks for the tip, it worked great.
For anyone else using certbot for the first time, you need to add the following to your apache virtual host config file (/etc/apache2/sites-available):
Glad it helped, and thanks for sharing your snippet Ian!