Here are some things you need to know before reading any further.
- Purchased from Google Domains
- Correctly configured the nameservers to point to my VPS
- dig and nslookup commands return correct DNS configuration
- Apache on Ubuntu
Failed authorization procedure
I spent almost 2 days trying to find a solution to Let's Encrypt certificates not being fully installed on Ubuntu with Apache.
I would run ./certbot-auto and as soon as it got to the "Cleaning up challenges" step it would output something like this:
From what I could gather, several things can trigger this error: permissions, a badly configured domain, closed ports...
Apache 403 Forbidden
I tried everything I could find, without any luck: giving permissions to the manually created /.well-known/acme-challenge/ folder, or serving a test file from it to an outside client. That was working, no problems there.
However, during the process I would still get the irritating 403.
Detail: Invalid response from
Specify a webroot path
I still don't know whether it was because the domain has this cool ".club" ending instead of the typical ".com", but I needed to specify --webroot-path or its alias -w.
To avoid hitting the rate limit, I added --dry-run to the command to make sure I had it right before requesting the certificate for real.
I'm very inclined to think it's the domain itself. I have 3 other domains (ending in .com and .cat) running on the same VPS, with the same Apache virtual host configuration, and they can be renewed without having to specify the webroot path.
Here's the magical command:
After running this, the only thing left to do is to add the chain and key file to the site's Apache virtual host configuration.
Message from the bot:
- Congratulations! Your certificate and chain have been saved at:
  Your key file has been saved at:
Add the following lines:
I hope this might help you out. Good luck!
UPDATE (November 19th): the --apache plugin no longer works for any of my domains when running the bot. I'm now using --webroot. The downside is that I have to manually copy and paste the certificate into each virtual host file (even though I have just one certificate covering all the domains).
UPDATE (April 2019): be careful if the domain or subdomain redirects port :80 to HTTPS :443.
My previous rewrite rules were causing problems (unauthorized).
This rule in my .conf file works:
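The post does not reproduce its own rule or its virtual host lines, so the following is an added example, not the author's configuration. It ties together the two edits described above: the port-80 virtual host excludes /.well-known/acme-challenge/ from the HTTPS redirect so the validation request gets the token instead of a 3xx or 403, and the port-443 virtual host points at the chain and key files certbot writes. The domain example.club, the DocumentRoot /var/www/example.club and the certbot invocation in the comment are placeholders; the /etc/letsencrypt/live/ layout is certbot's default.

```apache
# Added example (not the post's own .conf). Placeholders: example.club,
# /var/www/example.club. Certificate assumed to have been issued with the
# webroot plugin, e.g.:
#   certbot certonly --webroot -w /var/www/example.club -d example.club --dry-run

<VirtualHost *:80>
    ServerName example.club
    DocumentRoot /var/www/example.club

    # Make sure the challenge directory is readable over plain HTTP.
    <Directory /var/www/example.club/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    # Leave /.well-known/acme-challenge/* on HTTP; redirect everything else.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.club
    DocumentRoot /var/www/example.club

    SSLEngine on
    # Apache 2.4.8+ reads the intermediate chain from fullchain.pem,
    # so no separate SSLCertificateChainFile is needed.
    SSLCertificateFile    /etc/letsencrypt/live/example.club/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.club/privkey.pem
</VirtualHost>
```

This needs mod_rewrite and mod_ssl enabled (a2enmod rewrite ssl on Ubuntu). Run apache2ctl configtest before reloading, and re-run certbot with --dry-run afterwards to confirm the challenge path is still answered with the token rather than a redirect.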