403 forbidden from nginx but only for some apps after migration

What type of hardware are you using: VPS bought online
What YunoHost version are you running: 12.0.17
How are you able to access your server: The webadmin
SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: I used an automatic migration tool from my hoster to move my VPS from Virtuozzo to KVM

Describe your issue

Forum newbie here but have been using Yunohost for a while. Know basic command line and Linux stuff. I’m posting with a somewhat unusual “nginx 403 forbidden” problem:

My hosting provider Strato has pushed me to migrate my VPS from an old Virtuozzo-based machine to a newer KVM-based one. Their web-based migration process promised that “everything will be as before” after migration, all files will be copied over. The migration threw no error.

There were couple smaller issues I was able to fix myself (like my Yunohost admin user was gone on the new machine), but I struggle with one last weird thing:

Half my apps stopped working, throwing me a 403 permissions error:

Works: Yunohost admin interface, Synapse, Vaultwarden, LSTU link shortener, Wikijs, Readeck

Does not work:

  • Pixelfed just loads an empty page in the browser
  • 2x Wordpress throw an nginx 403
  • Automad throws an nginx 403
  • Nextcloud throws an nginx 403
  • Dovecot fails to load with a TLS handshaking: SSL_accept() failed: error:0A00006C:SSL routines::bad key share in the logs Dovecot logs

With regard to 403 I checked the folder permissions and ownership in /var/www which I assume each should have their own name as user and group. Except Synapse, all those that did not work had a group ownership called tape. I changed it back to their respective name, with e.g. chown -R nextcloud:nextcloud /var/www/nextcloud and reloaded nginx but the permissions error persists.

With regard to Dovecot I noticed Yunohost diagnosis says port 993 was closed but when I do:

$ sudo nmap -sU -p 993 xx.xx.xx.xx
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-20 17:48 CEST
Nmap scan report for my.domain.net (xx.xx.xx.xx)
Host is up (0.15s latency).

PORT STATE SERVICE
993/udp open|filtered imaps

If anyone has an idea what else I could try to understand what’s wrong with those apps, I’d be incredibly grateful! Please let me know if you need any more data or logs and a big thank you already or reading this!

Share relevant logs or error messages

Nginx needs access to the apps files so you have to change ownership (and maybe permissions). For example, for Nextcloud :

chown -R nextcloud:www-data /var/www/nextcloud

And did you try

yunohost tools regen-conf dovecot

Try force-upgrading the apps with sudo yunohost app upgrade <theapp> -F
This will make sure all the permissions are set correctly.

In YunoHost 12.1 (still in testing), there will be a button for that in each app page in the webadmin.

If the issue remains, please share the NGINX <domain>-error logs.

Oh thanks a million @tituspijean for this super straight forward solution. Force-updating those apps did indeed fix the permissions problem!

The only open problem that remains is dovecot which refuses to start. I first thought it might be a port 993 problem (maybe my VPS hoster blocking it but they confirmed to me today they do not), but now I think there must be another reasons. The logs throw all those TLS/SSL handshake errors wrong version numbers but I cannot quite make sense of it. :grimacing:

Edit: Adding this oddity from the admin panel which argues my Dovecot has been “inactive since over 55 years” :thinking:

Edit for @otm33: Unfortunately yunohost tools regen-conf dovecot did not solve it. Dovecot still refuses to start. :frowning:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.