Let's Encrypt certificate install failed for subdomain.domain.tld 403


My YunoHost server

Hardware: VPS bought online…
YunoHost version: 11.2.27
I have access to my server : Through SSH | through the webadmin…
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Haven’t added a new domain/subdomain in a while, but I tried doing that yesterday and could not manage to get Let’s Encrypt certificates installed.

I keep running into the error below. I have tried doing it for test subdomains of domain1.tld, domain2.tld and domain3.tld, but none of them work.

ERROR - Wrote file to /var/www/.well-known/acme-challenge-public/sGgHISEKiblaUBO0JS4x1cHl4lbwuuQ0IqgbaQwzh14, but couldn't download http://test.domain2.tld/.well-known/acme-challenge/sGgHISEKiblaUBO0JS4x1cHl4lbwuuQ0IqgbaQwzh14: Error:
Url: http://test.domain2.tld/.well-known/acme-challenge/sGgHISEKiblaUBO0JS4x1cHl4lbwuuQ0IqgbaQwzh14
Data: None
Response Code: 403
Response: <html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

2024-08-24 05:33:58,134: ERROR - Certificate installation for test.domain2.tld failed !
Exception: Could not sign the new certificate

Full log here:
paste.yunohost.org/raw/ucufepizek

args:
  force: true
  no_checks: false
ended_at: 2024-08-23 19:33:58.134666
error: 'Certificate installation for test.domain2.tld failed !

  Exception: Could not sign the new certificate'
interface: api
operation: letsencrypt_cert_install
parent: null
related_to:
  - domain
  - test.domain2.tld
started_at: 2024-08-23 19:33:53.115824
success: false
yunohost_version: 11.2.27

============

2024-08-24 05:33:53,123: DEBUG - Making sure tmp folders exists…
2024-08-24 05:33:53,123: DEBUG - Reusing IPv4 from cache: xx.xx.xx.xx
2024-08-24 05:33:53,124: DEBUG - Reusing IPv6 from cache: None
2024-08-24 05:33:53,124: DEBUG - Prepare key and certificate signing request (CSR) for test.domain2.tld…
2024-08-24 05:33:54,081: DEBUG - Saving to /var/www/.well-known/acme-challenge-private/test.domain2.tld.csr.
2024-08-24 05:33:54,082: DEBUG - Now using ACME Tiny to sign the certificate…
2024-08-24 05:33:54,082: INFO - Parsing account key…
2024-08-24 05:33:54,092: INFO - Parsing CSR…
2024-08-24 05:33:54,099: INFO - Found domains: test.domain2.tld
2024-08-24 05:33:54,100: INFO - Getting directory…
2024-08-24 05:33:54,640: INFO - Directory found!
2024-08-24 05:33:54,640: INFO - Registering account…
2024-08-24 05:33:55,697: INFO - Already registered!
2024-08-24 05:33:55,698: INFO - Creating new order…
2024-08-24 05:33:57,065: INFO - Order created!
2024-08-24 05:33:58,129: INFO - Verifying test.domain2.tld…
2024-08-24 05:33:58,133: ERROR - Wrote file to /var/www/.well-known/acme-challenge-public/sGgHISEKiblaUBO0JS4x1cHl4lbwuuQ0IqgbaQwzh14, but couldn’t download http://test.domain2.tld/.well-known/acme-challenge/sGgHISEKiblaUBO0JS4x1cHl4lbwuuQ0IqgbaQwzh14: Error:
Url: http://test.domain2.tld/.well-known/acme-challenge/sGgHISEKiblaUBO0JS4x1cHl4lbwuuQ0IqgbaQwzh14
Data: None
Response Code: 403
Response: <html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

2024-08-24 05:33:58,134: ERROR - Certificate installation for test.domain2.tld failed !
Exception: Could not sign the new certificate

Is the Diagnosis menu complaining about any modified file, especially regarding NGINX?

No, I’ve also tried force-regenerating them, following the suggestions in all previous similar posts.
Also tried from the CLI, same errors.

What’s the output of ls -la /var/www/.well-known ?

ls -la /var/www/.well-known
total 144
drwxrwxr-x+ 35 root root     4096 Aug 24 19:19 .
drwxrwxr-x+ 16 root root     4096 Aug 23 23:33 ..
drwxrwxr-x+  3 root root     4096 Apr 24 21:24 13ft.app.[domain1]
drwxrwxr-x+  3 root root     4096 May  9 04:52 152-67-126-126.519b6502d940.[domain2]
drw-r-----+  2 root root     4096 Aug 23 23:27 acme-challenge-private
drw-r-x---+  2 root www-data 4096 Aug 24 05:33 acme-challenge-public
drwxrwxr-x+  3 root root     4096 Apr 24 04:35 app.[domain1]
drwxrwxr-x+  3 root root     4096 Apr  5 18:16 cat.[domain1]
drwxrwxr-x+  3 root root     4096 Mar  9 02:31 cloud.[domain1]
drwxrwxr-x+  3 root root     4096 Mar  9 03:36 cloud.[domain3]
drwxrwxr-x+  3 root root     4096 Apr 25 13:59 cockpit.app.[domain1]
drwxrwxr-x+  3 root root     4096 Aug 12 08:48 comet.app.[domain1]
drwxr-xr-x+  3 root root     4096 Aug 23 16:58 coturn.app.[domain1]
drwxrwxr-x+  3 root root     4096 Jul  7 14:10 decore.[domain4]
drwxrwxr-x+  3 root root     4096 Jul  7 13:39 decoremedia.[domain1]
drwxrwxr-x+  3 root root     4096 Apr 22 06:37 dr.[domain1]
drwxrwxr-x+  3 root root     4096 Apr 14 07:21 flare.[domain1]
drwxrwxr-x+  3 root root     4096 Apr  5 16:31 homarr.[domain1]
drwxrwxr-x+  3 root root     4096 Aug 30  2023 [domain1]
drwxrwxr-x+  3 root root     4096 Apr 19 03:51 jrholder.[domain1]
drwxrwxr-x+  3 root root     4096 Apr 24 01:49 [domain5]
drwxrwxr-x+  3 root root     4096 Mar 16 19:25 logivision.[domain1]
drwxrwxr-x+  3 root root     4096 Apr 17 16:12 media.[domain1]
drwxrwxr-x+  3 root root     4096 Sep 12  2023 media.[domain3]
drwxrwxr-x+  3 root root     4096 Sep  2  2023 monitor.[domain3]
drwxrwxr-x+  3 root root     4096 Apr 25 13:44 overleaf.app.[domain1]
drwxrwxr-x+  3 root root     4096 Apr  6 04:51 portainer.[domain1]
drwxr-xr-x+  3 root root     4096 Aug 23 21:06 send.app.[domain1]
drwxrwxr-x+  3 root root     4096 Aug 30  2023 [domain3]
drwxr-xr-x+  3 root root     4096 Aug 23 23:26 test.decore.[domain4]
drwxrwxr-x+  3 root root     4096 Feb 28 13:48 tree.[domain3]
drwxr-xr-x+  3 root root     4096 Aug 23 18:37 umami.app.[domain1]
drwxrwxr-x+  3 root root     4096 Aug 30  2023 vpn.[domain3]
drwxrwxr-x+  3 root root     4096 Apr 29 02:03 www.[domain5]
drwxrwxr-x+  2 root root     4096 Aug 24 19:19 ynh-diagnosis

This also seems to contain domains which have not been used for a long time or were only used on a temporary basis.

Have you played with ACLs?

What’s the output of getfacl /var/www/.well-known ?

❯ sudo getfacl /var/www/.well-known
getfacl: Removing leading '/' from absolute path names
# file: var/www/.well-known
# owner: root
# group: root
user::rwx
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::r-x

@tituspijean hey any input? this is kinda a big issue if I can’t renew my certificates.

Try again with

sudo getfacl /var/www/.well-known/acme-challenge-public
❯ sudo getfacl /var/www/.well-known/acme-challenge-public
getfacl: Removing leading '/' from absolute path names
# file: var/www/.well-known/acme-challenge-public
# owner: root
# group: www-data
user::rw-
group::r-x
mask::r-x
other::---
default:user::rw-
default:group::r-x
default:mask::r-x
default:other::---

does other have to be r-x ?

From what I see it should work… can you try to do sudo -u www-data ls /var/www/.well-known/acme-challenge-public ?

❯ sudo -u www-data ls /var/www/.well-known/acme-challenge-public
[sudo] password for [username]:
Sorry, user [username] is not allowed to execute '/usr/bin/ls /var/www/.well-known/acme-challenge-public' as www-data on [hostname].

After getting the right permissions:

❯ sudo -u www-data ls -la /var/www/.well-known/acme-challenge-public
total 52
drw-r-x---+  2 root www-data 4096 Aug 24 05:33 .
drwxr-xr-x+ 25 root root     4096 Aug 27 19:08 ..
-rw-r-x---+  1 root root       87 Aug 23 17:16 05CeI7WAZUCucN-f4F7JhjLk1WZlCxuv_xsFJiiFYpg
-rw-r-x---+  1 root root       87 Aug 26 22:40 -3eZlIqMyHH1-5wr0DjxWOLpIUSXvQ3eb5lmsPvwS7k
-rw-r-x---+  1 root root       87 Aug 23 17:51 AAZb2TdFGkXzVWfpE7kCHSlj_838_vyzLaw5opZTjVM
-rw-r-x---+  1 root root       87 Aug 23 22:29 b7RDALYn7uYptG4GXQkXmZrpxAflUqMWF-h8ZmnGBqE
-rw-rw-rw-+  1 root root       87 Apr 24 02:00 bJmKrQrLU_kaL0SF7icMw99iGw90Zxtn09XTYZ9YAC4
-rw-rw-rw-+  1 root root       87 Jul  7 14:12 Kr63aUGXIO5sGKyWTBnPXhrN8aO610S9ZL_d38hHDbU
-rw-r-x---+  1 root root       87 Aug 23 17:39 m2U9MmOzahNuOlhyurpSPGoeAunxKprmR2K5zEWI01o
-rw-rw-rw-+  1 root root       87 Apr 24 02:22 MtswMtKWFHRbhK2WVDpYfdcFcU6yqVr__uWCz1KYdbI
-rw-r-x---+  1 root root       87 Aug 24 06:52 sGgHISEKiblaUBO0JS4x1cHl4lbwuuQ0IqgbaQwzh14
-rw-r-x---+  1 root root       87 Aug 23 17:39 WbXdZfxBI5l5VCz-0d2F1WSjj-585Gl6wAJmVtgUOxg
-rw-r-x---+  1 root root       87 Aug 23 23:27 zQ9Y06P14J9whqm80Y764au3RYckBxo2CCI90lIxGBY

also added others to /var/www/.well-known/acme-challenge-public

❯ sudo getfacl /var/www/.well-known/acme-challenge-public
getfacl: Removing leading '/' from absolute path names
# file: var/www/.well-known/acme-challenge-public
# owner: root
# group: www-data
user::rw-
group::r-x
mask::r-x
other::r-x
default:user::rw-
default:group::r-x
default:mask::r-x
default:other::r-x

So this seems to have fixed it:
sudo setfacl -R -m d:o:rx,o:rx /var/www/.well-known/acme-challenge-public

As to what could have caused this I got no clue.

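The fix above is consistent with what the listings show: nginx runs as www-data, the challenge directory lets www-data in through its group ACL, but the token files were root:root with other::---, so the final path component was unreadable and nginx answered 403. As an added example (not YunoHost’s or acme-tiny’s code), the Python below replays the POSIX ACL access check over getfacl output and reports the first path component that denies a given user. The getfacl blocks are constructed from the thread; the token-file block is inferred from its ls -la line, since the thread never ran getfacl on a token file.

```python
# Added example (not YunoHost or acme-tiny code): replay the POSIX.1e ACL access
# check over getfacl output to find which component of the HTTP-01 challenge path
# denies the nginx worker (www-data).  The getfacl blocks are constructed from the
# thread; the token-file block is inferred from its `ls -la` line (-rw-r-x---+ root root).
WELL_KNOWN = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nmask::r-x\nother::r-x"
CHALLENGE_DIR = "# owner: root\n# group: www-data\nuser::rw-\ngroup::r-x\nmask::r-x\nother::---"
TOKEN_BEFORE = "# owner: root\n# group: root\nuser::rw-\ngroup::r-x\nmask::r-x\nother::---"
TOKEN_AFTER = TOKEN_BEFORE.replace("other::---", "other::r-x")  # after setfacl -m o:rx
TOKEN = "/var/www/.well-known/acme-challenge-public/<token>"  # placeholder for the token file

def parse_getfacl(text):
    """Return (owner, group, {(tag, qualifier): perms}) from one getfacl access block."""
    owner, group, entries = None, None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:", "getfacl:")):
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = perms
    return owner, group, entries

def masked(perms, mask):
    """Named-user and group entries only grant a bit the mask also grants."""
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def effective(text, user, groups):
    """POSIX.1e order: owner, named user, owning/named groups (masked, no fallthrough), other."""
    owner, group, e = parse_getfacl(text)
    mask = e.get(("mask", ""), "rwx")
    if user == owner:
        return e[("user", "")]
    if ("user", user) in e:
        return masked(e[("user", user)], mask)
    grants = [masked(e[("group", "")], mask)] if group in groups else []
    grants += [masked(p, mask) for (t, q), p in e.items() if t == "group" and q and q in groups]
    if grants:  # a bit is granted if any matching group entry grants it
        return "".join(max(bits) for bits in zip(*grants))
    return e[("other", "")]

def first_denial(path_acls, user, groups):
    """path_acls = [(path, getfacl_text, is_dir)]: dirs need 'x' to traverse, the file needs 'r'."""
    for path, text, is_dir in path_acls:
        if ("x" if is_dir else "r") not in effective(text, user, groups):
            return path
    return None
BROKEN = [("/var/www/.well-known", WELL_KNOWN, True),
          ("/var/www/.well-known/acme-challenge-public", CHALLENGE_DIR, True),
          (TOKEN, TOKEN_BEFORE, False)]
FIXED = BROKEN[:2] + [(TOKEN, TOKEN_AFTER, False)]  # first_denial(FIXED, ...) -> None
```

Paste the real getfacl output of each path component in place of the constructed strings; the first path returned is the one to fix with setfacl.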

I make a new subdomain and always want to install an SSL cert right away too. I have found:

  1. make new subdomain
  2. add new domain in yunohost
  3. run diagnosis before trying to do letsencrypt
  4. run letsencrypt

Otherwise, it always fails. The above procedure always works - and I like experimenting a lot and like a new subdomain for each application.
Maybe this helps someone. And thank you very much for this forum and yunohost itself!

@tituspijean it would be nice to check this permissions set in the diagnostic check.

@gemlog This is not the issue I was running into.