Unable to access Netlify site, 403 error, forbidden

Netlify site name: mo-teaching.netlify.app
Custom domain: mo-teaching.nl

My website was working just fine, but when I tried to access it today it gave me the following error:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

I have no clue what this is about and where I should look for a solution so I’m posting here to get some answers.
This means I also don’t know if there is critical information missing in my post. If this is the case, please let me know.

EDIT:
I found a likely cause for the problem. Netlify is stating that I didn’t renew my TLS certificate. I tried to renew it but it isn’t working yet. Any help?

Hi @MoTeske

I see a valid SSL certificate on mo-teaching.nl

1 Like

Thank you for your response @coelmay.
I am, however, a bit confused by your answer, because it seems as though on your end my site is working while I still can’t get it to open when I try it myself.
Can you expand on what it means to have a valid SSL certificate in my situation?

Can you post a screenshot of the error you are seeing when you try to access your site?

1 Like

Sure, here are screenshots from both Chrome and Firefox:

Thanks @MoTeske

There is a support guide covering why you shouldn’t use Cloudflare in front of Netlify as you are

TL;DR using Cloudflare for DNS is fine, just don’t proxy to Netlify (make sure it is *DNS Only*.)

1 Like

Hi, @MoTeske. @coelmay is very good at this DNS troubleshooting. The only reason I’ve found something he has not is because I am part of Netlify and have access to internal information that he does not.

This is what I see when I look up the DNS information for this domain:

Name server records (type = NS):
mo-teaching.nl.		21600	IN	NS	anastasia.ns.cloudflare.com.
mo-teaching.nl.		21600	IN	NS	john.ns.cloudflare.com.

Records for the apex domain (type = A):
mo-teaching.nl.		300	IN	A	54.241.246.27
mo-teaching.nl.		300	IN	A	138.68.234.180

Records for www subdomain:
www.mo-teaching.nl.	300	IN	A	184.72.37.151
www.mo-teaching.nl.	300	IN	A	138.68.7.48

What @coelmay cannot have examined (not without breaking into our systems first) but which I can is this:

  • the list of IP addresses which Netlify uses for our Standard Edge Network

That list is always changing which is why it isn’t published publicly. However, if you ask our support team we can always verify if an IP address is one we control or not. What I have learned is this.

These two IP addresses are Netlify controlled and the site works for them:

  • 54.241.246.27
  • 184.72.37.151

Here is an example below (where the --resolve www.mo-teaching.nl:443:184.72.37.151 option controls what IP address curl will make the HTTP request to):

$ curl -k --compressed -svo /dev/null --resolve www.mo-teaching.nl:443:184.72.37.151 https://www.mo-teaching.nl/  2>&1 | egrep '^(<|>)'
> GET / HTTP/2
> Host: www.mo-teaching.nl
> user-agent: curl/7.79.1
> accept: */*
> accept-encoding: deflate, gzip
>
< HTTP/2 200
< age: 109156
< cache-control: public, max-age=0, must-revalidate
< content-encoding: gzip
< content-type: text/html; charset=UTF-8
< date: Sun, 21 Aug 2022 21:51:46 GMT
< etag: "043a7847b5ad8f19a67bc070e8d5c1d5-ssl-df"
< server: Netlify
< strict-transport-security: max-age=31536000
< vary: Accept-Encoding
< x-nf-request-id: 01GB4EB2BQWT97AR0MQHAF9GAG
< content-length: 2961
<

Note, I’ve used the -k option above to ignore SSL errors. The SSL isn’t working because the DNS configuration is unsupported. Once the DNS is configured to match these instructions, the SSL can be provisioned.

The other two IP addresses are not ones that Netlify controls:

  • 138.68.234.180
  • 138.68.7.48

When I make the HTTP request to one of those IP addresses, it is then that the 403 occurs:

$ curl -k --compressed -svo /dev/null --resolve www.mo-teaching.nl:443:138.68.7.48 https://www.mo-teaching.nl/  2>&1 | egrep '^(<|>)'
> GET / HTTP/2
> Host: www.mo-teaching.nl
> user-agent: curl/7.79.1
> accept: */*
> accept-encoding: deflate, gzip
>
< HTTP/2 403
< audit-id: 64d1ccfa-5072-4b74-ad72-a65e937057ea
< cache-control: no-cache, private
< content-type: application/json
< x-content-type-options: nosniff
< x-kubernetes-pf-flowschema-uid: a9177ce7-9873-4003-839a-feb9d2bb4cfc
< x-kubernetes-pf-prioritylevel-uid: 25e07a67-f68d-4c3d-a864-529b0299929d
< content-length: 233
< date: Tue, 23 Aug 2022 04:06:12 GMT
<

To summarize, 403s are not coming from Netlify. For some reason the DNS for this site points sometimes to IP addresses that Netlify does control and sometimes to IP addresses we do not. I cannot see the DNS configuration at Cloudflare so I don’t know what the reason is for this. However, if you modify the DNS configuration to match the instructions above so it directs only to Netlify, the 403s will stop happening.

3 Likes
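The per-address check from the post above, scripted so that every A record of a hostname is requested separately and labelled by who answered. This is an added example, not part of the original thread or Netlify's tooling; the function names `classify_headers` and `probe_host` and the verdict labels are assumptions made here, and the sample headers are trimmed from the two curl runs quoted above.

```bash
#!/usr/bin/env bash
# classify_headers: read HTTP response headers on stdin (plain "curl -D -"
# output or "curl -v" lines prefixed with "< ") and print who answered:
#   netlify         a "server: Netlify" header is present
#   kubernetes-api  an x-kubernetes-* header is present (as on the 403 above)
#   unknown         neither marker was found
classify_headers() {
  verdict=unknown
  while IFS= read -r line; do
    line=${line#"< "}                                   # drop curl -v prefix
    lower=$(printf '%s' "$line" | tr -d '\r' | tr 'A-Z' 'a-z')
    case "$lower" in
      "server: netlify"*) verdict=netlify ;;
      x-kubernetes-*) if [ "$verdict" = unknown ]; then verdict=kubernetes-api; fi ;;
    esac
  done
  printf '%s\n' "$verdict"
}

# probe_host HOST: resolve HOST, then pin the request to each address in turn
# with --resolve and print "ip status verdict". Needs dig, curl and network.
# -k is used as in the post, because the certificate may not be valid yet.
probe_host() {
  host=$1
  for ip in $(dig +short A "$host" | grep -E '^[0-9.]+$'); do
    hdrs=$(curl -sk -o /dev/null -D - --max-time 10 \
                --resolve "$host:443:$ip" "https://$host/") || hdrs=""
    status=$(printf '%s\n' "$hdrs" | awk 'NR==1 {print $2}')
    printf '%s %s %s\n' "$ip" "${status:-no-response}" \
           "$(printf '%s\n' "$hdrs" | classify_headers)"
  done
}

# Headers trimmed from the two curl runs quoted in the post.
SAMPLE_OK='< HTTP/2 200
< content-type: text/html; charset=UTF-8
< server: Netlify
< x-nf-request-id: 01GB4EB2BQWT97AR0MQHAF9GAG'
SAMPLE_403='< HTTP/2 403
< content-type: application/json
< x-kubernetes-pf-flowschema-uid: a9177ce7-9873-4003-839a-feb9d2bb4cfc'

printf '%s\n' "$SAMPLE_OK"  | classify_headers
printf '%s\n' "$SAMPLE_403" | classify_headers
# Live check against your own domain (needs network): probe_host www.example.com
```

Any address that does not come back as `netlify` is a record to remove or correct at the DNS provider.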

@luke I really appreciate your reply and I now do understand what the problem is I’m running into. However, I haven’t gotten it to work yet.
@coelmay suggested to turn off the proxy from cloudflare, which I did.

I’m really new to all this DNS stuff and find the instructions you have provided me kind of hard to follow. But I think what I maybe should be doing is changing the IP addresses which aren’t working. Is this true?

Maybe this screenshot will give you some extra information you can use, because I’m still stuck trying to fix this.

I would love to get some more specific advice, because this stuff is just too confusing for me.

Hey @MoTeske

As Luke mentioned here

These IP addresses appear in the screenshot you have provided.

Also, DNS is not configured as per the Netlify documentation as @luke mentions here

1 Like

Cloudflare DNS should look like this @MoTeske (using example.com for demonstration purposes.)

1 Like

@coelmay and @luke, thank you guys both soo much!
Really appreciate the fast replies and thoughtful comments.
My website is now working and I am happy, thanks!

2 Likes

That is great news! Thanks for coming back and letting us know!