Certbot (1.19.0) certonly --apache chokes on CustomLog pipe

Noob to certbot. Trying it out for the first time on an internal webserver.

My domain is: on a 10.xxx.yyy.zzz

I ran this command: certbot -v certonly --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/httpd.conf on line 228: Syntax error')

My web server is (include version): Apache/2.4.6 (Red Hat Enterprise Linux)

The operating system my web server runs on is (include version): RHEL 7.9

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Of course I can!

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): A CP? ew, no.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.19.0

The line in question is:

CustomLog       "|/usr/sbin/rotatelogs /var/log/httpd/%Y%m_access 86400 -300" "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"     \"%{User-Agent}i\"

and has been in place for years. apachectl configtest comes back as OK, and I can easily stop-n-start (and I don't mean apachectl restart) Apache with no problems.

I really have no intention of commenting out that line, let alone changing it up.

Some insight/suggestions, etc appreciated.

I can't reproduce with a simple CustomLog "|/bin/cat >/dev/null" vhostio, works perfectly here.

Isn't your line just missing a double quote (") at the end? The last character currently is an escaped double quote belonging to the quotes around the user agent in the log itself, not the double quote required by the CustomLog directive.

Just reproduced your error with the CustomLog from your post and it indeed results in a syntax error, even while Apache thinks everything is OK. Good news is: just added a double quote at the end of the line and as expected everything works again :)

Ergo: not a problem with certbot, but with your configuration and an Apache webserver just ignoring the syntax error somehow.. Which is kinda strange..


Yeah, I count nine double quotes on that line - it should be ten.


Yeah. Apache pretty much doesn't care about mismatched quotes because of the way it parses arguments out of a line. EOL is as good as a closed quote as far as Apache is concerned.

Since Certbot uses a more formal definition of grammar rather than an ad-hoc parser like Apache itself, it ends up being less tolerant of issues like mismatched quotes. Ideally Certbot's Apache parser should be totally compatible with Apache's parser and it seems like this might be fixable in the grammar, but I'm not sure there's a huge appetite to go messing with it at this point.

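A pre-flight check for the mismatch described in this thread, as an added example that is not part of any post here and is not Certbot or Apache code: it splits each directive line into arguments the lenient way and reports lines where a quoted argument runs into the end of the line. The splitting rules are a simplified assumption about httpd's behaviour, `scan` and `unterminated_quote` are hypothetical names, and the sample config is constructed from the line quoted in the first post.

```python
# Added example: simplified model of lenient argument splitting, not httpd or Certbot code.
SAMPLE = r'''# constructed sample config: line 3 is the line from the post, line 4 the fix
ServerName internal.example
CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/%Y%m_access 86400 -300" "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/%Y%m_access 86400 -300" "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
'''

def unterminated_quote(line):
    """Return the index of an opening quote that is never closed, else None."""
    i, n = 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] in "\"'":
            quote, start = line[i], i
            i += 1
            while i < n and line[i] != quote:
                # Assumption: inside quotes, backslash escapes the quote or a backslash.
                if line[i] == "\\" and i + 1 < n and line[i + 1] in (quote, "\\"):
                    i += 2
                else:
                    i += 1
            if i >= n:
                return start      # end of line reached first: a strict parser rejects this
            i += 1                # consume the closing quote
        else:
            while i < n and not line[i].isspace():
                i += 1            # bare word: runs to the next whitespace
    return None

def scan(config_text):
    """Return (first_line_number, quote_index) for each offending logical line."""
    findings, pending, start = [], "", None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        start = start or lineno
        pending += raw
        if pending.endswith("\\"):        # trailing backslash continues the directive
            pending = pending[:-1]
            continue
        logical, first, pending, start = pending, start, "", None
        if logical.lstrip().startswith("#"):
            continue                      # comment line
        col = unterminated_quote(logical)
        if col is not None:
            findings.append((first, col))
    return findings

if __name__ == "__main__":
    for lineno, col in scan(SAMPLE):
        print(f"line {lineno}: quote opened at column {col + 1} is never closed")
```

To check a real file, pass its contents to `scan`, for example the `/etc/httpd/conf/httpd.conf` named in the error message.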

Yes, it seems that indeed was the problem: missing that last double-quote. Surprised apachectl was so lax in parsing that.


I'm definitely not surprised.
Glad to hear that you've conquered/corrected that deficiency :)
