Error 500 caused by htaccess tampering

Bluehost is using Let’s Encrypt to provide free SSL certs to all sites. I spoke to their support today because my htaccess file was molested and caused Error 500 on some of my sites. They confirmed it was a bug with Let’s Encrypt and there’s nothing they can do about it. The issue is that htaccess files are being tampered with and RewriteCond lines are being added redundantly to the file and in the wrong places, sometimes inserting 4 lines for every 1 line in the file.

I’ll attempt to copy/paste the contents of one of my htaccess files below in a “hide details” field so you can see what happened.

#Options +Indexes
RewriteEngine On

# HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Enforce no trailing slash
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
RewriteRule ^ %1 [R=301,L]

# Pretty URLs
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
RewriteRule ^pet-sitting pet-sitting.php
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
RewriteRule ^dog-training dog-training.php
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
RewriteRule ^products products.php
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
RewriteRule ^forms contracts.php

# Pretty URLs (used for offline testing)
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
RewriteRule ^/animal-aide/pet-sitting /animal-aide/pet-sitting.php
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
RewriteRule ^/animal-aide/dog-training.php /animal-aide/dog-training.php
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
RewriteRule ^/animal-aide/products /animal-aide/products.php
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
RewriteRule ^/animal-aide/forms /animal-aide/contracts.php

# Redirect mistyped or misremembered urls to /forms
Redirect /contracts /forms
Redirect /contract /forms

# Redirects errors to the index
ErrorDocument 404 /redirect-to-index.php
ErrorDocument 403 /redirect-to-index.php

1 Like

Hi @Justin.Reinhart

that's a Bluehost problem.

Sounds like Bluehost has created its own client, and that client produces errors. But that's not a Let's Encrypt problem.

Let's Encrypt creates only certificates, but doesn't change rewrite rules.

Or it's a wrongly configured Certbot. But that's the same -> wrong client usage by Bluehost.

2 Likes

Certbot doesn't have any code to edit .htaccess files and doesn't have any code to modify these paths this way (only acme-challenge is used by Let's Encrypt at all, while the others are used by other certificate authorities).

When I searched for "Pretty URLs used for offline testing", the only Google result was this thread, so I think that's a good indication that this is something Bluehost-specific somehow. If it were a part of a default configuration file in some kind of open source server environment, or a part of a file created by a published Let's Encrypt client, we would probably find other references to it on the web.

3 Likes

Thank you gentlemen for your replies. Much appreciated.

The "Pretty URLs used for offline testing" is my own making. That was in my htaccess file before a robot inserted a bunch of RewriteCond lines.

well-known, acme-challenge, cpanel-dcv, and pki-validation. Any place you see these 4 terms it was because it was inserted by a robot. Everything else is mine.

# Robot Garbage
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/.well-known/pki-validation/[A-F0-9]{32}.txt(?:\ Comodo\ DCV)?

Based on both of your replies it sounds like neither Let's Encrypt nor Certbot is doing the editing to the htaccess file. Perhaps Bluehost made or uses yet another tool to automate this process and it has the issue in question. Did I reach the correct conclusion?

2 Likes
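The split described in the post above (inserted validation-path conditions versus the owner's own lines) can be automated for auditing a file against a known-good copy. This is an added example, not code from any poster, Bluehost, cPanel or Let's Encrypt; `audit_htaccess`, `DCV_COND` and the sample input are hypothetical names and constructed data.

```python
import re

# RewriteCond exclusions for the validation paths named in the thread.
DCV_COND = re.compile(
    r"^\s*RewriteCond\s+%\{REQUEST_URI\}\s+!\^/\\?\.well-known/"
    r"(?:acme-challenge|cpanel-dcv|pki-validation)/", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def audit_htaccess(text):
    """Split an .htaccess body into owner lines and inserted DCV conditions.

    Returns (owner_lines, inserted_lines, findings); findings has one
    (rule, inserted_count, uses_cond_backref) tuple per RewriteRule.
    """
    owner, inserted, findings, pending = [], [], [], 0
    for line in text.splitlines():
        if DCV_COND.match(line):
            inserted.append(line)
            pending += 1
            continue
        owner.append(line)
        m = RULE.match(line)
        if m:
            # %N expands from the last matched RewriteCond, so conditions
            # placed after the owner's capturing condition deserve a review.
            uses_backref = bool(re.search(r"%[0-9]", m.group(1)))
            findings.append((line.strip(), pending, uses_backref))
            pending = 0
    return owner, inserted, findings

# Constructed sample: two rule groups in the shape shown in the thread.
INSERTED = r"""RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Banana616)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?
"""
SAMPLE = ("RewriteEngine On\n"
          "RewriteCond %{REQUEST_FILENAME} !-d\n"
          "RewriteCond %{REQUEST_URI} (.+)/\n" + INSERTED +
          "RewriteRule ^ %1 [R=301,L]\n" + INSERTED +
          "RewriteRule ^pet-sitting pet-sitting.php\n")

if __name__ == "__main__":
    owner, inserted, findings = audit_htaccess(SAMPLE)
    print("\n".join(owner))
    for rule, count, backref in findings:
        note = " (uses %N: review)" if backref else ""
        print(f"# {count} inserted condition(s) before: {rule}{note}")
```

The owner-only output is meant for diffing against a backup; whether the inserted exclusions can be dropped depends on how the host performs domain validation.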

Yes, it's a Bluehost problem.

If they use their own client, only Bluehost knows what that client is doing.

1 Like

When I search for some of the other terms, I find other forum posts about cPanel edits to .htaccess files. I’m not 100% sure that these edits correspond to those that cPanel makes, but they are somewhat similar to them. So that might also be something to look into if you happen to be using cPanel.

1 Like
