-rw-r--r-- 1 root root 753 Nov 2 19:17 www.frozenarmy.com.conf
-rw-r--r-- 1 root root 743 Nov 2 19:23 www.poolghoul.com.conf
just a reminder, this problem goes away entirely if I don't make the public_html root a CGI context.
mapping url / to path $VH_ROOT/public_html/ as a CGI handler causes the problem in the first place, and will get 500 internal server error if no Static Handler after that. if add a static handler, then get 404 not found. The reason for 500 internal server error I think is b/c the dumped file doesn't have a script handler... this file doesn't have an extension or anything, just a random named file.
Basically I cannot serve CGIs out of the webdir root when using letsencrypt
frozenarmy working perfectly now for simulated renewal when i get rid of the CGI for the webroot.
Yeah, that should mean more to you than it will to us 
You should know how to configure your server to return a static file. Certbot just creates one in the location you tell it. Then it tells the Let's Encrypt server to check it. And, you are replying with Not Found (404).
Would you show contents of the www.poolghoul.com.conf. Redact the account id if you wish
3 Likes
root@polarmyst01:/etc/letsencrypt/renewal# cat www.poolghoul.com.conf
renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/www.poolghoul.com
cert = /etc/letsencrypt/live/www.poolghoul.com/cert.pem
privkey = /etc/letsencrypt/live/www.poolghoul.com/privkey.pem
chain = /etc/letsencrypt/live/www.poolghoul.com/chain.pem
fullchain = /etc/letsencrypt/live/www.poolghoul.com/fullchain.pem
Options used in the renewal process
[renewalparams]
authenticator = webroot
webroot_path = /usr/local/lsws/sites/poolghoul/public_html,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
poolghoul.com = /usr/local/lsws/sites/poolghoul/public_html
www.poolghoul.com = /usr/local/lsws/sites/poolghoul/public_html
I thought you said you remove the "/public_html" part ?
Because those folders are where Certbot writes the challenge token file when using --webroot
3 Likes
You rock, that fixed it. I had a stupid mistake when I changed the file before
Here is the working config:
root@polarmyst01:/etc/letsencrypt/renewal# cat www.poolghoul.com.conf
renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/www.poolghoul.com
cert = /etc/letsencrypt/live/www.poolghoul.com/cert.pem
privkey = /etc/letsencrypt/live/www.poolghoul.com/privkey.pem
chain = /etc/letsencrypt/live/www.poolghoul.com/chain.pem
fullchain = /etc/letsencrypt/live/www.poolghoul.com/fullchain.pem
Options used in the renewal process
[renewalparams]
authenticator = webroot
webroot_path = /usr/local/lsws/sites/poolghoul/public_html,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
poolghoul.com = /usr/local/lsws/sites/poolghoul
www.poolghoul.com = /usr/local/lsws/sites/poolghoul
my mistake before was this line... this one does need public_html. but the ones on the bottom dont
webroot_path = /usr/local/lsws/sites/poolghoul/public_html,
1 Like
We do not recommend updating the Certbot renewal config files manually.
You can easily make minor changes with significant impact (like lines being lost)
The best solution is to re-issue the original Certbot command so it re-creates that file properly
sudo certbot certonly --dry-run --webroot -w /usr/local/lsws/sites/poolghoul -d (domain) -d (domain2) ...
If the --dry-run (test) succeeds, reissue without --dry-run to get fresh cert and update the renewal config file (properly).
3 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.