Invalid response 500 error (unauthorized) when /public_html/ is CGI context

-rw-r--r-- 1 root root 753 Nov 2 19:17 www.frozenarmy.com.conf
-rw-r--r-- 1 root root 743 Nov 2 19:23 www.poolghoul.com.conf

Just a reminder: this problem goes away entirely if I don't make the public_html root a CGI context.

Mapping URL / to path $VH_ROOT/public_html/ as a CGI handler causes the problem in the first place, and I get a 500 Internal Server Error if there is no static handler after that. If I add a static handler, then I get 404 Not Found. The reason for the 500 Internal Server Error, I think, is because the dumped file doesn't have a script handler... this file doesn't have an extension or anything, it's just a randomly named file.

Basically I cannot serve CGIs out of the webdir root when using Let's Encrypt.

frozenarmy is working perfectly now for a simulated renewal when I get rid of the CGI for the webroot.

Yeah, that should mean more to you than it will to us :slight_smile:

You should know how to configure your server to return a static file. Certbot just creates one in the location you tell it. Then it tells the Let's Encrypt server to check it. And you are replying with Not Found (404).

Would you show the contents of www.poolghoul.com.conf? Redact the account ID if you wish.

3 Likes

root@polarmyst01:/etc/letsencrypt/renewal# cat www.poolghoul.com.conf
# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/www.poolghoul.com
cert = /etc/letsencrypt/live/www.poolghoul.com/cert.pem
privkey = /etc/letsencrypt/live/www.poolghoul.com/privkey.pem
chain = /etc/letsencrypt/live/www.poolghoul.com/chain.pem
fullchain = /etc/letsencrypt/live/www.poolghoul.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
webroot_path = /usr/local/lsws/sites/poolghoul/public_html,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
poolghoul.com = /usr/local/lsws/sites/poolghoul/public_html
www.poolghoul.com = /usr/local/lsws/sites/poolghoul/public_html

I thought you said you removed the "/public_html" part?

Because those folders are where Certbot writes the challenge token file when using --webroot.

3 Likes

You rock, that fixed it. I had made a stupid mistake when I changed the file before.

Here is the working config:

root@polarmyst01:/etc/letsencrypt/renewal# cat www.poolghoul.com.conf
# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/www.poolghoul.com
cert = /etc/letsencrypt/live/www.poolghoul.com/cert.pem
privkey = /etc/letsencrypt/live/www.poolghoul.com/privkey.pem
chain = /etc/letsencrypt/live/www.poolghoul.com/chain.pem
fullchain = /etc/letsencrypt/live/www.poolghoul.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
webroot_path = /usr/local/lsws/sites/poolghoul/public_html,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
poolghoul.com = /usr/local/lsws/sites/poolghoul
www.poolghoul.com = /usr/local/lsws/sites/poolghoul

My mistake before was this line... this one does need public_html, but the ones at the bottom don't:

webroot_path = /usr/local/lsws/sites/poolghoul/public_html,

1 Like

We do not recommend updating the Certbot renewal config files manually.

You can easily make minor changes with significant impact (like lines being lost).

The best solution is to re-issue the original Certbot command so it re-creates that file properly:

sudo certbot certonly --dry-run --webroot -w /usr/local/lsws/sites/poolghoul -d (domain) -d (domain2) ...

If the --dry-run (test) succeeds, re-issue without --dry-run to get a fresh cert and update the renewal config file (properly).

3 Likes
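A pre-flight check for the webroot path, written as an added example for this thread (it is not Certbot's code and not anything from the poster's LiteSpeed setup): it reads the [[webroot_map]] entries out of a renewal config (a constructed, trimmed copy of the working one posted above), then does what the replies describe Certbot doing: writes a token file under .well-known/acme-challenge/ in the mapped directory and fetches it over HTTP, expecting the server to hand it back unchanged with a 200. Python's built-in static file server on localhost stands in for the site's vhost, and the demo function is an assumed harness that runs the check once against the served document root and once against a subdirectory the server does not expose at /, which reproduces the 404 the thread was seeing.

```python
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed, trimmed copy of the working renewal config posted in the thread.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 2.11.0
# Options used in the renewal process
[renewalparams]
authenticator = webroot
webroot_path = /usr/local/lsws/sites/poolghoul/public_html,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
poolghoul.com = /usr/local/lsws/sites/poolghoul
www.poolghoul.com = /usr/local/lsws/sites/poolghoul
"""


def parse_webroot_map(conf_text):
    """Return {domain: directory} from the [[webroot_map]] section.
    The file is configobj format; this minimal reader only tracks section
    headers so it can pick out the nested webroot_map block."""
    mapping, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domain, path = (part.strip() for part in line.split("=", 1))
            mapping[domain] = path
    return mapping


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep request logging out of the output
        pass


def serve_dir(directory):
    """Serve `directory` as a static document root on a free localhost port;
    stands in for the real vhost. Returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0),
                                 partial(_QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def write_token(webroot):
    """Mimic Certbot's webroot authenticator: drop a token file under
    <webroot>/.well-known/acme-challenge/. Certbot's file body is the key
    authorization (token.thumbprint); a serving test only needs a known
    body, so the token itself is reused."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(token)
    return token


def fetch(url):
    """GET url -> (status, body); HTTP error responses become their status."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def check_webroot(webroot, base_url):
    """True iff a token written under `webroot` comes back verbatim with 200.
    Anything else (404, 500, a CGI handler's output) would fail validation."""
    token = write_token(webroot)
    status, body = fetch("%s/%s/%s" % (base_url, CHALLENGE_DIR, token))
    return status == 200 and body.decode() == token


def demo():
    """Assumed harness: a webroot matching the served document root (True),
    then one a level too deep, which the server never exposes at / (False)."""
    with tempfile.TemporaryDirectory() as docroot:
        server, base_url = serve_dir(docroot)
        try:
            matching = check_webroot(docroot, base_url)
            too_deep = check_webroot(os.path.join(docroot, "public_html"), base_url)
        finally:
            server.shutdown()
            server.server_close()
    return matching, too_deep


if __name__ == "__main__":
    print(parse_webroot_map(SAMPLE_CONF))
    print(demo())
```

To use it against a real site, skip serve_dir and call check_webroot with the directory from webroot_map and the site's own http:// base URL. A False result means the web server, not Certbot, is what needs fixing, which is the diagnosis the replies above give.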
