Unable to renew letsencrypt cert on Ghost blog behind litespeed - proxypass needed?

c0ldshadow

Well-Known Member
#1
Hi LiteSpeed Community and Staff,

I am running into a problem where my Ghost blog running behind a litespeed server can't renew the letsencrypt SSL cert, and I think the solution may involve needing to add something to my htaccess. My Ghost blog is running behind "external app" feature in the vhost. I used paid litespeed consult hours to set this up as I'm not an expert in this area.

certbot renew output (all of my other sites work perfectly, but the ghost blog is behind

Code:
  /etc/letsencrypt/live/removed.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: removed.com
   Type:   unauthorized
   Detail: Invalid response from
   http://removed.com/.well-known/acme-challenge/WTjlQKsQCfEfBTqCeXXo1pCjJ0he-YDFuYvkd-mRU6g:
   "<!DOCTYPE html>\n<html style=\"height:100%\">\n<head><title> 503
   Service Unavailable\r\n</title></head>\n<body style=\"color: #444;
   marg"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
The DNS is correct. Others have had a similar issue and it appears the solution may involve ProxyPass or maybe some htaccess changes, but this is a bit beyond my level of understanding:

https://community.letsencrypt.org/t/cant-renew-letsencript-cert-on-my-ghost-blog/33941
https://community.letsencrypt.org/t/solved-problems-issuing-a-certificate/17987/4

From reading the above it appears maybe something isn't redirecting properly with the /.well-known/acme-challenge URL, which would require me to change something in my config somewhere.

Please advise. Thanks so much for the help. I am running litespeed 5.3.6

Jon K

Administrator
Staff member
#2
You say Ghost is running as an External App, is it running as a Web Server/Proxy external app? Is ghost hosted on this server or another server?

You may need to set up a .well-known context and have certbot point to that context/path to renew the domain.

c0ldshadow

Well-Known Member
#3
Hello @Jon K

Ghost is hosted locally on the server. Regarding whether it is running as a Web Server/Proxy external app, I am not sure (I used paid consult hours to have litespeed staff set it up).

However, I can see this in the config which may help answer the question.

Under "External App" for the vhost:
Code:
Type: Web Server
Name: ghost_backend
Address: 127.0.0.1:2369
Under the "Context" tab I see:
Code:
Type: Proxy
URI: /
Order: 1
When I click "/" under URI, it takes me to Proxy Context Definition which shows:
Code:
Web Server: [VHost Level]: ghost_backend
Hope this helps answer the question. If there is any other data you need please let me know.

Also please advise on any specific config level changes that you think might fix the issue if you have an idea. This site is unimportant and really only in test mode so I don't really care if it breaks lol.

Thanks again for the support.

c0ldshadow

Well-Known Member
#5
Hi @Pong

I tried the following command:
Code:
certbot renew -a webroot
instead of certbot renew

which produced the same error:

Code:
- The following errors were reported by the server:

   Domain: removed.com
   Type:   unauthorized
   Detail: Invalid response from
   http://removed.com/.well-known/acme-challenge/MdQGcMEGh2_sBfm7f9aOxBJtNUxxaPLiowfkpKtNUBQ:
   "<!DOCTYPE html>\n<html style=\"height:100%\">\n<head><title> 503
   Service Unavailable\r\n</title></head>\n<body style=\"color: #444;
   marg"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
No errors for any of my other sites, just the one with Ghost. So guessing something else in the litespeed config needs to change, but I'm not sure what specific changes are needed.

Any other ideas, guys?

Thx for the help

Pong

Administrator
Staff member
#6

Jon K

Administrator
Staff member
#7
Since there is a Proxy Context set up to / it will redirect all the traffic to the node.js server, including the .well-known/ directory, which node.js has no idea about. You will need to create a context for /.well-known/ and a folder for it, and then point the --webroot that Pong suggested to that directory.

For example you'd create a context with the following:
Code:
Context:
Type: Static
URI: /.well-known/
Path: /var/www/blackhole/.well-known/
Command Line:
Code:
mkdir -p /var/www/blackhole/
certbot certonly --webroot -w /var/www/blackhole/ -d example.com -d www.example.com
Certbot will automatically create the .well-known directory, so no need for you to do it. If you create it manually, it could have issues with r/w to that directory.
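The fix above works because the HTTP-01 challenge only needs one thing: a file certbot writes under `<webroot>/.well-known/acme-challenge/` must be fetchable over plain HTTP at the same path on the domain. The following script is an added example, not code from the thread or from LiteSpeed; it runs that check yourself before you spend a rate-limited certbot attempt. It assumes the webroot is whatever directory the static `/.well-known/` context points at (`/var/www/blackhole/` in the post above) and the domain is the one from the error output (`removed.com`). The two local stand-in servers in `demo()` are constructed for offline use: one answers 503 for every path, like the catch-all proxy context did before the fix, and one serves files straight from the webroot, like the static context does after it.

```python
"""Pre-flight check for an HTTP-01 challenge path behind a reverse proxy.

Writes a random token under <webroot>/.well-known/acme-challenge/, fetches it
back through the front-end server the way the ACME server would, and cleans
up. If a catch-all proxy context still owns /.well-known/ the fetch gets the
backend's answer (the 503 seen in the thread) instead of the token.
"""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def acme_path_is_served(base_url: str, webroot: str, timeout: float = 5.0) -> bool:
    """Return True only if a token written into `webroot` comes back unchanged
    from <base_url>/.well-known/acme-challenge/<token> over plain HTTP.

    base_url: scheme and host the ACME server would use, e.g. "http://removed.com"
    webroot:  directory the static /.well-known/ context points at
              (assumed here to be /var/www/blackhole/ as in the post)
    """
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32).encode()
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "wb") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read() == body
    except (urllib.error.URLError, OSError):
        # HTTPError (e.g. the 503 from the proxied backend) is a URLError subclass
        return False
    finally:
        os.remove(path)  # never leave probe tokens lying in the webroot


# --- constructed stand-ins for the two vhost layouts, so the check runs offline ---

class _ProxyOnly503(http.server.BaseHTTPRequestHandler):
    """Before the fix: every URI, /.well-known/ included, goes to a backend
    that does not know the path. Answers 503 like the thread's error."""
    def do_GET(self):
        self.send_error(503, "Service Unavailable")

    def log_message(self, *args):
        pass


class _QuietStatic(http.server.SimpleHTTPRequestHandler):
    """After the fix: a static context serving files straight from the webroot."""
    def log_message(self, *args):
        pass


def _serve(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Run the check against both stand-ins; maps layout name -> passed?"""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        for name, handler in (
            ("proxy_only", _ProxyOnly503),
            ("static_context", partial(_QuietStatic, directory=webroot)),
        ):
            srv = _serve(handler)
            try:
                results[name] = acme_path_is_served(
                    f"http://127.0.0.1:{srv.server_port}", webroot)
            finally:
                srv.shutdown()
                srv.server_close()
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. python acme_check.py http://removed.com /var/www/blackhole
        print(acme_path_is_served(sys.argv[1], sys.argv[2]))
    else:
        print(demo())  # {'proxy_only': False, 'static_context': True}
```

Run it as `python acme_check.py http://removed.com /var/www/blackhole` as the same user certbot runs as: a `False` with the static context in place usually means the context order or path is wrong, or the directory was created by hand with permissions certbot cannot write through, which is the r/w problem the post warns about. The probe deliberately uses plain `http://`, since that is what Let's Encrypt fetches for HTTP-01, so an HTTPS redirect in `.htaccess` that catches `/.well-known/` would show up here too.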

c0ldshadow

Well-Known Member
#8
@Jon K

Thanks this worked! You are a hero.

Although it appears to work, does the order matter here? This is what it shows in my litespeed contexts:

Code:
        Static    /.well-known/    2   + / -        View   Edit   Delete

        Proxy    /    1   + / -        View   Edit   Delete
Best Regards,