What should letsencrypt certbot-auto's "webroot-path" be for a non-PHP / non-static-files website?

In the case you have a website using Apache only (maybe with PHP) that is in:

/home/www/mywebsite/
/home/www/mywebsite/index.php
/home/www/mywebsite/style.css

then, it's easy to set certbot's --webroot-path:

./certbot-auto certonly --webroot --webroot-path /home/www/mywebsite/ \
                        --domain example.com --domain www.example.com --email [email protected]

Question: when using a website run by NodeJS or Python Flask or Bottle, linked to Apache either with WSGI (mod_wsgi) or simple proxying (I know the latter is not recommended in the case of Python)

RewriteEngine On
RewriteRule /(.*)           http://localhost:5000/$1 [P,L]

what should --webroot-path be?

More specifically, if we have:

/home/www/mywebsite/       (Python example)
/home/www/mywebsite/myapp.py
/home/www/mywebsite/myapp.sqlite
/home/www/mywebsite/static/style.css
...

or

/home/www/mywebsite/        (NodeJS example)
/home/www/mywebsite/myapp.js
/home/www/mywebsite/myapp.sqlite
/home/www/mywebsite/static/style.css
...

then it doesn't make sense to choose --webroot-path as /home/www/mywebsite/, right?

Indeed, I don't want any other program/script like letsencrypt certbot to fiddle with my .py files.

Anyway, what does --webroot-path in certbot do? Will files there be analyzed, parsed?

Basj asked Apr 22 '18 09:04


1 Answer

Very interesting question that yet has a trivial answer. The official documentation states:

The webroot plugin works by creating a temporary file for each of your requested domains in ${webroot-path}/.well-known/acme-challenge. Then the Let’s Encrypt validation server makes HTTP requests to validate that the DNS for each requested domain resolves to the server running certbot.

So it doesn't really matter for Certbot where your actual webroot really resides, as long as it's served under the domain you're trying to obtain certificates for, and it's not really interested in what your project/framework structure is.

In other words, certbot does not require access to your project's directory with source files.

For example, the Apache configuration for any application on your server can have a shared so-called webroot, and Certbot only requires /.well-known/acme-challenge/ to be available as a static directory where it can store a challenge file on the server side that will be available to the Certbot validation server:

Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"

<Directory "/var/www/html/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

The same way works for NGINX when set in a particular server block configuration:

server {

    location /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
    }

}

Both examples would work if the certificate is then requested with:

certbot-auto certonly --webroot --webroot-path /var/www/html -d domain.com
Damaged Organic answered Sep 28 '22 08:09
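A pre-flight check for the webroot mechanism the answer describes, as an added example (not the poster's code): it writes a dummy token file under `<webroot-path>/.well-known/acme-challenge/` and fetches it over HTTP the way the validation server would, so an Alias/location that is swallowed by the proxy RewriteRule shows up before certbot is run. `serve_directory` is a local stand-in for Apache/NGINX used only for offline testing; `check_webroot`, `write_challenge` and `fetch_challenge` are names chosen here, not certbot APIs.

```python
import functools
import http.server
import os
import secrets
import threading
import urllib.error
import urllib.request

# Where certbot --webroot writes each challenge file (relative to --webroot-path).
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

def write_challenge(webroot_path: str, token: str, body: str) -> str:
    """Mimic certbot: create <webroot-path>/.well-known/acme-challenge/<token>."""
    directory = os.path.join(webroot_path, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path

def fetch_challenge(base_url: str, token: str, timeout: float = 5.0):
    """GET <base_url>/.well-known/acme-challenge/<token> like the validation server; None on any failure."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", errors="replace")
    except (urllib.error.URLError, OSError):
        return None

def check_webroot(webroot_path: str, base_url: str) -> bool:
    """True only if a file written under webroot_path comes back from base_url,
    i.e. the Alias/location rule in front of the proxied app really works."""
    token = secrets.token_urlsafe(32)   # random, like a real ACME token
    body = f"preflight-{token}"         # dummy content (not a real key authorization)
    path = write_challenge(webroot_path, token, body)
    try:
        return fetch_challenge(base_url, token) == body
    finally:
        os.remove(path)                 # leave nothing behind, as certbot does

def serve_directory(path: str) -> str:
    """Throwaway static server for `path` on localhost, for offline testing only;
    in production the webroot is served by Apache or NGINX."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=path)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"
```

Against a real host, run `check_webroot("/var/www/html", "http://domain.com")` on the server before the certbot-auto command above; a `False` means the challenge path is not reaching the static directory.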