Articles in this section

See more

Website hosted on Plesk for Linux is not accessible with 403 Forbidden: AH00529: pcfg_openfile: unable to check htaccess file, ensure it is readable

Avatar
Alexandr Nikolaenko
Updated
Follow

Applicable to:

  • Plesk for Linux

Symptoms

  • While trying to browse a website, the error 403 Forbidden appears:

    CONFIG_TEXT: You don't have permission to access / on this server.
    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

  • The domain's error log /var/www/system/example.com/logs/error_log contains the following:

    CONFIG_TEXT: (13)Permission denied: /var/www/vhosts/example.com/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://example.com/
    (13)Permission denied: [client 203.0.113.2:39024] AH00529: /var/www/vhosts/example.com/httpdocs/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/var/www/vhosts/example.com/httpdocs/' is executable

  • A lot of TIME_WAIT connections to/from 7080/7081 or 80/443 ports.

Cause

Apache service does not have proper permissions to vhost or httpdocs folder.

Resolution

The most common cause of this issue is missing executable permissions on the folders.

Click on a section to expand

  1. At first, try to repair permissions for the site. 

    For Plesk Onyx 17.8

    1. Connect to the server via SSH

    2. Execute the following command (replacing example.com with the domain name):

      # plesk repair fs example.com

    3. Add executable for all the folders inside the document root of the website:

      # find /var/www/vhosts/example.com/httpdocs/ -type d -exec chmod 755 {} \;

    For Plesk Onyx 17.5 and lower:

    1. Connect to the server via SSH

    2. Execute the following command (replace example.com in the command below with the domain name:

      # INFO=($(MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -uadmin psa -sN -e'SELECT h.www_root,s.login FROM domains d, hosting h, sys_users s WHERE s.id=h.sys_user_id AND h.dom_id=d.id AND d.name="example.com"')); chown -R ${INFO[1]}:psacln ${INFO[0]}; chown ${INFO[1]}:psaserv ${INFO[0]}

    3. Execute the following command (replacing example.com with the domain name):

      # plesk repair fs example.com

    4. Add executable for all the folders inside the document root of the website:

      # find /var/www/vhosts/example.com/httpdocs/ -type d -exec chmod 755 {} \;

  2. In case the issue will persist, check whether or not the site is compatible with PHP handler.

    Click here to reveal additional information regarding this point

    In Plesk interface, navigate to Domains > example.com > PHP Settings and try to switch handlers (by FastCGI or to PHP-FPM) to a different one:
    Click Install

  3. There is also a chance that this issue is global and it affects all the websites. In that case, it is required to check Apache user permissions:

    For Debian

    • Find the username that is used by the Apache service. This username is defined in the APACHE_RUN_USER variable in /etc/apache2/envvars:

      # grep APACHE_RUN_USER /etc/apache2/envvars
      export APACHE_RUN_USER=www-data

    • Add that user to the psaserv group. For example, if the Apache user is www-data, you would add the user in the psaserv group as below:

      # usermod -a -G psaserv www-data

    • Restart web server

      # service apache2 restart

    For CentOS
    • Add the apache user to the psaserv group:

      # usermod -a -G psaserv apache

    • Restart web server

      # service httpd restart

Note: If the server is running on Proxmox VE, this configuration not going to work as expected. Please contact Proxmox support for further assistance.

Note: It also worth checking SELinux in case of CentOS. Set it to permissive with setenforce 0 command to check it.

Comments

4 comments

Sort by Date Votes
  • Avatar
    lev k

    HI!

    just want to say, its not always the user.

    sometimes its the group.

    somehow it changed to psacln.

    somehow example: client deleted the httpdocs folder and then recreated it.

    so, solution is chown ftpuser:psaserv httpdocs in this situations

    0
    Permalink
  • Avatar
    Lev Iurev

    Hi @lev k , yes, that's correct, however article describes specific case when user is not in psaserv group

    0
    Permalink
  • Avatar
    Brian L

    I am getting the same errors described in this article, but it does not look to be permissions.
    After a service restart of Apache I can run the command:
    lsof -c httpd | grep "apache-shm" | wc -l
    And the count will be in the 20's or so.
    As the day(s) go on that number will grow and grow up into the tens of thousands and eventually bomb websites on the Plesk server with a 403 error and the errors mentioned in the log files in this article.

    Once it bombs out, the apache-shm count will go back down, sites will return to normal, but it will start to slowly climb back up.
    Have had a support call/remote session with Plesk support, but have not had any luck finding a fix.

    CentOS Linux release 7.5.1804
    Plesk Onyx Version 17.5.3 Update #54

    0
    Permalink
  • Avatar
    Ivan Postnikov

    Hello @Brian,

    As the issue is complex I suggest creating a follow-up ticket to Plesk support and double-check the issue.

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles