Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-19 Thread Arkadiusz Miśkiewicz
On Monday 19 of March 2018, Stefan Eissing wrote:
> Thanks, Arkadiusz, that sounds reasonable. I will make that change and let
> you know.
> 
> For tracking and so that other Apache users can find it more easily, could
> you open a short bug report here? Thanks!

https://bz.apache.org/bugzilla/show_bug.cgi?id=62189

> 
> > On 18.03.2018 at 19:00, Arkadiusz Miśkiewicz wrote:
> >> On Sunday 18 of March 2018, Eric Covener wrote:
> >>> On Sun, Mar 18, 2018 at 1:41 PM, Steffen  wrote:
> >>> Did some tests:
> >>> 
> >>> http://www.apachelounge.com/viewtopic.php?p=36624#36624
> >>> 
> >>> 
> >>> My conclusion (correct me if I am wrong):
> >>> 
> >>> When you run mod_md, you cannot use a client which uses TLS.
> >>> 
> >>> It is a limitation when an Apache user has an "old" LE account and uses
> >>> an acme client with/without mod_md
> >>> 
> >>> TLS-SNI challenge was disabled by Let's Encrypt back in January, but
> >>> old users can still use it. Old accounts are whitelisted.
> >>> 
> >>> 
> >>> Let's Encrypt says:
> >>> 
> >>> 
> >>> whitelisting mechanisms are live. If you have a certificate renewal
> >>> that has been failing due to the TLS-SNI disablement, you should now be
> >>> able to renew.
> >> 
> >> After reading the above and the last post in the forum, it sounds like
> >> the requirement is:
> >> 
> >> "Need an option to disable the handling of /.well-known by mod_md so
> >> an external ACME client can be used more easily".
> >> 
> >> It seems a bit weird to load mod_md and not use it as your ACME
> >> client, but it's a reasonable request.
> > 
> > Or better be able to handle both. If no on disk challenge then fallback
> > to mod_md (or the other way).


-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-19 Thread Stefan Eissing


> On 18.03.2018 at 20:34, Gregg Smith wrote:
> 
> My read on the original post:
> 
> First we have stated that "For mod_ssl to work in the vote release, mod_md 
> must also be included..."
> 
> That is what I honed in on. Apache will not start if there's a module 
> specific directive without that module being loaded. Since the OP states that 
> *mod_ssl* will not work without mod_md included, there must be some 
> mod_md directives not contained inside  lying around in the OP's 
> config. I believe this is the first of two parts.

Exactly. Everything works as before when one does not load mod_md. 

> Now, Apache serving a 404 on /.well-known/acme-challenge/test.txt when mod_md 
> is loaded I think is because mod_md stores this stuff under MDStoreDir where 
> the acme client puts it elsewhere IIRC. So this behavior I see as by design 
> since mod_md intercepts the requests coming from the acme server obviously to 
> serve what is stored under MDStoreDir.
> 
> My guess anyway.

Correct. And as noted in another mail, the fallback behaviour will be added so 
that md and external clients can co-exist.

I did not foresee this mixed run mode and therefore decided to deny any 
fallback here. Seems like this security reduced the usability too much.

Stefan

>> On 3/18/2018 12:07 PM, Eric Covener wrote:
>>> On Sun, Mar 18, 2018 at 2:25 PM, Steffen  wrote:
>>> 
>>> It is indeed a limitation for an "old" account, and when LE enables TLS
>>> again (not sure it does already in ACMEv2 protocol)
>> When did this become about TLS-SNI challenges and how does that tie
>> into the external ACME client?
>> Can you connect the dots for me or is this unrelated?
> >>> In my test mod_md says:
> >>> 
> >>> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
> >>> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
> >>> 
> >>> 
> >>> For me case closed, sorry for the clutter.
> >> Does this confirm something beyond "mod_md works"?
> >>> When it is not appreciated that I share it with dev, say it please.
> >> My own 2 cents: It would be helpful and take much less of a toll on
> >> this volunteer's time/patience/morale if this kind of feedback were
> >> refined before being brought forward.
>> For example, here are hypothetical concise requirements / complaints
>> that someone could meaningfully address without having to pull teeth:
>> mod_md could do something specifically different with TLS-SNI
>> challenges for old users
>> mod_md pre-empts HTTP challenges for domains that are not mod_md managed.
>> mod_md can't decline/defer to an Alias for /.well-known if it has no
>> stored challenge
>> But instead we have several paragraphs about votes and releases and
>> mod_ssl depending on mod_md and two different clients and a request to
>> test "it" on Linux.



Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-19 Thread Stefan Eissing
Thanks, Arkadiusz, that sounds reasonable. I will make that change and let you 
know.

For tracking and so that other Apache users can find it more easily, could you 
open a short bug report here? Thanks!

> On 18.03.2018 at 19:00, Arkadiusz Miśkiewicz wrote:
> 
>> On Sunday 18 of March 2018, Eric Covener wrote:
>>> On Sun, Mar 18, 2018 at 1:41 PM, Steffen  wrote:
>>> Did some tests:
>>> 
>>> http://www.apachelounge.com/viewtopic.php?p=36624#36624
>>> 
>>> 
>>> My conclusion (correct me if I am wrong):
>>> 
> >>> When you run mod_md, you cannot use a client which uses TLS.
> >>> 
> >>> It is a limitation when an Apache user has an "old" LE account and uses an
> >>> acme client with/without mod_md
>>> 
>>> TLS-SNI challenge was disabled by Let's Encrypt back in January, but old
>>> users can still use it. Old accounts are whitelisted.
>>> 
>>> 
>>> Let's Encrypt says:
>>> 
>>> 
>>> whitelisting mechanisms are live. If you have a certificate renewal
>>> that has been failing due to the TLS-SNI disablement, you should now be
>>> able to renew.
>> 
>> After reading the above and the last post in the forum, it sounds like
>> the requirement is:
>> 
>> "Need an option to disable the handling of /.well-known by mod_md so
>> an external ACME client can be used more easily".
>> 
>> It seems a bit weird to load mod_md and not use it as your ACME
>> client, but it's a reasonable request.
> 
> Or better be able to handle both. If no on disk challenge then fallback to 
> mod_md (or the other way).
> 
> -- 
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )



Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Gregg Smith

My read on the original post:

First we have stated that "For mod_ssl to work in the vote release, 
mod_md must also be included..."


That is what I honed in on. Apache will not start if there's a module 
specific directive without that module being loaded. Since the OP states 
that *mod_ssl* will not work without mod_md included, there must 
be some mod_md directives not contained inside  lying around 
in the OP's config. I believe this is the first of two parts.


Now, Apache serving a 404 on /.well-known/acme-challenge/test.txt when 
mod_md is loaded I think is because mod_md stores this stuff under 
MDStoreDir where the acme client puts it elsewhere IIRC. So this 
behavior I see as by design since mod_md intercepts the requests coming 
from the acme server obviously to serve what is stored under MDStoreDir.


My guess anyway.


On 3/18/2018 12:07 PM, Eric Covener wrote:
> On Sun, Mar 18, 2018 at 2:25 PM, Steffen  wrote:
>> It is indeed a limitation for an "old" account, and when LE enables TLS
>> again (not sure it does already in ACMEv2 protocol)
>
> When did this become about TLS-SNI challenges and how does that tie
> into the external ACME client?
>
> Can you connect the dots for me or is this unrelated?
>
>> In my test mod_md says:
>>
>> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
>> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
>>
>> For me case closed, sorry for the clutter.
>
> Does this confirm something beyond "mod_md works"?
>
>> When it is not appreciated that I share it with dev, say it please.
>
> My own 2 cents: It would be helpful and take much less of a toll on
> this volunteer's time/patience/morale if this kind of feedback were
> refined before being brought forward.
>
> For example, here are hypothetical concise requirements / complaints
> that someone could meaningfully address without having to pull teeth:
>
> mod_md could do something specifically different with TLS-SNI
> challenges for old users
> mod_md pre-empts HTTP challenges for domains that are not mod_md managed.
> mod_md can't decline/defer to an Alias for /.well-known if it has no
> stored challenge
>
> But instead we have several paragraphs about votes and releases and
> mod_ssl depending on mod_md and two different clients and a request to
> test "it" on Linux.



Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Rainer Jung

On 18.03.2018 at 20:07, Eric Covener wrote:
> On Sun, Mar 18, 2018 at 2:25 PM, Steffen  wrote:
>> It is indeed a limitation for an "old" account, and when LE enables TLS
>> again (not sure it does already in ACMEv2 protocol)
>
> When did this become about TLS-SNI challenges and how does that tie
> into the external ACME client?
>
> Can you connect the dots for me or is this unrelated?
>
>> In my test mod_md says:
>>
>> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
>> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
>>
>> For me case closed, sorry for the clutter.
>
> Does this confirm something beyond "mod_md works"?
>
>> When it is not appreciated that I share it with dev, say it please.
>
> My own 2 cents: It would be helpful and take much less of a toll on
> this volunteer's time/patience/morale if this kind of feedback were
> refined before being brought forward.
>
> For example, here are hypothetical concise requirements / complaints
> that someone could meaningfully address without having to pull teeth:
>
> mod_md could do something specifically different with TLS-SNI
> challenges for old users
> mod_md pre-empts HTTP challenges for domains that are not mod_md managed.
> mod_md can't decline/defer to an Alias for /.well-known if it has no
> stored challenge
>
> But instead we have several paragraphs about votes and releases and
> mod_ssl depending on mod_md and two different clients and a request to
> test "it" on Linux.


To add to Eric: typically if something does not work, it would be 
helpful to get the typical information:

- version and platform info (might be clear from the context)
- configuration used
- steps to reproduce
- expected result
- actual result
- regression or not, i.e. is it a new problem or does it exist in older 
versions too

Sometimes one can shortcut but very often it is really necessary to get 
that type of information to be able to analyze/understand what the 
problem is.


Thanks and regards,

Rainer


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Eric Covener
On Sun, Mar 18, 2018 at 2:25 PM, Steffen  wrote:
>
> It is indeed a limitation for an "old" account, and when LE enables TLS
> again (not sure it does already in ACMEv2 protocol)

When did this become about TLS-SNI challenges and how does that tie
into the external ACME client?

Can you connect the dots for me or is this unrelated?

> In my test mod_md says:
>
> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
>
>
> For me case closed, sorry for the clutter.

Does this confirm something beyond "mod_md works"?

> When it is not appreciated that I share it with dev, say it please.

My own 2 cents: It would be helpful and take much less of a toll on
this volunteer's time/patience/morale if this kind of feedback were
refined before being brought forward.

For example, here are hypothetical concise requirements / complaints
that someone could meaningfully address without having to pull teeth:

mod_md could do something specifically different with TLS-SNI
challenges for old users
mod_md pre-empts HTTP challenges for domains that are not mod_md managed.
mod_md can't decline/defer to an Alias for /.well-known if it has no
stored challenge

But instead we have several paragraphs about votes and releases and
mod_ssl depending on mod_md and two different clients and a request to
test "it" on Linux.


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Steffen

It is indeed a limitation for an "old" account, and when LE enables 
TLS again (not sure it does already in ACMEv2 protocol)

You can have mod_md for a few domains and other domains with a client.

This is a conf most AL admin/users are using till now, especially the 
seasoned admins.

In my test mod_md says:

mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] 
Challenge for www.apachelounge.com 
(/.well-known/acme-challenge/test.txt)

For me case closed, sorry for the clutter.

For me not related to a vote, therefore I made a separate topic.

It is not "your user" but our user :)

As I said:

Not sure it is an issue.
and
correct me if I am wrong

I am just trying to help admin/users out there who were early 
adopters.

When it is not appreciated that I share it with dev, say it please.

On Sunday 18/03/2018 at 18:48, Eric Covener  wrote:
> On Sun, Mar 18, 2018 at 11:52 AM, Steffen  
> wrote:
>> A note from admin/user at
>> http://www.apachelounge.com/viewtopic.php?p=36619#36619
>>
>> Asked the reporter to file at bugzilla:
>>
>> Not sure it is an issue.
>>
>> A suggestion from me for the official release:
>>
>> I would not publish the official release with mod_md, but offer the 
>> two modules (mod_md & mod_ssl) separately for download.
>>
>> For mod_ssl to work in the vote release, mod_md must also be included 
>> and mod_md will catch access to the .well-known directory. In other words: 
>> With the Vote release it's not possible to use Lets-Encrypt-Win-Simple (I 
>> think).
>>
>> My response to that:
>>
>> I think you mean with win-acme client
>>
>> When it is true what you say then in the Linux world they could maybe 
>> not use e.g. their Certbot client either.
>>
>> I would like to see that a Linux user tries it?
>
> This is all quite difficult to parse for me.
>
> Is your user saying that loading mod_md blocks some mode of operation
> of an external acme client?  By handling requests for /.well-known?
>
> I don't think such a thing impacts the release vote or structure
> unless it's a regression of using the two things together, and there's
> no implication that it is.
>
> After all, mod_md is optional, and its primary role is certificates
> via ACME.  I don't see the dilemma, so maybe I am misinterpreting
>
> Spelling out whatever requirement or concern is at the root of this,
> in more precise detail, is probably the only way it will move forward.
>
> --
> Eric Covener
> cove...@gmail.com


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Eric Covener
>> After reading the above and the last post in the forum, it sounds like
>> the requirement is:
>>
>> "Need an option to disable the handling of /.well-known by mod_md so
>> an external ACME client can be used more easily".
>>
>> It seems a bit weird to load mod_md and not use it as your ACME
>> client, but it's a reasonable request.
>
> Or better be able to handle both. If no on disk challenge then fallback to
> mod_md (or the other way).

IIUC, you are saying that mod_md could decline to handle /.well-known
if it receives an authentication request it wasn't anticipating
(because it had not recently seen this challenge during a request

Then presumably the /.well-known/whatever alias would point to
somewhere the external ACME client was writing to and the server would
process it "normally".

Sounds reasonable to me (as an ACME/LE layman)
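The handler chain Eric sketches (mod_md answers only challenges it has stored, otherwise declines so that an Alias for /.well-known/acme-challenge/ serves whatever the external ACME client wrote to disk) can be modelled in a few lines. The following is an added example, not mod_md's code or anything posted in this thread: the `md_challenges` dictionary stands in for what mod_md keeps under MDStoreDir, the `DECLINED` string mimics the Apache handler return value of that name, `alias_handler` plays the role of the aliased directory, and every token, key authorization and directory is constructed for the demo.

```python
"""Model of mod_md / external-client coexistence for http-01 challenges.

Added example, not mod_md source. The dictionary stands in for MDStoreDir,
the DECLINED string for Apache's handler return code; all data is constructed.
"""
import os
import re
import tempfile

# Path prefix the ACME server requests for http-01 validation.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# http-01 tokens are base64url (RFC 8555 section 8.3).  Rejecting anything
# else means the disk fallback can never be steered outside the alias directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Stands in for Apache's DECLINED: "not mine, let the next handler try".
DECLINED = "DECLINED"


def md_handler(path, md_challenges):
    """Model of mod_md's handler: serve a challenge it knows, else decline.

    md_challenges: dict token -> key authorization (the MDStoreDir role).
    Returns (status, body) or DECLINED.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return DECLINED
    token = path[len(CHALLENGE_PREFIX):]
    if token in md_challenges:
        return (200, md_challenges[token].encode("ascii"))
    # Previously this path would have been a 404; declining is the fallback.
    return DECLINED


def alias_handler(path, alias_dir):
    """Model of `Alias /.well-known/acme-challenge/ <alias_dir>` serving
    the file an external client (win-acme, certbot, ...) wrote there."""
    if not path.startswith(CHALLENGE_PREFIX):
        return (404, b"")
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token):
        # Empty token, traversal attempts and anything non-base64url stop here.
        return (404, b"")
    candidate = os.path.join(alias_dir, token)
    if not os.path.isfile(candidate):
        return (404, b"")
    with open(candidate, "rb") as fh:
        return (200, fh.read())


def dispatch(path, md_challenges, alias_dir):
    """Handler chain: mod_md first, the aliased directory when it declines."""
    result = md_handler(path, md_challenges)
    if result == DECLINED:
        result = alias_handler(path, alias_dir)
    return result


def demo():
    """Constructed fixture: one token managed by mod_md, one written to disk
    by an external client, one unknown to both, one traversal attempt."""
    md_challenges = {"mdTOKEN123": "mdTOKEN123.thumbprint-md"}  # constructed
    with tempfile.TemporaryDirectory() as alias_dir:
        with open(os.path.join(alias_dir, "extTOKEN456"), "w") as fh:
            fh.write("extTOKEN456.thumbprint-ext")  # constructed
        return {
            "md": dispatch(CHALLENGE_PREFIX + "mdTOKEN123", md_challenges, alias_dir),
            "external": dispatch(CHALLENGE_PREFIX + "extTOKEN456", md_challenges, alias_dir),
            "unknown": dispatch(CHALLENGE_PREFIX + "nothere", md_challenges, alias_dir),
            "traversal": dispatch(CHALLENGE_PREFIX + "../secret", md_challenges, alias_dir),
        }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:10s} -> {status} {body!r}")
```

The ordering is the point Arkadiusz raised: either module can go first, as long as the one without a matching challenge declines instead of answering 404. The token check in the fallback matters because the aliased directory is now reachable for paths mod_md does not recognise; restricting tokens to the base64url alphabet keeps that fallback from serving anything but challenge files.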


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Arkadiusz Miśkiewicz
On Sunday 18 of March 2018, Eric Covener wrote:
> On Sun, Mar 18, 2018 at 1:41 PM, Steffen  wrote:
> > Did some tests:
> > 
> > http://www.apachelounge.com/viewtopic.php?p=36624#36624
> > 
> > 
> > My conclusion (correct me if I am wrong):
> > 
> > When you run mod_md, you cannot use a client which uses TLS.
> > 
> > It is a limitation when an Apache user has an "old" LE account and uses an
> > acme client with/without mod_md
> > 
> > TLS-SNI challenge was disabled by Let's Encrypt back in January, but old
> > users can still use it. Old accounts are whitelisted.
> > 
> > 
> > Let's Encrypt says:
> > 
> > 
> > whitelisting mechanisms are live. If you have a certificate renewal
> > that has been failing due to the TLS-SNI disablement, you should now be
> > able to renew.
> 
> After reading the above and the last post in the forum, it sounds like
> the requirement is:
> 
> "Need an option to disable the handling of /.well-known by mod_md so
> an external ACME client can be used more easily".
> 
> It seems a bit weird to load mod_md and not use it as your ACME
> client, but it's a reasonable request.

Or better be able to handle both. If no on disk challenge then fallback to 
mod_md (or the other way).

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Eric Covener
On Sun, Mar 18, 2018 at 1:41 PM, Steffen  wrote:
>
> Did some tests:
>
> http://www.apachelounge.com/viewtopic.php?p=36624#36624
>
>
> My conclusion (correct me if I am wrong):
>
> When you run mod_md, you cannot use a client which uses TLS.
>
> It is a limitation when an Apache user has an "old" LE account and uses an
> acme client with/without mod_md
>
> TLS-SNI challenge was disabled by Let's Encrypt back in January, but old
> users can still use it. Old accounts are whitelisted.
>

> Let's Encrypt says:
>
>
> whitelisting mechanisms are live. If you have a certificate renewal that
> has been failing due to the TLS-SNI disablement, you should now be able to
> renew.
>
>

After reading the above and the last post in the forum, it sounds like
the requirement is:

"Need an option to disable the handling of /.well-known by mod_md so
an external ACME client can be used more easily".

It seems a bit weird to load mod_md and not use it as your ACME
client, but it's a reasonable request.


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Eric Covener
On Sun, Mar 18, 2018 at 11:52 AM, Steffen  wrote:
> A note from admin/user at
> http://www.apachelounge.com/viewtopic.php?p=36619#36619
>
> Asked the reporter to file at bugzilla:
>
> Not sure it is an issue.
>
> A suggestion from me for the official release:
>
> I would not publish the official release with mod_md, but offer the two
> modules (mod_md & mod_ssl) separately for download.
>
> For mod_ssl to work in the vote release, mod_md must also be included and
> mod_md will catch access to the .well-known directory. In other words: With
> the Vote release it's not possible to use Lets-Encrypt-Win-Simple (I think).
>
>
> My response to that:
>
>
> I think you mean with win-acme client
>
> When it is true what you say then in the Linux world they could maybe not
> use e.g.  their Certbot client either.
>
> I would like to see that a Linux user tries it?

This is all quite difficult to parse for me.

Is your user saying that loading mod_md blocks some mode of operation
of an external acme client?  By handling requests for /.well-known?

I don't think such a thing impacts the release vote or structure
unless it's a regression of using the two things together, and there's
no implication that it is.

After all, mod_md is optional, and its primary role is certificates
via ACME.  I don't see the dilemma, so maybe I am misinterpreting

Spelling out whatever requirement or concern is at the root of this,
in more precise detail, is probably the only way it will move forward.

-- 
Eric Covener
cove...@gmail.com


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Steffen


Did some tests:

http://www.apachelounge.com/viewtopic.php?p=36624#36624


My conclusion (correct me if I am wrong):

When you run mod_md, you cannot use a client which uses TLS.

It is a limitation when an Apache user has an "old" LE account and uses 
an acme client with/without mod_md


TLS-SNI challenge was disabled by Let's Encrypt back in January, but 
old users can still use it. Old accounts are whitelisted.



Let's Encrypt says:


whitelisting mechanisms are live. If you have a certificate 
renewal that has been failing due to the TLS-SNI disablement, you 
should now be able to renew.


On Sunday 18/03/2018 at 16:53, Steffen  wrote:
> A note from admin/user at 
> http://www.apachelounge.com/viewtopic.php?p=36619#36619
>
> Asked the reporter to file at bugzilla:
>
> Not sure it is an issue.
>
> A suggestion from me for the official release:
>
> I would not publish the official release with mod_md, but offer the 
> two modules (mod_md & mod_ssl) separately for download.
>
> For mod_ssl to work in the vote release, mod_md must also be included 
> and mod_md will catch access to the .well-known directory. In other 
> words: With the Vote release it's not possible to use 
> Lets-Encrypt-Win-Simple (I think).
>
> My response to that:
>
> I think you mean with win-acme client
>
> When it is true what you say then in the Linux world they could maybe 
> not use e.g. their Certbot client either.
>
> I would like to see that a Linux user tries it?


mod_md : not possible to use Lets-Encrypt-Win-Simple

2018-03-18 Thread Steffen

A note from admin/user at 
http://www.apachelounge.com/viewtopic.php?p=36619#36619

Asked the reporter to file at bugzilla:

Not sure it is an issue.

A suggestion from me for the official release:

I would not publish the official release with mod_md, but offer the 
two modules (mod_md & mod_ssl) separately for download.

For mod_ssl to work in the vote release, mod_md must also be included 
and mod_md will catch access to the .well-known directory. In other 
words: With the Vote release it's not possible to use 
Lets-Encrypt-Win-Simple (I think).

My response to that:

I think you mean with win-acme client

When it is true what you say then in the Linux world they could maybe 
not use e.g. their Certbot client either.

I would like to see that a Linux user tries it?