Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
On Monday 19 of March 2018, Stefan Eissing wrote:
> Thanks, Arkadiusz, that sounds reasonable. I will make that change and let
> you know.
>
> For tracking and so that other Apache users can find it more easily, could
> you open a short bug report here? Thanks!

https://bz.apache.org/bugzilla/show_bug.cgi?id=62189

> > On 18.03.2018 at 19:00, Arkadiusz Miśkiewicz wrote:
> >> On Sunday 18 of March 2018, Eric Covener wrote:
> >>> On Sun, Mar 18, 2018 at 1:41 PM, Steffen wrote:
> >>> Did some tests:
> >>>
> >>> http://www.apachelounge.com/viewtopic.php?p=36624#36624
> >>>
> >>> My conclusion (correct me if I am wrong):
> >>>
> >>> When you run mod_md, you cannot use a client which uses TLS.
> >>>
> >>> It is a limitation when an Apache user has an "old" LE account and uses
> >>> an acme client with/without mod_md
> >>>
> >>> TLS-SNI challenge was disabled by Let's Encrypt back in January, but
> >>> old users can still use it. Old accounts are whitelisted.
> >>>
> >>> Let's Encrypt says:
> >>>
> >>> whitelisting mechanisms are live. If you have a certificate renewal
> >>> that has been failing due to the TLS-SNI disablement, you should now be
> >>> able to renew.
> >>
> >> After reading the above and the last post in the forum, it sounds like
> >> the requirement is:
> >>
> >> "Need an option to disable the handling of /.well-known by mod_md so
> >> an external ACME client can be used more easily".
> >>
> >> It seems a bit weird to load mod_md and not use it as your ACME
> >> client, but it's a reasonable request.
> >
> > Or better be able to handle both. If no on disk challenge then fallback
> > to mod_md (or the other way).

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
> On 18.03.2018 at 20:34, Gregg Smith wrote:
>
> My read on the original post:
>
> First we have stated that "For mod_ssl to work in the vote release, mod_md
> must also be included..."
>
> That is what I honed in on. Apache will not start if there's a module
> specific directive without that module being loaded. Since the OP states that
> *mod_ssl* will not work without mod_md included, there must be some
> mod_md directives not contained inside <IfModule> lying around in the OP's
> config. I believe this is the first of two parts.

Exactly. Everything works as before when one does not load mod_md.

> Now, Apache serving a 404 on /.well-known/acme-challenge/test.txt when mod_md
> is loaded I think is because mod_md stores this stuff under MDStoreDir where
> the acme client puts it elsewhere IIRC. So this behavior I see as by design
> since mod_md intercepts the requests coming from the acme server obviously to
> serve what is stored under MDStoreDir.
>
> My guess anyway.

Correct. And as noted in another mail, the fallback behaviour will be added so
that md and external clients can co-exist. I did not foresee this mixed run
mode and therefore decided to deny any fallback here. Seems like this security
reduced the usability too much.

Stefan

>> On 3/18/2018 12:07 PM, Eric Covener wrote:
>>> On Sun, Mar 18, 2018 at 2:25 PM, Steffen wrote:
>>>
>>> It is indeed a limitation for an "old" account, and when LE enables TLS
>>> again (not sure it does already in ACMEv2 protocol)
>> When did this become about TLS-SNI challenges and how does that tie
>> into the external ACME client?
>> Can you connect the dots for me or is this unrelated?
>>> In my test mod_md says:
>>>
>>> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
>>> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
>>>
>>> For me case closed, sorry for the clutter.
>> Does this confirm something beyond "mod_md works"?
>>> When it is not appreciated that I share it with dev, say it please.
>> My own 2 cents: It would be helpful and take much less of a toll on
>> this volunteer's time/patience/morale if this kind of feedback were
>> refined before being brought forward.
>> For example, here are hypothetical concise requirements / complaints
>> that someone could meaningfully address without having to pull teeth:
>> mod_md could do something specifically different with TLS-SNI
>> challenges for old users
>> mod_md pre-empts HTTP challenges for domains that are not mod_md managed.
>> mod_md can't decline/defer to an Alias for /.well-known if it has no
>> stored challenge
>> But instead we have several paragraphs about votes and releases and
>> mod_ssl depending on mod_md and two different clients and a request to
>> test "it" on Linux.
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
Thanks, Arkadiusz, that sounds reasonable. I will make that change and let
you know.

For tracking and so that other Apache users can find it more easily, could
you open a short bug report here? Thanks!

> On 18.03.2018 at 19:00, Arkadiusz Miśkiewicz wrote:
>
>> On Sunday 18 of March 2018, Eric Covener wrote:
>>> On Sun, Mar 18, 2018 at 1:41 PM, Steffen wrote:
>>> Did some tests:
>>>
>>> http://www.apachelounge.com/viewtopic.php?p=36624#36624
>>>
>>> My conclusion (correct me if I am wrong):
>>>
>>> When you run mod_md, you cannot use a client which uses TLS.
>>>
>>> It is a limitation when an Apache user has an "old" LE account and uses
>>> an acme client with/without mod_md
>>>
>>> TLS-SNI challenge was disabled by Let's Encrypt back in January, but old
>>> users can still use it. Old accounts are whitelisted.
>>>
>>> Let's Encrypt says:
>>>
>>> whitelisting mechanisms are live. If you have a certificate renewal
>>> that has been failing due to the TLS-SNI disablement, you should now be
>>> able to renew.
>>
>> After reading the above and the last post in the forum, it sounds like
>> the requirement is:
>>
>> "Need an option to disable the handling of /.well-known by mod_md so
>> an external ACME client can be used more easily".
>>
>> It seems a bit weird to load mod_md and not use it as your ACME
>> client, but it's a reasonable request.
>
> Or better be able to handle both. If no on disk challenge then fallback to
> mod_md (or the other way).
>
> --
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
My read on the original post:

First we have stated that "For mod_ssl to work in the vote release, mod_md
must also be included..."

That is what I honed in on. Apache will not start if there's a module specific
directive without that module being loaded. Since the OP states that *mod_ssl*
will not work without mod_md included, there must be some mod_md directives
not contained inside <IfModule> lying around in the OP's config. I believe
this is the first of two parts.

Now, Apache serving a 404 on /.well-known/acme-challenge/test.txt when mod_md
is loaded I think is because mod_md stores this stuff under MDStoreDir where
the acme client puts it elsewhere IIRC. So this behavior I see as by design
since mod_md intercepts the requests coming from the acme server obviously to
serve what is stored under MDStoreDir.

My guess anyway.

On 3/18/2018 12:07 PM, Eric Covener wrote:
> On Sun, Mar 18, 2018 at 2:25 PM, Steffen wrote:
>> It is indeed a limitation for an "old" account, and when LE enables TLS
>> again (not sure it does already in ACMEv2 protocol)
> When did this become about TLS-SNI challenges and how does that tie
> into the external ACME client?
> Can you connect the dots for me or is this unrelated?
>> In my test mod_md says:
>>
>> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
>> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
>>
>> For me case closed, sorry for the clutter.
> Does this confirm something beyond "mod_md works"?
>> When it is not appreciated that I share it with dev, say it please.
> My own 2 cents: It would be helpful and take much less of a toll on
> this volunteer's time/patience/morale if this kind of feedback were
> refined before being brought forward.
>
> For example, here are hypothetical concise requirements / complaints
> that someone could meaningfully address without having to pull teeth:
>
> mod_md could do something specifically different with TLS-SNI
> challenges for old users
>
> mod_md pre-empts HTTP challenges for domains that are not mod_md managed.
>
> mod_md can't decline/defer to an Alias for /.well-known if it has no
> stored challenge
>
> But instead we have several paragraphs about votes and releases and
> mod_ssl depending on mod_md and two different clients and a request to
> test "it" on Linux.
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
On 18.03.2018 at 20:07, Eric Covener wrote:
> On Sun, Mar 18, 2018 at 2:25 PM, Steffen wrote:
>> It is indeed a limitation for an "old" account, and when LE enables TLS
>> again (not sure it does already in ACMEv2 protocol)
> When did this become about TLS-SNI challenges and how does that tie
> into the external ACME client?
> Can you connect the dots for me or is this unrelated?
>> In my test mod_md says:
>>
>> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
>> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
>>
>> For me case closed, sorry for the clutter.
> Does this confirm something beyond "mod_md works"?
>> When it is not appreciated that I share it with dev, say it please.
> My own 2 cents: It would be helpful and take much less of a toll on
> this volunteer's time/patience/morale if this kind of feedback were
> refined before being brought forward.
>
> For example, here are hypothetical concise requirements / complaints
> that someone could meaningfully address without having to pull teeth:
>
> mod_md could do something specifically different with TLS-SNI
> challenges for old users
>
> mod_md pre-empts HTTP challenges for domains that are not mod_md managed.
>
> mod_md can't decline/defer to an Alias for /.well-known if it has no
> stored challenge
>
> But instead we have several paragraphs about votes and releases and
> mod_ssl depending on mod_md and two different clients and a request to
> test "it" on Linux.

To add to Eric: typically if something does not work, it would be helpful to
get the typical information:

- version and platform info (might be clear from the context)
- configuration used
- steps to reproduce
- expected result
- actual result
- regression or not, i.e. is it a new problem or does it exist in older
  versions too

Sometimes one can shortcut but very often it is really necessary to get that
type of information to be able to analyze/understand what the problem is.

Thanks and regards,

Rainer
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
On Sun, Mar 18, 2018 at 2:25 PM, Steffen wrote:
>
> It is indeed a limitation for an "old" account, and when LE enables TLS
> again (not sure it does already in ACMEv2 protocol)

When did this become about TLS-SNI challenges and how does that tie
into the external ACME client?

Can you connect the dots for me or is this unrelated?

> In my test mod_md says:
>
> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
>
> For me case closed, sorry for the clutter.

Does this confirm something beyond "mod_md works"?

> When it is not appreciated that I share it with dev, say it please.

My own 2 cents: It would be helpful and take much less of a toll on
this volunteer's time/patience/morale if this kind of feedback were
refined before being brought forward.

For example, here are hypothetical concise requirements / complaints
that someone could meaningfully address without having to pull teeth:

mod_md could do something specifically different with TLS-SNI
challenges for old users

mod_md pre-empts HTTP challenges for domains that are not mod_md managed.

mod_md can't decline/defer to an Alias for /.well-known if it has no
stored challenge

But instead we have several paragraphs about votes and releases and
mod_ssl depending on mod_md and two different clients and a request to
test "it" on Linux.
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
It is indeed a limitation for an "old" account, and when LE enables TLS again
(not sure it does already in ACMEv2 protocol)

You can have mod_md for a few domains and other domains with a client. This is
a conf most AL admins/users are using till now, especially the seasoned admins.

In my test mod_md says:

mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge for
www.apachelounge.com (/.well-known/acme-challenge/test.txt)

For me case closed, sorry for the clutter.

For me not related to a vote, therefore I made a separate topic.

It is not "your user" but our user :)

As I said: Not sure it is an issue, and correct me if I am wrong.

I am just trying to help admins/users out there who were early adopters.

When it is not appreciated that I share it with dev, say it please.

On Sunday 18/03/2018 at 18:48, Eric Covener wrote:
> On Sun, Mar 18, 2018 at 11:52 AM, Steffen wrote:
>> A note from admin/user at
>> http://www.apachelounge.com/viewtopic.php?p=36619#36619
>>
>> Asked the reporter to file at bugzilla:
>>
>> Not sure it is an issue.
>>
>> A suggestion from me for the official release:
>>
>> I would not publish the official release with mod_md, but offer the two
>> modules (mod_md & mod_ssl) separately for download.
>>
>> For mod_ssl to work in the vote release, mod_md must also be included and
>> mod_md will catch access to the .well-known directory. In other words: With
>> the Vote release it's not possible to use Lets-Encrypt-Win-Simple (I think).
>>
>> My response to that:
>>
>> I think you mean with win-acme client
>>
>> When it is true what you say then in the Linux world they could maybe not
>> use e.g. their Certbot client either.
>>
>> I would like to see that a Linux user tries it?
>
> This is all quite difficult to parse for me. Is your user saying that
> loading mod_md blocks some mode of operation of an external acme client?
> By handling request for /.well-known?
>
> I don't think such a thing impacts the release vote or structure unless
> it's a regression of using the two things together, and there's no
> implication that it is. After all, mod_md is optional, and its primary
> role is certificates via ACME.
>
> I don't see the dilemma, so maybe I am misinterpreting.
>
> Spelling out whatever requirement or concern is at the root of this, in
> more precise detail, is probably the only way it will move forward.
>
> --
> Eric Covener
> cove...@gmail.com
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
>> After reading the above and the last post in the forum, it sounds like
>> the requirement is:
>>
>> "Need an option to disable the handling of /.well-known by mod_md so
>> an external ACME client can be used more easily".
>>
>> It seems a bit weird to load mod_md and not use it as your ACME
>> client, but it's a reasonable request.
>
> Or better be able to handle both. If no on disk challenge then fallback to
> mod_md (or the other way).

IIUC, you are saying that mod_md could decline to handle /.well-known if it
receives an authentication request it wasn't anticipating (because it had not
recently seen this challenge during a request

Then presumably the /.well-known/whatever alias would point to somewhere the
external ACME client was writing to and the server would process it
"normally".

Sounds reasonable to me (as an ACME/LE layman)
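The decline-versus-deny distinction discussed above, as an added example that is not part of this thread or of mod_md's own code: a small Python model of Apache's handler chain for /.well-known/acme-challenge/ requests. The first mod_md-like handler answers 404 for any token it has not stored (the behaviour reported in the thread); the second declines instead, so the request falls through to an Alias-style handler serving the external client's webroot. The store layout, token values and handler names are illustrative assumptions, not mod_md's implementation.

```python
"""Toy model of the Apache handler chain for ACME HTTP-01 challenge requests.

Illustrative only: the store layout, sample tokens and handler names are
assumptions made for this example, not mod_md's real implementation.
"""
from typing import Callable, Dict, List, Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Apache hook semantics: a handler either produces a response (modelled as an
# (HTTP status, body) tuple) or returns DECLINED so the next handler runs.
DECLINED = None
Response = Tuple[int, str]
Handler = Callable[[str], Optional[Response]]


def challenge_token(path: str) -> Optional[str]:
    """Return the token for a well-formed challenge path, else None.

    Only a single path segment is accepted, so "../" or nested paths never
    reach the store lookups below.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    if not token or "/" in token or token in (".", ".."):
        return None
    return token


def make_md_handler(md_store: Dict[str, str], fallback: bool) -> Handler:
    """Build a mod_md-like handler over an in-memory MDStoreDir (assumed layout).

    fallback=False: answer 404 for any unknown token (the behaviour the thread
    reports). fallback=True: decline, so a later handler may serve the file.
    """
    def handler(path: str) -> Optional[Response]:
        token = challenge_token(path)
        if token is None:
            return DECLINED                      # not a challenge URL at all
        if token in md_store:
            return (200, md_store[token])        # challenge mod_md set up itself
        return DECLINED if fallback else (404, "mod_md: unknown challenge")
    return handler


def make_alias_handler(webroot: Dict[str, str]) -> Handler:
    """Model an Alias /.well-known/acme-challenge/ <dir> serving static files."""
    def handler(path: str) -> Optional[Response]:
        token = challenge_token(path)
        if token is None:
            return DECLINED
        if token in webroot:
            return (200, webroot[token])
        return (404, "alias: no such file")
    return handler


def dispatch(handlers: List[Handler], path: str) -> Response:
    """Run handlers in order until one returns a response (Apache-style)."""
    for h in handlers:
        resp = h(path)
        if resp is not DECLINED:
            return resp
    return (404, "no handler")


def simulate(fallback: bool) -> Dict[str, Response]:
    """Serve constructed requests through [mod_md, Alias] and collect results."""
    # Constructed sample data: one token provisioned by mod_md, one written by
    # an external client (e.g. win-acme or certbot) into the aliased webroot.
    md_store = {"mdtoken": "mdtoken.md-key-authz"}
    webroot = {"exttoken": "exttoken.ext-key-authz"}
    chain = [make_md_handler(md_store, fallback), make_alias_handler(webroot)]
    return {
        "md": dispatch(chain, CHALLENGE_PREFIX + "mdtoken"),
        "external": dispatch(chain, CHALLENGE_PREFIX + "exttoken"),
        "unknown": dispatch(chain, CHALLENGE_PREFIX + "nosuchtoken"),
        "traversal": dispatch(chain, CHALLENGE_PREFIX + "../mdtoken"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("fallback" if mode else "strict", simulate(mode))
```

Run as-is to print both modes. In strict mode the external client's token gets mod_md's 404, which is the symptom the thread reports for /.well-known/acme-challenge/test.txt; with fallback the Alias handler serves it, while challenges mod_md set up itself are answered first in both modes and malformed tokens are refused before any lookup.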
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
On Sunday 18 of March 2018, Eric Covener wrote:
> On Sun, Mar 18, 2018 at 1:41 PM, Steffen wrote:
> > Did some tests:
> >
> > http://www.apachelounge.com/viewtopic.php?p=36624#36624
> >
> > My conclusion (correct me if I am wrong):
> >
> > When you run mod_md, you cannot use a client which uses TLS.
> >
> > It is a limitation when an Apache user has an "old" LE account and uses an
> > acme client with/without mod_md
> >
> > TLS-SNI challenge was disabled by Let's Encrypt back in January, but old
> > users can still use it. Old accounts are whitelisted.
> >
> > Let's Encrypt says:
> >
> > whitelisting mechanisms are live. If you have a certificate renewal
> > that has been failing due to the TLS-SNI disablement, you should now be
> > able to renew.
>
> After reading the above and the last post in the forum, it sounds like
> the requirement is:
>
> "Need an option to disable the handling of /.well-known by mod_md so
> an external ACME client can be used more easily".
>
> It seems a bit weird to load mod_md and not use it as your ACME
> client, but it's a reasonable request.

Or better be able to handle both. If no on disk challenge then fallback to
mod_md (or the other way).

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
On Sun, Mar 18, 2018 at 1:41 PM, Steffen wrote:
>
> Did some tests:
>
> http://www.apachelounge.com/viewtopic.php?p=36624#36624
>
> My conclusion (correct me if I am wrong):
>
> When you run mod_md, you cannot use a client which uses TLS.
>
> It is a limitation when an Apache user has an "old" LE account and uses an
> acme client with/without mod_md
>
> TLS-SNI challenge was disabled by Let's Encrypt back in January, but old
> users can still use it. Old accounts are whitelisted.
>
> Let's Encrypt says:
>
> whitelisting mechanisms are live. If you have a certificate renewal that
> has been failing due to the TLS-SNI disablement, you should now be able to
> renew.

After reading the above and the last post in the forum, it sounds like the
requirement is:

"Need an option to disable the handling of /.well-known by mod_md so an
external ACME client can be used more easily".

It seems a bit weird to load mod_md and not use it as your ACME client, but
it's a reasonable request.
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
On Sun, Mar 18, 2018 at 11:52 AM, Steffen wrote:
> A note from admin/user at
> http://www.apachelounge.com/viewtopic.php?p=36619#36619
>
> Asked the reporter to file at bugzilla:
>
> Not sure it is an issue.
>
> A suggestion from me for the official release:
>
> I would not publish the official release with mod_md, but offer the two
> modules (mod_md & mod_ssl) separately for download.
>
> For mod_ssl to work in the vote release, mod_md must also be included and
> mod_md will catch access to the .well-known directory. In other words: With
> the Vote release it's not possible to use Lets-Encrypt-Win-Simple (I think).
>
> My response to that:
>
> I think you mean with win-acme client
>
> When it is true what you say then in the Linux world they could maybe not
> use e.g. their Certbot client either.
>
> I would like to see that a Linux user tries it?

This is all quite difficult to parse for me. Is your user saying that loading
mod_md blocks some mode of operation of an external acme client? By handling
request for /.well-known?

I don't think such a thing impacts the release vote or structure unless it's a
regression of using the two things together, and there's no implication that
it is. After all, mod_md is optional, and its primary role is certificates via
ACME.

I don't see the dilemma, so maybe I am misinterpreting.

Spelling out whatever requirement or concern is at the root of this, in more
precise detail, is probably the only way it will move forward.

-- 
Eric Covener
cove...@gmail.com
Re: mod_md : not possible to use Lets-Encrypt-Win-Simple
Did some tests:

http://www.apachelounge.com/viewtopic.php?p=36624#36624

My conclusion (correct me if I am wrong):

When you run mod_md, you cannot use a client which uses TLS.

It is a limitation when an Apache user has an "old" LE account and uses an
acme client with/without mod_md

TLS-SNI challenge was disabled by Let's Encrypt back in January, but old users
can still use it. Old accounts are whitelisted.

Let's Encrypt says:

whitelisting mechanisms are live. If you have a certificate renewal that has
been failing due to the TLS-SNI disablement, you should now be able to renew.

On Sunday 18/03/2018 at 16:53, Steffen wrote:
> A note from admin/user at
> http://www.apachelounge.com/viewtopic.php?p=36619#36619
>
> Asked the reporter to file at bugzilla:
>
> Not sure it is an issue.
>
> A suggestion from me for the official release:
>
> I would not publish the official release with mod_md, but offer the two
> modules (mod_md & mod_ssl) separately for download.
>
> For mod_ssl to work in the vote release, mod_md must also be included and
> mod_md will catch access to the .well-known directory. In other words: With
> the Vote release it's not possible to use Lets-Encrypt-Win-Simple (I think).
>
> My response to that:
>
> I think you mean with win-acme client
>
> When it is true what you say then in the Linux world they could maybe not
> use e.g. their Certbot client either.
>
> I would like to see that a Linux user tries it?
mod_md : not possible to use Lets-Encrypt-Win-Simple
A note from admin/user at
http://www.apachelounge.com/viewtopic.php?p=36619#36619

Asked the reporter to file at bugzilla:

Not sure it is an issue.

A suggestion from me for the official release:

I would not publish the official release with mod_md, but offer the two
modules (mod_md & mod_ssl) separately for download.

For mod_ssl to work in the vote release, mod_md must also be included and
mod_md will catch access to the .well-known directory. In other words: With
the Vote release it's not possible to use Lets-Encrypt-Win-Simple (I think).

My response to that:

I think you mean with win-acme client

When it is true what you say then in the Linux world they could maybe not use
e.g. their Certbot client either.

I would like to see that a Linux user tries it?