I had to write some custom code to look for the Let's Encrypt headers
then respond appropriately for verification.  It wasn't too bad,
although I don't like having that entity-specific code in there so
I've isolated and commented it.


On 8/25/20, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> James,
>
> On 8/24/20 13:24, James H. H. Lampert wrote:
>> On 8/24/20 9:57 AM, Christopher Schultz wrote:
>>> So your RewriteCond[ition] is expected to always be true? Okay.
>>> Maybe remove it, then? BTW I think your rewrite will strip query
>>> strings and stuff like that. Maybe you just want
>>> RedirectPermanent instead of Rewrite(Cond|Rule)?
>>>
>>> Okay, so everyone gets redirected from http://example.com/ to
>>> https://example.com/. If LE requests
>>> http://example.com/.well-known/uherfhuerhfiu then it will be
>>> redirected to https://example.com/.well-known/uherfhuerhfiu,
>>> presumably locate the correct file and authorize the certificate
>>> request, right?
>>>
>>> But you have said that "everything is unconditionally passed to
>>> Tomcat". You posted some config that definitely passes some
>>> things to Tomcat, but without seeing the rest of the
>>> <VirtualHost> configuration it's not possible to know for sure
>>> nothing else is going on.
>>
>> Ok. In the original post, I posted the virtual host configuration
>> as it was at the time, with meaningful domain names and IP
>> addresses redacted, and some commented-out, abandoned-in-place
>> lines removed.
>>
>> Here is what I currently have in place, albeit with names and IP
>> addresses "changed to protect the innocent." I'm sending you the
>> uncensored version off-List.
>>
>> <VirtualHost *:80>
>>     ServerName foo.frobozz.com
>>     # ServerAlias bar.frobozz.com
>>     DocumentRoot /var/www/html/test
>>     ServerAdmin i...@frobozz.com
>>     <Directory /var/www/html/test>
>>         AllowOverride All
>>     </Directory>
>>     RewriteEngine on
>>     RewriteCond %{HTTP_HOST} !^www\. [NC]
>>     RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
>> </VirtualHost>
>>
>> <IfModule mod_ssl.c>
>> <VirtualHost *:443>
>>     ServerName foo.frobozz.com
>>     # ServerAlias bar.frobozz.com
>>     DocumentRoot /var/www/html/test
>>     ServerAdmin i...@frobozz.com
>>     # <Directory /var/www/html/test>
>>     #     AllowOverride All
>>     # </Directory>
>>     # <Proxy "https://foo.frobozz.com/manager/html/*">
>>     #     Require ip aa.bb.cc.dd
>>     # </Proxy>
>>     # <Proxy "https://bar.frobozz.com/manager/html/*">
>>     #     Require ip aa.bb.cc.dd
>>     # </Proxy>
>>     <Location /manager>
>>         Require ip aa.bb.cc.dd ww.xx.yy zz pp.dd.qq.xx
>>     </Location>
>>     <Location /host-manager>
>>         Require ip aa.bb.cc.dd ww.xx.yy zz pp.dd.qq.xx
>>     </Location>
>>     ProxyPass "/" "http://127.0.0.1:8080/"
>>     ProxyPassReverse "/" "http://127.0.0.1:8080/"
>>     ProxyRequests Off
>>     Include /etc/letsencrypt/options-ssl-apache.conf
>>     SSLCertificateFile /etc/letsencrypt/live/foo.frobozz.com/fullchain.pem
>>     SSLCertificateKeyFile /etc/letsencrypt/live/foo.frobozz.com/privkey.pem
>> </VirtualHost>
>> </IfModule>
>
> Yeah... that's pretty straightforward. Hmm.
>
> No other VirtualHosts? No other web servers in the mix (e.g.
> load-balancer which already redirects to HTTPS), etc.?
>
> That seems pretty mysterious to me, too.
>
> Are you using VH-based authentication with LE? Meaning, you aren't
> using DNS authentication or anything like that?
>
> I think once you have configured the server once with an LE
> certificate, renewals can use the existing certificate as
> proof-of-ownership without having to put the file into /.well-known.
> Or something. I have forgotten the details.
>
> So maybe that's it: you've already bootstrapped the process and so
> it's smoother, now. Maybe?
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
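The thread turns on two things in James's configuration: the port-80 host redirects every request to HTTPS, and the port-443 host proxies every path to Tomcat, so an ACME HTTP-01 request for /.well-known/acme-challenge/... never reaches a file under DocumentRoot; it is redirected and then handed to Tomcat, which is why James ended up writing Tomcat-side code to answer the challenge. The configuration below is an added example, not anything posted in the thread, showing the usual way to keep that path in Apache's hands. It reuses the thread's placeholder names (foo.frobozz.com, /var/www/html/test, the 127.0.0.1:8080 backend, the aa.bb.cc.dd address and the letsencrypt paths) and drops the always-true `RewriteCond %{HTTP_HOST} !^www\.` test; the hostname in the redirect target is hard-coded on purpose.

```apache
<VirtualHost *:80>
    ServerName foo.frobozz.com
    DocumentRoot /var/www/html/test

    # Serve ACME HTTP-01 challenge files straight from disk over plain HTTP.
    # Directory permissions here are deliberately minimal: no .htaccess, no options.
    <Directory /var/www/html/test/.well-known/acme-challenge>
        Require all granted
        Options None
        AllowOverride None
    </Directory>

    RewriteEngine on
    # Leave the challenge path alone; redirect everything else to HTTPS.
    # The target hostname is hard-coded rather than taken from %{HTTP_HOST}
    # (or %{SERVER_NAME} with the default UseCanonicalName Off), so the
    # redirect does not reflect whatever Host header the client sent.
    # mod_rewrite appends the original query string to the new URL by
    # default, since the substitution contains no '?'.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://foo.frobozz.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName foo.frobozz.com
    DocumentRoot /var/www/html/test

    # Exclude the challenge path from the reverse proxy too, in case the
    # ACME client follows a redirect to HTTPS. The "!" exclusion must be
    # declared before the catch-all "/" mapping, as ProxyPass rules are
    # matched in configuration order.
    ProxyPass "/.well-known/acme-challenge/" "!"
    <Directory /var/www/html/test/.well-known/acme-challenge>
        Require all granted
        Options None
        AllowOverride None
    </Directory>

    # Manager apps stay reachable only from the listed address(es).
    <Location /manager>
        Require ip aa.bb.cc.dd
    </Location>
    <Location /host-manager>
        Require ip aa.bb.cc.dd
    </Location>

    ProxyPass "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
    ProxyRequests Off

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/foo.frobozz.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/foo.frobozz.com/privkey.pem
</VirtualHost>
</IfModule>
```

After loading this, `apachectl configtest` followed by a request such as `curl -sI http://foo.frobozz.com/.well-known/acme-challenge/test` (against a file you placed there yourself) should return 200 from Apache rather than a 301 or a Tomcat 404, which is the quickest way to confirm the challenge path is no longer being redirected or proxied. With the path served by Apache, the Tomcat-side challenge handler James mentions is no longer needed.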
