Re: Something I still don't quite understand, Re: Let's Encrypt with Tomcat behind httpd

Sat, 22 Aug 2020 07:35:55 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

James,

On 8/21/20 13:14, James H. H. Lampert wrote:
> On 8/21/20 9:30 AM, Christopher Schultz wrote:
>
>> Why would you think that redirecting from http -> https would
>> block renewal?
>
> Because, at least if I correctly understand what I set up,
>
> (1) every http request is unconditionally redirected to https:
>
> RewriteEngine on RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule
> ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This is not unconditional. That's what "RewriteCond" does: it sets up
a condition :)

If Let's Encrypt requests http://www.yoursite.com/ then it won't be
redirected.

> (2) every https request is unconditionally passed to Tomcat.
>
> ProxyPass "/" "http://127.0.0.1:8080/"; ProxyPassReverse "/"
> "http://127.0.0.1:8080/"; ProxyRequests Off
>
> and (3) Let's Encrypt rechecks domain control when it renews, and
> therefore Certbot needs to put something where the Let's Encrypt
> server can find it.
>
> Are any of these assumptions wrong?

What domains are you asking LE to certify?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl9BLSAACgkQHPApP6U8
pFjFIQ//cO9QGyqvHZzmWm1m28CCCZ4bjG/LpLH8QbflQHrum39wV1b5l+idWdST
QlnBV9ZWmFlHFqLw/NyHXUW6o3GHZRv0ObKJ+qVBZlSQ2dS1IZ4DQkQBuq7qq2ZK
PNg2Z8Gu9TkaGAbn7G6VqOht+AQ5BdnjSkQLKlA/9goJIx/vt7oqZusXk9eAHL06
hoKr44+LzhgdkoLI4fAFNBeHx9tSnOluovT75/cHRTMcOoyIOAOXn0sjeQTiJZw/
i/yBjp3SkSZCvmzWj0rpOfmrvb3Fe+s/yXtvNWdsWptVUuDEeFcGKq+syVPuRB0I
K37q/FFEKmeQyOsqqKdwHv0kiWOASoFRqt+Or5Rvqo22MhV2abhkJ2P2u23BkLOy
nTA6deeHZOXzSptjzVrgzAXpNO88dL0WFarMONLs/hffCIGVSRbVgzUS3vawS5z1
Ar+DM26Hna2ZB7VjjgpXMivsXAPUJWxxZhMJt0tniq6T1YHHJJdpIUh6QYsGR6Tg
Oo6aSNK7tPPDdgmCEkuqB1S3qEmhNvD4AKVlkZ/L9PVqGOUDEMNn5DRGduobNz+B
eTiYIImIovIQhRy2cRmNmgSotOlwxkJMFX+eat9eJT/0NTKG0tlwajBculzEIPH3
3CConKkHXAuzTj1KZbVMYon2fAfuN6VbOkEdl4bEWNBm2NFnfAk=
=R0qT
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to