[BlueOnyx:26741] Re: SSL/LE
Michael Stauber
mstauber at blueonyx.it
Tue Jan 30 10:55:47 -05 2024
Hi Taco,
> @Michael, it might make sense to see if the LetsEncrypt “path” that is
> used for the Domain checks can somehow be forced and not overridden with
> .htaccess files.
> Or maybe document what needs to be added to the .htaccess file to
> exclude the path that is used for LetsEncrypt.
We already have a lot of exceptions built in for this. For example:
[root at bx ~]# cat /etc/httpd/conf.d/acme_sh.conf
Alias /.well-known/acme-challenge/ /home/.acme/
<Directory "/home/.acme/">
Options FollowSymLinks
AllowOverride None
ForceType text/plain
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
Require all granted
</Directory>
That redirects all calls for /.well-known/acme-challenge/ to
/home/.acme/, where Let's Encrypt stores the verification files.
Additionally, during the LE cert request we temporarily disable the
following Vsite-related configurations (if they are enabled):
- "Force HTTPS" in "Site Management" / <Vsite> / "SSL"
- "Redirect/Proxy Website" in "Site Management" / <Vsite> / "Services" / "Web"
However: When a Vsite is accessed during the verification, then Apache
still uses the <VirtualHost>-container to get the rest of the settings
and configs for that Vsite *before* the above path related
<Directory>-Rule triggers.
And .htaccess (if present) counts as an exception and any rules in it
will be honored.
I'm a bit torn about renaming .htaccess during the LE request. For
starters this can break the website in the process. On the other hand:
.htaccess files are usually not allowed and you have to specifically allow
them. Plus it's not exactly our fault if someone puts something into a
custom .htaccess that breaks stuff. :p
For example: if you have a redirect in your .htaccess, why is it in
there, and why don't you use the "Force HTTPS" or "Redirect/Proxy
Website" options that the GUI provides and which are covered by our
handling of LE-requests?
I'm not saying "no" to another exception for .htaccess and will think
about it. But out of curiosity: What kind of redirect did you have in there?
--
With best regards
Michael Stauber
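As an added illustration (not part of this thread or of BlueOnyx), a small pre-flight check an admin could run over a Vsite's .htaccess before requesting a certificate: it flags Redirect*/RewriteRule directives that would catch a request for /.well-known/acme-challenge/<token> unless a preceding RewriteCond exempts that path. It assumes the 43-character token format matched by the acme_sh.conf above and an exemption written as `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/`; the sample .htaccess is constructed.

```python
import re

# Constructed token: HTTP-01 tokens are 43 URL-safe base64 chars (the [\w-]{43} above).
ACME_TEST_PATH = "/.well-known/acme-challenge/" + "A" * 43
# Assumed exemption form: RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
ACME_EXEMPT_COND = re.compile(r"RewriteCond\s+%\{REQUEST_URI\}\s+!\S*well-known")
REDIRECT_STATUS = {"permanent", "temp", "seeother", "gone"}

def _regex_hits(pattern, path):
    # Unparseable patterns are counted as hits (conservative).
    try:
        return re.search(pattern, path) is not None
    except re.error:
        return True

def _redirect_hits(directive, args):
    # Redirect*: optional status, then a URL-path prefix (a regex for RedirectMatch).
    if args and (args[0].isdigit() or args[0].lower() in REDIRECT_STATUS):
        args = args[1:]
    if not args:
        return False
    if directive == "RedirectMatch":
        return _regex_hits(args[0], ACME_TEST_PATH)
    return ACME_TEST_PATH.startswith(args[0])

def find_acme_blockers(htaccess_text):
    """Return [(line_no, line)] for directives that would catch the challenge
    URL and are not guarded by an exempting RewriteCond."""
    blockers, conds = [], []
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        if directive == "RewriteCond":
            conds.append(line)
        elif directive == "RewriteRule":
            exempt = any(ACME_EXEMPT_COND.match(c) for c in conds)
            conds = []  # RewriteConds apply only to the next RewriteRule
            # in .htaccess the pattern sees the path without its leading slash
            if args and not exempt and _regex_hits(args[0], ACME_TEST_PATH[1:]):
                blockers.append((no, line))
        elif directive.startswith("Redirect") and _redirect_hits(directive, args):
            blockers.append((no, line))
    return blockers

# Constructed sample: a force-HTTPS .htaccess without the exemption (line 3 is flagged).
BROKEN_HTACCESS = "RewriteEngine On\nRewriteCond %{HTTPS} off\nRewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]\n"
```

Prepending the exemption RewriteCond to the sample makes the checker return an empty list, which is the state a Vsite should be in before the LE request.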