[BlueOnyx:26742] Re: SSL/LE
Taco Scargo
taco at blueonyx.nl
Tue Jan 30 12:21:49 -05 2024
Hi Michael,
Maybe a suggestion to tell website owners how to change their .htaccess so it does not block the LE locations?
As an example, one site has a .htaccess file like this:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com$ [NC,OR]
RewriteCond %{HTTP_HOST} ^www.example.com$
RewriteCond %{REQUEST_URI} !public/
RewriteRule (.*) /public/$1 [L]
This will rewrite anything; maybe I should advise adding:
RewriteCond %{REQUEST_URI} !.well-known/acme-challenge/
What do you think?
I guess that is the only option if .htaccess always gets priority.
Best regards,
Taco
> On 30 Jan 2024, at 16:55, Michael Stauber via Blueonyx <blueonyx at mail.blueonyx.it> wrote:
>
> Hi Taco,
>
>> @Michael, it might make sense to see if the LetsEncrypt “path” that is used for the Domain checks can somehow be forced and not overridden with .htaccess files.
>> Or maybe document what needs to be added to the .htaccess file to exclude the path that is used for LetsEncrypt.
> We already have a lot of exceptions built in for this. For example:
>
> [root at bx ~]# cat /etc/httpd/conf.d/acme_sh.conf
> Alias /.well-known/acme-challenge/ /home/.acme/
> <Directory "/home/.acme/">
> Options FollowSymLinks
> AllowOverride None
> ForceType text/plain
> RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
> Require all granted
> </Directory>
>
> That redirects all calls for /.well-known/acme-challenge/ to /home/.acme/, where Let's Encrypt stores the verification files.
>
> Additionally we temporarily disable during the LE-cert request the following Vsite related configurations (if they are enabled):
>
> - "Force HTTPS" in "Site Management" / <Vsite> / "SSL"
> - "Redirect/Proxy Website" in "Site Management" / <Vsite> / "Services" / "Web"
>
> However: When a Vsite is accessed during the verification, then Apache still uses the <VirtualHost>-container to get the rest of the settings and configs for that Vsite *before* the above path related <Directory>-Rule triggers.
>
> And .htaccess (if present) counts as an exception and any rules in it will be honored.
>
> I'm a bit torn about renaming .htaccess during the LE request. For starters this can break the website in the process. On the other hand: .htaccess are usually not allowed and you have to specifically allow them. Plus it's not exactly our fault if someone puts something into a custom .htaccess that breaks stuff. :p
>
> For example: If you have a redirect in your .htaccess? Why is it in there and why don't you use the "Force HTTPS" or "Redirect/Proxy Website" options that the GUI provides and which are covered by our handling of LE-requests?
>
> I'm not saying "no" to another exception for .htaccess and will think about it. But out of curiosity: What kind of redirect did you have in there?
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
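The rewrite chain from the .htaccess quoted at the top of this message, modelled in Python as an added example (constructed here; it is neither part of the thread nor Apache's own code) so the effect of the proposed extra RewriteCond can be checked against sample requests. The host names, URIs and the challenge token are constructed; the model does a single rewrite pass and does not re-run the per-directory loop that mod_rewrite performs after an internal redirect.

```python
import re

# Model of the .htaccess shown in the post (constructed here; not Apache itself).
# A RewriteCond is (server variable, pattern, flags). A leading '!' in the
# pattern negates it; NC = case-insensitive; OR joins the cond to the next one.
ORIGINAL_CONDS = [
    ("HTTP_HOST", r"^example.com$", {"NC", "OR"}),
    ("HTTP_HOST", r"^www.example.com$", set()),
    ("REQUEST_URI", r"!public/", set()),   # stops the rewrite loop once in /public/
]
# The extra condition proposed in the message: leave the ACME challenge path alone.
ACME_EXCLUSION = ("REQUEST_URI", r"!.well-known/acme-challenge/", set())
PATCHED_CONDS = ORIGINAL_CONDS + [ACME_EXCLUSION]


def cond_matches(pattern, value, flags):
    """Evaluate one RewriteCond against a server variable's value."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    hit = re.search(regex, value, re.IGNORECASE if "NC" in flags else 0) is not None
    return hit != negate


def conds_pass(conds, env):
    """Chain conditions like mod_rewrite: AND by default, [OR] groups a cond with its successor."""
    result, group_hit = True, False
    for var, pattern, flags in conds:
        group_hit = group_hit or cond_matches(pattern, env[var], flags)
        if "OR" in flags:
            continue                      # decision deferred to the next cond
        result, group_hit = result and group_hit, False
    return result


def rewrite_uri(conds, host, uri):
    """Apply 'RewriteRule (.*) /public/$1 [L]' to one request; returns the resulting URI."""
    env = {"HTTP_HOST": host, "REQUEST_URI": uri}
    if not conds_pass(conds, env):
        return uri
    # In a per-directory (.htaccess) context the pattern sees the path without
    # the leading slash, so (.*) captures e.g. '.well-known/acme-challenge/tok'.
    return "/public/" + uri.lstrip("/")


if __name__ == "__main__":
    token_uri = "/.well-known/acme-challenge/constructed-token"   # constructed sample
    print("original:", rewrite_uri(ORIGINAL_CONDS, "example.com", token_uri))
    print("patched: ", rewrite_uri(PATCHED_CONDS, "example.com", token_uri))
```

With the original conditions the challenge request is rewritten under /public/, so the Alias to /home/.acme/ from the quoted acme_sh.conf is never reached; with the exclusion in place the URI passes through untouched.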