[BlueOnyx:26742] Re: SSL/LE

Taco Scargo taco at blueonyx.nl
Tue Jan 30 12:21:49 -05 2024


Hi Michael,

Maybe a suggestion to tell website owners how to change their .htaccess so it does not block the LE locations?

As an example, one site has a .htaccess file like this:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com$ [NC,OR]
RewriteCond %{HTTP_HOST} ^www.example.com$
RewriteCond %{REQUEST_URI} !public/
RewriteRule (.*) /public/$1 [L]

This will rewrite anything, maybe I should advise adding:
RewriteCond %{REQUEST_URI} !.well-known/acme-challenge/

What do you think?
I guess that is the only option if .htaccess always gets priority.

Best regards,

Taco

> On 30 Jan 2024, at 16:55, Michael Stauber via Blueonyx <blueonyx at mail.blueonyx.it> wrote:
> 
> Hi Taco,
> 
>> @Michael, it might make sense to see if the LetsEncrypt “path” that is used for the Domain checks can somehow be forced and not overridden with .htaccess files.
>> Or maybe document what needs to be added to the .htaccess file to exclude the path that is used for LetsEncrypt.
> We already have a lot of exceptions built in for this. For example:
> 
> [root at bx ~]# cat /etc/httpd/conf.d/acme_sh.conf
> Alias /.well-known/acme-challenge/ /home/.acme/
> <Directory "/home/.acme/">
>    Options FollowSymLinks
>    AllowOverride None
>    ForceType text/plain
>    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
>    Require all granted
> </Directory>
> 
> That redirects all calls for /.well-known/acme-challenge/ to /home/.acme/, where Let's Encrypt stores the verification files.
> 
> Additionally we temporarily disable during the LE-cert request the following Vsite related configurations (if they are enabled):
> 
> - "Force HTTPS" in "Site Management" / <Vsite> / "SSL"
> - "Redirect/Proxy Website" in "Site Management" / <Vsite> / "Services" / "Web"
> 
> However: When a Vsite is accessed during the verification, then Apache still uses the <VirtualHost>-container to get the rest of the settings and configs for that Vsite *before* the above path related <Directory>-Rule triggers.
> 
> And .htaccess (if present) counts as an exception and any rules in it will be honored.
> 
> I'm a bit torn about renaming .htaccess during the LE request. For starters this can break the website in the process. On the other hand: .htaccess are usually not allowed and you have to specifically allow them. Plus it's not exactly our fault if someone puts something into a custom .htaccess that breaks stuff. :p
> 
> For example: If you have a redirect in your .htaccess? Why is it in there and why don't you use the "Force HTTPS" or "Redirect/Proxy Website" options that the GUI provides and which are covered by our handling of LE-requests?
> 
> I'm not saying "no" to another exception for .htaccess and will think about it. But out of curiosity: What kind of redirect did you have in there?
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
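A pre-flight check for the situation discussed in this thread, added here as an example and not code from the thread or from BlueOnyx: it writes a throwaway token shaped like a real http-01 token (43 base64url characters, which is what the RedirectMatch in acme_sh.conf lets through) into /home/.acme/, fetches it over plain HTTP without following redirects, and reports whether a .htaccess rewrite or redirect intercepted the path. The ACME_DIR default and the hostname argument are assumptions.

```shell
#!/bin/sh
# Pre-flight check: does a Vsite still serve the ACME challenge path
# once its own .htaccess rewrites and redirects are in play?
# ACME_DIR is an assumption matching the Alias in acme_sh.conf above.
ACME_DIR="${ACME_DIR:-/home/.acme}"

# Produce a 43-character base64url token, the same shape as a real
# http-01 token, so the RedirectMatch 404 rule lets it through.
acme_test_token() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Judge one response. Args: HTTP status, body received, body expected.
# Returns 0 only when the token file came back unmodified.
acme_response_ok() {
    status=$1 body=$2 expected=$3
    case "$status" in
        200) [ "$body" = "$expected" ] ;;
        301|302|307|308)
            echo "redirected: a .htaccess or vhost rule intercepts the path" >&2
            return 1 ;;
        404)
            echo "404: URI was rewritten, or the file is not under $ACME_DIR" >&2
            return 1 ;;
        *)  echo "unexpected status $status" >&2
            return 1 ;;
    esac
}

# Live check against one host (assumed argument: the Vsite's FQDN).
# Plain HTTP, no -L, so any redirect is reported instead of followed.
acme_preflight() {
    host=$1
    token=$(acme_test_token)
    printf '%s' "$token" > "$ACME_DIR/$token" || return 1
    resp=$(curl -s -o - -w '\n%{http_code}' \
        "http://$host/.well-known/acme-challenge/$token")
    rm -f "$ACME_DIR/$token"
    status=$(printf '%s\n' "$resp" | tail -n 1)
    body=$(printf '%s\n' "$resp" | sed '$d')
    acme_response_ok "$status" "$body" "$token"
}

# Usage: acme_preflight www.example.com && echo "challenge path is reachable"
```

Run it as root on the BlueOnyx box before requesting the certificate; a 3xx result points at a .htaccess (or vhost) redirect, a 404 at a RewriteRule that moved the URI somewhere else.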
