[BlueOnyx:26743] Re: SSL/LE

Herbert Rubin herbr at pfinders.com
Tue Jan 30 20:22:48 -05 2024


Michael,

Thanks for the suggestion but now it's worse. I am stuck with a self-signed
certificate. LE will not work for site2.

There is no .htaccess file being used by site2 www.vendig.com. It's a boring
old site, actually.

The issue is that the site2 file is rewritten improperly during the LE
attempt at renewal. So Apache dies during restart.
So of course LE cannot verify the website.

Line 46 seems unrelated to any cert renewal process so there is some kind
of bug here.

<IfModule mod_suphp.c>
    suPHP_Engine on
    suPHP_UserGroup vendigadmin site2
    AddType application/ .php
    AddHandler  .php .php5 .php4 .php3 .phtml
    suPHP_AddHandler x-httpd-suphp
    suPHP_ConfigPath /home/.sites/site2/wwwroot/
</IfModule>

is written as:

<IfModule mod_suphp.c>
    suPHP_Engine on
    suPHP_UserGroup vendigadmin site2
    AddType application/ .php
    AddHandler  .php .php5 .php4 .php3 .phtml
    suPHP
    suPHP_ConfigPath /home/.sites/site2/wwwroot/
</IfModule>

Why is the AddHandler line mangled?

Herb


On Tue, Jan 30, 2024 at 8:05 AM Michael Stauber via Blueonyx <
blueonyx at mail.blueonyx.it> wrote:

> Hi Taco,
>
> > @Michael, it might make sense to see if the LetsEncrypt “path” that is
> > used for the Domain checks can somehow be forced and not overridden with
> > .htaccess files.
> > Or maybe document what needs to be added to the .htaccess file to
> > exclude the path that is used for LetsEncrypt.
> We already have a lot of exceptions built in for this. For example:
>
> [root@bx ~]# cat /etc/httpd/conf.d/acme_sh.conf
> Alias /.well-known/acme-challenge/ /home/.acme/
> <Directory "/home/.acme/">
>      Options FollowSymLinks
>      AllowOverride None
>      ForceType text/plain
>      RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
>      Require all granted
> </Directory>
>
> That redirects all calls for /.well-known/acme-challenge/ to
> /home/.acme/, where Let's Encrypt stores the verification files.
>
> Additionally, during the LE-cert request we temporarily disable the
> following Vsite-related configurations (if they are enabled):
>
> - "Force HTTPS" in "Site Management" / <Vsite> / "SSL"
> - "Redirect/Proxy Website" in "Site Management" / <Vsite> / "Services" /
>    "Web"
>
> However: When a Vsite is accessed during the verification, then Apache
> still uses the <VirtualHost>-container to get the rest of the settings
> and configs for that Vsite *before* the above path related
> <Directory>-Rule triggers.
>
> And .htaccess (if present) counts as an exception and any rules in it
> will be honored.
>
> I'm a bit torn about renaming .htaccess during the LE request. For
> starters, this can break the website in the process. On the other hand:
> .htaccess files are usually not allowed and you have to specifically allow
> them. Plus it's not exactly our fault if someone puts something into a
> custom .htaccess that breaks stuff. :p
>
> For example: If you have a redirect in your .htaccess? Why is it in
> there and why don't you use the "Force HTTPS" or "Redirect/Proxy
> Website" options that the GUI provides and which are covered by our
> handling of LE-requests?
>
> I'm not saying "no" to another exception for .htaccess and will think
> about it. But out of curiosity: What kind of redirect did you have in
> there?
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
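The two configuration points discussed in this thread, as an added example that is not part of the thread or of BlueOnyx's own code: a Python check that mirrors the acme_sh.conf RedirectMatch rule (so one can see which request paths under /.well-known/acme-challenge/ Apache will actually serve out of /home/.acme/) and a pre-restart scan for truncated directive lines like the bare `suPHP` in the rewritten vhost. The vhost text in the block is a constructed copy of the mangled <IfModule> section from the message above.

```python
import re

# Positive form of the RedirectMatch in /etc/httpd/conf.d/acme_sh.conf:
# the Apache rule 404s every path that does NOT match this, so only a
# 43-character base64url ACME token can ever be served out of /home/.acme/.
ACME_TOKEN_PATH = re.compile(r"^/\.well-known/acme-challenge/[\w-]{43}$")


def acme_challenge_allowed(path: str) -> bool:
    """True if the acme_sh.conf rule would let Apache serve this path."""
    return ACME_TOKEN_PATH.match(path) is not None


def malformed_directives(conf: str) -> list[tuple[int, str]]:
    """Return (line number, text) of directive lines that carry no argument.

    Section tags (<IfModule ...>, </IfModule>), blank lines and comments are
    skipped.  Apache directives normally take at least one argument, so a
    lone word such as the bare "suPHP" in the rewritten vhost is almost
    certainly a truncated line that will make httpd refuse to (re)start.
    """
    bad: list[tuple[int, str]] = []
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        if len(line.split()) < 2:
            bad.append((lineno, line))
    return bad


# Constructed copy of the mangled <IfModule> block quoted in the message.
MANGLED_VHOST = """\
<IfModule mod_suphp.c>
    suPHP_Engine on
    suPHP_UserGroup vendigadmin site2
    AddType application/ .php
    AddHandler  .php .php5 .php4 .php3 .phtml
    suPHP
    suPHP_ConfigPath /home/.sites/site2/wwwroot/
</IfModule>
"""

if __name__ == "__main__":
    for p in ("/.well-known/acme-challenge/" + "a" * 43,
              "/.well-known/acme-challenge/index.html",
              "/.well-known/acme-challenge/../../etc/passwd"):
        print(f"{'serve' if acme_challenge_allowed(p) else '404  '} {p}")
    for lineno, text in malformed_directives(MANGLED_VHOST):
        print(f"line {lineno}: directive without argument: {text!r}")
```

On a real host, `apachectl configtest` (httpd -t) run before the restart reports the same broken line, which is the check worth wiring in ahead of any automated config rewrite.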