[Letsencrypt-devel] Bug#853944: dehydrated-apache2: Validation fails when redirects point to subdirectories.
Rens Houben
rhouben at systemec.nl
Thu Feb 2 11:34:27 UTC 2017
Package: dehydrated-apache2
Version: 0.3.1-2~bpo8+1
Severity: important
Dear Maintainer,
One of our webhosting customers that I'm using Let's Encrypt certificates
for has migrated to a Joomla site that uses a lot of subdomain redirects
of the general type "subdomain.example.com" -> "https://example.com/subdomain/"
Because they want the whole site and all subdomains accessible via https,
I've had to add each subdomain to the certificate. However, this started
spitting out 404 errors on the subdomains.
After some digging into the logs I discovered that the problem was that
the certificate challenge followed the redirect chain, so the challenge
for http://subdomain.example.com/.well-known/acme-challenge/etcetera was
redirected to https://example.com/subdomain/well-known/acme-challenge/etc,
and the Alias directive in /etc/apache2/conf-available/dehydrated.conf
didn't cover it.
Changing the rule to
AliasMatch /.well-known/acme-challenge/(.*)$ /var/lib/dehydrated/acme-challenges/$1
fixed the problem.
-- System Information:
Debian Release: 8.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
dehydrated-apache2 depends on no packages.
Versions of packages dehydrated-apache2 recommends:
ii apache2 [httpd] 2.4.10-10+deb8u7
ii apache2-mpm-itk [httpd] 2.4.10-10+deb8u7
ii apache2-mpm-worker [httpd] 2.4.10-10+deb8u7
ii dehydrated 0.3.1-2~bpo8+1
dehydrated-apache2 suggests no packages.
-- Configuration Files:
/etc/apache2/conf-available/dehydrated.conf changed:
<IfModule proxy_module>
# Do not proxy ACME challenge responses
ProxyPass /.well-known/acme-challenge/ !
</IfModule>
<IfModule !alias_module>
# Load the alias module, if not loaded already
Include /etc/apache2/mods-available/alias.load
Include /etc/apache2/mods-available/alias.conf
</IfModule>
<IfModule alias_module>
# Serve ACME challenge responses
# Alias /.well-known/acme-challenge/ /var/lib/dehydrated/acme-challenges/
AliasMatch /.well-known/acme-challenge/(.*)$ /var/lib/dehydrated/acme-challenges/$1
</IfModule>
<Directory /var/lib/dehydrated/acme-challenges/>
Options FollowSymlinks
Options -Indexes
AllowOverride None
# Apache >= 2.3
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
</IfModule>
</Directory>
-- no debconf information
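Added example (not part of the bug report and not dehydrated's own code): a small Python model of why the packaged Alias rule 404s behind the Joomla redirects while the reporter's AliasMatch rule works. It follows the redirect chain the way an HTTP-01 validator does, then applies two approximations of Apache's mapping semantics: Alias as a URL-path prefix match, AliasMatch as a regex search over the URL-path with $1 substituted. The host names and redirect table are constructed, the tightened pattern at the end is a suggestion rather than anything from the report, and the confinement check is the model's own guard, not a claim about what Apache does with the mapped path.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Directory dehydrated writes challenge responses into (from the bug report).
CHALLENGE_DIR = "/var/lib/dehydrated/acme-challenges"
ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed redirect table standing in for the Joomla site's
# "subdomain.example.com -> https://example.com/subdomain/" rules.
# Host names are hypothetical.
REDIRECTS = {
    "shop.example.com": "https://example.com/shop/",
    "blog.example.com": "https://example.com/blog/",
}


def follow_redirects(url, redirects=REDIRECTS, max_hops=5):
    """Follow host-level redirects the way an HTTP-01 validator does,
    returning the URL that is finally requested."""
    for _ in range(max_hops):
        parts = urlsplit(url)
        target = redirects.get(parts.hostname)
        if target is None:
            return url
        url = target.rstrip("/") + parts.path
    raise RuntimeError("redirect loop")


def alias_prefix(url_path):
    """Model of the packaged 'Alias' directive: a prefix match on the
    URL-path, so the path must *begin* with /.well-known/acme-challenge/."""
    if not url_path.startswith(ACME_PREFIX):
        return None
    return CHALLENGE_DIR + "/" + url_path[len(ACME_PREFIX):]


# The reporter's replacement rule: the regex is not anchored with '^',
# so it is found anywhere in the URL-path, including after /shop/.
ALIAS_MATCH_RE = re.compile(r"/.well-known/acme-challenge/(.*)$")

# Tighter variant (our suggestion, not from the report): escape the dot,
# allow at most one leading directory, and capture a single file name only.
ALIAS_MATCH_TIGHT_RE = re.compile(
    r"^(?:/[^/]+)?/\.well-known/acme-challenge/([^/]+)$")


def alias_match(url_path, pattern=ALIAS_MATCH_RE):
    """Model of 'AliasMatch': regex search over the URL-path, with the
    capture group substituted for $1 in the filesystem target."""
    m = pattern.search(url_path)
    if m is None:
        return None
    return CHALLENGE_DIR + "/" + m.group(1)


def confined(fs_path):
    """Our own guard, not Apache's: after collapsing '..' the mapped file
    must still be inside CHALLENGE_DIR."""
    return posixpath.normpath(fs_path).startswith(CHALLENGE_DIR + "/")


def resolve(url, rule):
    """Where a challenge request for `url` ends up on disk under `rule`,
    or None if the rule does not map it (a 404) or the target escapes."""
    final_path = urlsplit(follow_redirects(url)).path
    fs_path = rule(final_path)
    if fs_path is None or not confined(fs_path):
        return None
    return fs_path


if __name__ == "__main__":
    req = "http://shop.example.com/.well-known/acme-challenge/tok-123"
    print("validator finally fetches:", follow_redirects(req))
    print("Alias      ->", resolve(req, alias_prefix))
    print("AliasMatch ->", resolve(req, alias_match))
    print("tightened  ->",
          resolve(req, lambda p: alias_match(p, ALIAS_MATCH_TIGHT_RE)))
```

Two things worth noticing when running it: the unanchored pattern from the report also matches paths like /Xwell-known/acme-challenge/tok because the dot is not escaped, and it hands Apache whatever follows acme-challenge/ as $1, subdirectories included; the tightened pattern accepts the redirected form the reporter needs while rejecting both of those. Whether a real Apache would ever pass a dot-dot segment through to the alias is a separate question this model does not answer, which is why the confinement check is labelled as the model's own.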