[Letsencrypt-devel] Bug#853944: dehydrated-apache2: Validation fails when redirects point to subdirectories.

Rens Houben rhouben at systemec.nl
Thu Feb 2 11:34:27 UTC 2017


Package: dehydrated-apache2
Version: 0.3.1-2~bpo8+1
Severity: important

Dear Maintainer,

One of our webhosting customers that I'm using Let's Encrypt certificates 
for has migrated to a Joomla site that uses a lot of subdomain redirects
of the general type "subdomain.example.com" -> "https://example.com/subdomain/"

Because they want the whole site and all subdomains accessible via https, 
I've had to add each subdomain to the certificate. However, this started 
spitting out 404 errors on the subdomains.

After some digging into the logs I discovered that the problem was that
the certificate challenge followed the redirect chain, so the challenge 
for http://subdomain.example.com/.well-known/acme-challenge/etcetera was
redirected to https://example.com/subdomain/well-known/acme-challenge/etc, 
and the Alias directive in /etc/apache2/conf-available/dehydrated.conf 
didn't cover it.

Changing the rule to 

AliasMatch /.well-known/acme-challenge/(.*)$ /var/lib/dehydrated/acme-challenges/$1

fixed the problem.


-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

dehydrated-apache2 depends on no packages.

Versions of packages dehydrated-apache2 recommends:
ii  apache2 [httpd]             2.4.10-10+deb8u7
ii  apache2-mpm-itk [httpd]     2.4.10-10+deb8u7
ii  apache2-mpm-worker [httpd]  2.4.10-10+deb8u7
ii  dehydrated                  0.3.1-2~bpo8+1

dehydrated-apache2 suggests no packages.

-- Configuration Files:
/etc/apache2/conf-available/dehydrated.conf changed:
<IfModule proxy_module>
    # Do not proxy ACME challenge responses
    ProxyPass /.well-known/acme-challenge/ !
</IfModule>
<IfModule !alias_module>
    # Load the alias module, if not loaded already
    Include /etc/apache2/mods-available/alias.load
    Include /etc/apache2/mods-available/alias.conf
</IfModule>
<IfModule alias_module>
    # Serve ACME challenge responses
    # Alias /.well-known/acme-challenge/ /var/lib/dehydrated/acme-challenges/
    AliasMatch /.well-known/acme-challenge/(.*)$ /var/lib/dehydrated/acme-challenges/$1
</IfModule>
<Directory /var/lib/dehydrated/acme-challenges/>
    Options FollowSymlinks
    Options -Indexes
    AllowOverride None
    # Apache >= 2.3
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    # Apache < 2.3
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Directory>


-- no debconf information
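An added illustration, not part of the bug report or the dehydrated package: a small Python model of why the prefix-based Alias in the shipped dehydrated.conf misses the redirected path while the reporter's AliasMatch catches it. The challenge directory and the reporter's regex come from the report; the token values, and the tighter STRICT pattern that escapes the dot and limits the capture to the base64url characters an ACME HTTP-01 token consists of, are assumptions of this example, and the model ignores Apache's own URL normalisation.

```python
import re
from typing import Optional

# Filesystem target from the report's /etc/apache2/conf-available/dehydrated.conf
CHALLENGE_DIR = "/var/lib/dehydrated/acme-challenges"
# Prefix used by the original Alias directive (commented out in the report)
ALIAS_PREFIX = "/.well-known/acme-challenge/"

# The AliasMatch pattern the reporter switched to: unanchored, '.' unescaped,
# so it matches the challenge path wherever it appears in the URL
LOOSE = re.compile(r"/.well-known/acme-challenge/(.*)$")
# Assumed tighter variant (not from the report): still unanchored so the
# redirected /subdomain/... form is served, but the dot is literal and the
# capture is limited to the base64url charset ACME tokens use
STRICT = re.compile(r"/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$")


def alias(path: str) -> Optional[str]:
    """Model Apache's Alias: a plain URL-path prefix match."""
    if path.startswith(ALIAS_PREFIX):
        return CHALLENGE_DIR + "/" + path[len(ALIAS_PREFIX):]
    return None


def alias_match(path: str, pattern: re.Pattern = LOOSE) -> Optional[str]:
    """Model Apache's AliasMatch: regex search over the URL path, with the
    first capture group substituted for $1 in the target."""
    m = pattern.search(path)
    if m is None:
        return None
    return CHALLENGE_DIR + "/" + m.group(1)


def compare(path: str) -> dict:
    """Resolve one request path under all three rules (None = not served)."""
    return {
        "Alias": alias(path),
        "AliasMatch": alias_match(path, LOOSE),
        "AliasMatch-strict": alias_match(path, STRICT),
    }


if __name__ == "__main__":
    # Constructed token; the direct path and the path after the
    # "subdomain.example.com -> example.com/subdomain/" redirect from the report
    for p in ("/.well-known/acme-challenge/tok_0123-abc",
              "/subdomain/.well-known/acme-challenge/tok_0123-abc"):
        print(p, compare(p))
```

The second path is the one the report's log shows after the redirect: Alias returns None (hence the 404), while both AliasMatch forms map it into the challenge directory; the STRICT pattern additionally refuses captures containing "/" so a single token always resolves to a single file in that directory.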


