[Letsencrypt-devel] Bug#853944: dehydrated-apache2: Validation fails when redirects point to subdirectories.

Mattia Rizzolo mattia at debian.org
Thu Feb 2 17:26:45 UTC 2017


On Thu, Feb 02, 2017 at 12:34:27PM +0100, Rens Houben wrote:
> Dear Maintainer,

Hi!

> One of our webhosting customers that I'm using Let's Encrypt certificates 
> for has migrated to a Joomla site that uses a lot of subdomain redirects
> of the general type "subdomain.example.com" -> "https://example.com/subdomain/"

Right, I've never done that thing, but indeed it won't work with the
current rules.

> After some digging into the logs I discovered that the problem was that
> the certificate challenge followed the redirect chain, so the challenge 
> for http://subdomain.example.com/.well-known/acme-challenge/etcetera was
> redirected to https://example.com/subdomain/well-known/acme-challenge/etc, 
> and the Alias directive in /etc/apache2/conf-available/dehydrated.conf 
> didn't cover it.
> 
> Changing the rule to 
> 
> AliasMatch /.well-known/acme-challenge/(.*)$ /var/lib/dehydrated/acme-challenges/$1

Well, I don't particularly like matching '/.well-known/acme-challenge/.*$'
anywhere in the URL, tbh; I'd rather anchor it at the start with ^, but
that won't fix your problem above, and if anything it would even worsen it.

Anyhow, do you do those redirects by means of mod_rewrite?
If so, could you try adding this bit?  If not, how do you redirect?


--- a/debian/dehydrated.conf
+++ b/debian/dehydrated.conf
@@ -8,6 +8,11 @@
     # Do not proxy ACME challenge responses
     ProxyPass /.well-known/acme-challenge/ !
 </IfModule>
+<IfModule mod_rewrite.c>
+    # Do not rewrite/redirect ACME challenge responses
+    RewriteEngine on
+    RewriteRule ^/\.well-known/acme-challenge/ - [L]
+</IfModule>
 <IfModule !alias_module>
     # Load the alias module, if not loaded already
     Include /etc/apache2/mods-available/alias.load
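Review bot: the new RewriteRule is in server-config context, and a rule there is not inherited into a <VirtualHost> that sets its own RewriteEngine on (that vhost has to opt in with RewriteOptions Inherit, or InheritBefore so this rule runs ahead of the vhost's own redirect), nor does [L] stop a per-directory (.htaccess) RewriteRule, which runs in a later round, nor does mod_rewrite have any effect on a mod_alias Redirect. Suggest `RewriteRule ^/\.well-known/acme-challenge/ - [END]` so the per-directory round is skipped as well, and a comment in the hunk saying that vhost-level rulesets must use RewriteOptions Inherit for this exclusion to apply; otherwise the fix looks right at server scope while the customer's vhost keeps redirecting the challenge.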


-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
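For comparison, here is what the exclusion looks like when it is placed in the customer's own vhost, where the subdomain redirect actually lives. This is an added example, not configuration from the bug report or from the dehydrated package; the hostnames, the 301 target and the challenge directory path are assumptions modelled on the thread above.

```apache
# Added example (not from the bug report or the dehydrated package).
# A subdomain vhost that redirects everything to https://example.com/subdomain/
# but keeps serving ACME http-01 challenges itself.  Hostnames and the
# /var/lib/dehydrated/acme-challenges path are assumptions.
<VirtualHost *:80>
    ServerName subdomain.example.com

    # Map the challenge path to dehydrated's well-known directory.
    # (The package's conf-available file already provides an Alias like this
    # at server scope; repeating it here keeps the example self-contained.)
    Alias /.well-known/acme-challenge/ /var/lib/dehydrated/acme-challenges/
    <Directory /var/lib/dehydrated/acme-challenges/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine on
    # Server-scope RewriteRules are not inherited into a vhost by default;
    # InheritBefore pulls them in and runs them ahead of the rules below.
    RewriteOptions InheritBefore

    # Exclusion first: mod_rewrite runs before mod_alias, so an unconditional
    # redirect placed above the Alias would win.  [END] (Apache 2.4) also
    # stops any later per-directory (.htaccess) rewrite round.
    RewriteRule ^/\.well-known/acme-challenge/ - [END]

    # Everything else goes to the canonical site, as in the reported setup.
    RewriteRule ^/(.*)$ https://example.com/subdomain/$1 [R=301,L]
</VirtualHost>
```

To check the result, request a challenge URL on the plain-HTTP subdomain and look at the status line: `curl -sI http://subdomain.example.com/.well-known/acme-challenge/probe` should answer 404 (or 200 for a token file that exists) rather than a 301 to example.com, while any other path on the subdomain should still give the 301.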