On Thu, Feb 02, 2017 at 12:34:27PM +0100, Rens Houben wrote:
> Dear Maintainer,

Hi!

> One of our webhosting customers that I'm using Let's Encrypt certificates
> for has migrated to a Joomla site that uses a lot of subdomain redirects
> of the general type "subdomain.example.com" ->
> "https://example.com/subdomain/"

Right, I've never done that thing, but indeed it won't work with the current rules.

> After some digging into the logs I discovered that the problem was that
> the certificate challenge followed the redirect chain, so the challenge
> for http://subdomain.example.com/.well-known/acme-challenge/etcetera was
> redirected to https://example.com/subdomain/well-known/acme-challenge/etc,
> and the Alias directive in /etc/apache2/conf-available/dehydrated.conf
> didn't cover it.
>
> Changing the rule to
>
> AliasMatch /.well-known/acme-challenge/(.*)$
> /var/lib/dehydrated/acme-challenges/$1

Well, I don't particularly like matching '/.well-known/acme-challenge/.*$' anywhere in the url, tbh; I'd rather anchor it at the start by ^, but that won't fix your problem above, even worsen it if possible.

Anyhow, do you do those redirects by means of mod_rewrite? If so, could you try adding this bit? If not, how do you redirect?

--- a/debian/dehydrated.conf +++ b/debian/dehydrated.conf @@ -8,6 +8,11 @@ # Do not proxy ACME challenge responses ProxyPass /.well-known/acme-challenge/ ! </IfModule> +<IfModule mod_rewrite.c> + # Do not rewrite/redirect ACME challenge responses + RewriteEngine on + RewriteRule ^/\.well-known/acme-challenge/ - [L] +</IfModule> <IfModule !alias_module> # Load the alias module, if not loaded already Include /etc/apache2/mods-available/alias.load

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540        .''`.
more about me: https://mapreri.org                                : :' :
Launchpad user: https://launchpad.net/~mapreri                    `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
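
Review bot: `RewriteRule ^/\.well-known/acme-challenge/ - [L]` is added at server scope in dehydrated.conf, where mod_rewrite rules are not inherited by virtual hosts by default and `[L]` only ends the server-scope rule set, so a redirect configured inside the subdomain's `<VirtualHost>` or in a per-directory `.htaccess` can still fire for the challenge path. Suggest extending the `# Do not rewrite/redirect ACME challenge responses` comment to say that vhosts carrying their own rewrite rules need `RewriteOptions Inherit` or their own exclusion for this path, and confirming the behaviour against both a vhost-level and an `.htaccess` redirect before shipping. Style point: the new block tests `mod_rewrite.c` while the context line right after it uses the identifier form `!alias_module`; `rewrite_module` would be consistent with that.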