DevHeads.net

issue with apache and virtual hosts and acme-client letsencrypt certificates

Hello,

I'm running a FreeBSD system that I'm running apache on and using that
to validate and put in to place letsencrypt certificates for several
domains.

I thought I had auto-updating working, turns out I didn't, but also
I've got a configuration problem with apache that is preventing
certificate validation.

If I use:

acme-client -v -C /usr/local/www/.well-known/acme-challenge -mbnN domain.com webmail.domain.com

/usr/local/www/.well-known/acme-challenge is where challenges are
stored, the validation works only if I have this line commented out:

Redirect / https://www.domain.com/

If the above is uncommented, validation fails. My goal is an all-SSL
site except for the acme validations, so if a user types in domain.com
or www.domain.com they get redirected to https. But if a request comes
in for the domain's host/.well-known/acme-challenge, it should stay on the
http site for certificate validation.

Here's a virtual host config:

<VirtualHost *:80>
ServerAdmin ... at domain dot com
DocumentRoot "/usr/vhosts/domain.com/htdocs/"
ServerName www.domain.com
ServerAlias domain.com www.domain.com mail.domain.com

ErrorDocument 404 /errordocs/error404.htm
# share well-known for renewal via Let's Encrypt!
Alias /.well-known/acme-challenge /usr/local/www/.well-known/acme-challenge

# Anything that isn't going to domain.com/.well-known gets forwarded to the https site
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known
Redirect / https://www.domain.com/

ErrorLog "/usr/vhosts/domain.com/logs/error.log"

# for acme challenges
<Directory "/usr/local/www/.well-known/acme-challenge">
Options None
AllowOverride None
Require all granted
Header add Content-Type text/plain
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin ... at domain dot com
DocumentRoot "/usr/vhosts/domain.com/htdocs/"
ServerName www.domain.com

SSLEngine on
SSLCertificateFile "/usr/local/etc/ssl/acme/domain.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/ssl/acme/private/domain.com/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/ssl/acme/domain.com/chain.pem"

<Directory "/usr/vhosts/domain.com/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
</Directory>
<IfModule mod_log_config.c>
CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/domain.com/logs/access.log-%Y-%m-%d.log 86400" combined
</IfModule>

# Disc cache setup
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk
CacheHeader on
CacheDefaultExpire 600
CacheMaxExpire 86400
CacheLastModifiedFactor 0.5
ExpiresActive on
ExpiresDefault "access plus 5 minutes"
Header merge Cache-Control public
FileETag All
</Location>
</VirtualHost>

Suggestions welcome.

Thanks.
Dave.
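The cause of the behaviour described in the post is that `RewriteCond` only governs the `RewriteRule` that follows it, while `Redirect` belongs to mod_alias and is evaluated independently, so the challenge exemption never applies. Below is an added example (not from the original post) of the port-80 virtual host with the exemption implemented in mod_rewrite only; hostnames and paths are the ones given in the post.

```apache
# Added example: port-80 vhost that serves ACME challenges over plain HTTP
# and sends everything else to https. The original config paired a
# RewriteCond with a mod_alias "Redirect"; Redirect ignores RewriteCond,
# so challenge requests were redirected too and validation failed.
<VirtualHost *:80>
    ServerName www.domain.com
    ServerAlias domain.com mail.domain.com
    DocumentRoot "/usr/vhosts/domain.com/htdocs/"

    # Challenge tokens live in the directory acme-client writes to (-C).
    Alias /.well-known/acme-challenge /usr/local/www/.well-known/acme-challenge
    <Directory "/usr/local/www/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # The condition applies to the RewriteRule directly below it. Requests
    # under /.well-known/acme-challenge/ fall through to the Alias above;
    # everything else gets a 301 to the https site, path preserved.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^/?(.*)$ https://www.domain.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/domain.com/logs/error.log"
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -sI http://domain.com/.well-known/acme-challenge/sometoken` should return a 200 (or a 404 for a token that does not exist) rather than a 301, while `curl -sI http://domain.com/` should return a 301 with a `Location: https://www.domain.com/` header.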