etc/examples/httpd.conf remove acme-challenge location block on port 443


Horia Racoviceanu
afaik, there is no challenge on port https

Attachment: examples-httpd.conf.diff (468 bytes)

Re: etc/examples/httpd.conf remove acme-challenge location block on port 443

Florian Obser-2
On Thu, Jun 13, 2019 at 10:08:52AM -0400, Horia Racoviceanu wrote:
> afaik, there is no challenge on port https

That is true, kinda:

RFC 8555, 8.3 HTTP Challenge, page 63:

    Because many web servers allocate a default HTTPS virtual host to a
    particular low-privilege tenant user in a subtle and non-intuitive
    manner, the challenge must be completed over HTTP, not HTTPS.

(Not quite sure what they are going on about though)

However, https://letsencrypt.org/docs/challenge-types/

    Our implementation of the HTTP-01 challenge follows redirects, up to
    10 redirects deep. It only accepts redirects to "http:" or "https:",
    and only to ports 80 or 443.

I could swear that Let's Encrypt actually probed on 443 in case of a
renew in the past. I don't think they do that anymore. (And the
documentation suggests that they don't and only follow redirects.)

I'm fine with the change. But I'm also fine with keeping it, with a
slight preference towards deletion.

> Index: httpd.conf
> ===================================================================
> RCS file: /cvs/src/etc/examples/httpd.conf,v
> retrieving revision 1.20
> diff -u -p -r1.20 httpd.conf
> --- httpd.conf 13 Jun 2018 15:08:24 -0000 1.20
> +++ httpd.conf 13 Jun 2019 13:57:56 -0000
> @@ -20,8 +20,4 @@ server "example.com" {
>   location "/pub/*" {
>   directory auto index
>   }
> - location "/.well-known/acme-challenge/*" {
> - root "/acme"
> - request strip 2
> - }
>  }
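Review bot: the three lines of leading context in this hunk do not include the block's `listen` line, so confirm from the attached examples-httpd.conf.diff that the `server "example.com"` being trimmed is the port 443 server and not the port 80 one, which must keep `location "/.well-known/acme-challenge/*"` for HTTP-01 to work at all. Since Let's Encrypt follows redirects to port 443 (quoted above), the port 80 block must also not redirect that path to HTTPS once the TLS block stops serving `/acme`, or validation fails after this change. The copy quoted in the mail body has also lost its leading indentation, so apply the attachment rather than the quoted text.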


--
I'm not entirely sure you are real.
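As an added illustration of the point made in this thread (example configuration, not the committed etc/examples/httpd.conf and not part of the posts): the acme-challenge location is kept only in the port 80 server, and the redirect to HTTPS is placed after it so the challenge path is never redirected to the TLS server that no longer serves /acme. The certificate and key paths and the 302 redirect are assumptions.

```conf
# Added example (not the committed etc/examples/httpd.conf): the HTTP-01
# challenge is answered over plain HTTP only, so the acme-challenge
# location lives in the port 80 server and nowhere else.
server "example.com" {
    listen on * port 80

    # Keep the challenge path reachable over HTTP. acme-client(1) writes
    # the token files under /acme; "request strip 2" drops the two
    # leading components "/.well-known/acme-challenge" before the
    # remaining path is looked up under the root.
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }

    # Everything else goes to HTTPS. The first matching location wins,
    # so the challenge path above is never redirected. If it were,
    # Let's Encrypt would follow the redirect to port 443, where the
    # block below no longer serves /acme, and validation would fail.
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI"
    }
}

server "example.com" {
    listen on * tls port 443
    tls {
        # Assumed paths; use whatever acme-client(1) writes on this host.
        certificate "/etc/ssl/example.com.fullchain.pem"
        key "/etc/ssl/private/example.com.key"
    }
    location "/pub/*" {
        directory auto index
    }
    # No acme-challenge location here: this is the block the diff trims.
}
```

`httpd -n -f /etc/httpd.conf` checks the syntax without starting any servers.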


Re: etc/examples/httpd.conf remove acme-challenge location block on port 443

Klemens Nanni-2
On Thu, Jun 13, 2019 at 10:08:52AM -0400, Horia Racoviceanu wrote:
> afaik, there is no challenge on port https
https://letsencrypt.org/docs/challenge-types/