Apache Lounge
Topic: mod_md : not possible to use with other acme client
pbhq (Joined: 17 Mar 2013, Posts: 37, Location: Germany)

PostPosted: Sun 18 Mar '18 17:13    Post subject: mod_md : not possible to use with other acme client

Split from www.apachelounge.com/viewtopic.php?t=7938

Steffen wrote:

*) mod_md is in 2.4.30 added as an experimental module, not advised to use in production yet, we need success stories.
Also Let's Encrypt has new features, like the new ACMEv2 protocol and wildcard. So better to wait with mod_md.
Advised is to use win-acme which has a more complete feature set.
Please mail me or post here when you have success with mod_md or not.


A suggestion from me for the official release:

I would not publish the official release with mod_md, but offer the two modules (mod_md & mod_ssl) separately for download.

For mod_ssl to work in the vote release, mod_md must also be included, and mod_md will catch access to the .well-known directory. In other words: with the vote release it's not possible to use Lets-Encrypt-Win-Simple (I think).
admin (Site Admin, Joined: 15 Oct 2005, Posts: 677)

PostPosted: Sun 18 Mar '18 17:53

I run mod_ssl here, not with mod_md. Cannot test with win-acme now, have to wait for the cert to expire.


I think you mean the win-acme client.

Maybe the author Stefan can answer whether .well-known is caught in mod_ssl with and without mod_md?

When it is true what you say, then in the Linux world they could maybe not use their Certbot client either.

I would like to see a Linux user try it.

Maybe you could file a bug report at https://bz.apache.org/bugzilla/ when Linux also has issues; that is preferred by the devs.

Posted this again to the dev list: http://apache-http-server.18135.x6.nabble.com/mod-md-not-possible-to-use-Lets-Encrypt-Win-Simple-td5042358.html
glsmith (Moderator, Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)

PostPosted: Sun 18 Mar '18 18:29    Post subject: Re: Apache httpd 2.4.33-vote available

pbhq wrote:
For mod_ssl to work in the vote release, mod_md must also be included and mod_md will catch access to the .well-known directory.


I do not find this the case. I have mod_ssl loaded and working yet do not have mod_md loaded.

If you have any of mod_md's directives in your configuration then of course it also must be loaded or Apache will error, like any other directive that's module specific.
Steffen (Moderator, Joined: 15 Oct 2005, Posts: 3049, Location: Hilversum, NL, EU)

PostPosted: Sun 18 Mar '18 18:42

He means that he cannot run win-acme to get certs, because the challenge in the .well-known dir is caught by mod_ssl.

I think he is using the TLS-SNI challenge with an old account? The TLS-SNI challenge was disabled by Let's Encrypt back in January, but old users can still use it.

@pbhq what happens when you remove the md folder and start all over again?

@pbhq what happens when you create a new certificate with win-acme without mod_md and with mod_ssl?
Steffen (Moderator, Joined: 15 Oct 2005, Posts: 3049, Location: Hilversum, NL, EU)

PostPosted: Sun 18 Mar '18 19:26

Did a test by making: .well-known\acme-challenge\test.txt

Running without mod_md:
https://www.apachelounge.com/.well-known/acme-challenge/test.txt

Gives no errors.
Steffen (Moderator, Joined: 15 Oct 2005, Posts: 3049, Location: Hilversum, NL, EU)

PostPosted: Sun 18 Mar '18 19:30

Running with mod_md gives:

not found:

GET /.well-known/acme-challenge/test.txt HTTP/1.1" 404

So when running mod_md you cannot run an ACME client which uses https for a challenge.
pbhq (Joined: 17 Mar 2013, Posts: 37, Location: Germany)

PostPosted: Sun 18 Mar '18 20:20

Steffen wrote:
Running with mod_md gives:

not found:

GET /.well-known/acme-challenge/test.txt HTTP/1.1" 404

So when running mod_md you cannot run an ACME client which uses https for a challenge.


If you say so, that's the way it is. And yes, that's how it should work.

Maybe that was different in the first beta version, don't know.

I wanted to test the topic again, but mod_md has developed a life of its own again. I'll write something else in the other mod_md thread.
Steffen (Moderator, Joined: 15 Oct 2005, Posts: 3049, Location: Hilversum, NL, EU)

PostPosted: Sun 18 Mar '18 20:32

This was the log with mod_md:

mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
glsmith (Moderator, Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)

PostPosted: Sun 18 Mar '18 20:34

OK, I'd imagine that is by design.

Where does mod_md store the .well-known stuff? In wherever you have set MDStoreDir. So "${MDStoreDir}/domain" IIRC.

Where does win-acme store the .well-known stuff?
"${DocumentRoot}/.well-known/acme-challenge/" IIRC, when trying it out long ago under its original name.

Those are two different places, and I would assume that mod_md intercepts any URI with .well-known/acme-challenge/ in it and has Apache serve what's in "${MDStoreDir}/domain" instead.

Like a built-in Alias "/.well-known/acme-challenge/" "${MDStoreDir}/${HTTP_HOST}/"

You yourself had mod_ssl running without mod_md in your first test, so mod_ssl will work without mod_md loaded, and that is what the OP said did not work and I disagreed with. If you have mod_md directives in your config not surrounded by IfModule container(s), then yes, mod_ssl, actually Apache, will not start w/o mod_md loaded.

Just my take on what was originally stated, mod_ssl not working unless mod_md is included.
Steffen (Moderator, Joined: 15 Oct 2005, Posts: 3049, Location: Hilversum, NL, EU)

PostPosted: Mon 19 Mar '18 11:40

Fix available https://www.apachelounge.com/viewtopic.php?p=36635 :

mod_md: /.well-known/acme-challenge requests that cannot be answered for hostnames
outside the configured MDs are free to be answered by other handlers. This allows
co-existence between mod_md and other ACME clients on the same server (implements PR62189).
[Stefan Eissing, Arkadiusz Miskiewicz <arekm@maven.pl>]


http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1827175

Again, thanks for reporting!
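To make the behaviour discussed in this thread concrete, here is an added toy model (not mod_md's code, and not posted by anyone in the thread) of the dispatch glsmith describes and of the change in r1827175: mod_md answers /.well-known/acme-challenge/ from its own store for hosts it manages, and after the fix declines requests for other hosts so a second ACME client's files under DocumentRoot can be served. The store and DocumentRoot contents are constructed dicts, the hostnames and tokens are made up, and `coexist=False` stands for the pre-fix behaviour.

```python
"""Toy model of the mod_md challenge handler described in this thread (added
example, not mod_md's code): mod_md answers /.well-known/acme-challenge/ from
its own store (MDStoreDir) and, since r1827175, declines requests for hosts
outside its configured MDs so another client such as win-acme, which writes
files under DocumentRoot/.well-known/acme-challenge/, can be served instead.
Store and docroot contents are constructed dicts, not real files."""
from dataclasses import dataclass

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class Server:
    managed_domains: set      # hostnames from MDomain directives
    md_store: dict            # hostname -> {token: key_authorization}
    docroot_challenges: dict  # token -> content written by the other ACME client
    coexist: bool = True      # False models the pre-fix behaviour (always 404)


def md_handler(srv, host, uri):
    """mod_md's hook: ('served', body), ('404', None) or ('declined', None)."""
    if not uri.startswith(ACME_PREFIX):
        return ("declined", None)             # not an ACME path, not our business
    token = uri[len(ACME_PREFIX):]
    if host in srv.managed_domains:
        body = srv.md_store.get(host, {}).get(token)
        return ("served", body) if body is not None else ("404", None)
    if srv.coexist:
        return ("declined", None)             # fixed: leave it to other handlers
    return ("404", None)                      # pre-fix: the 404 seen for test.txt


def default_handler(srv, uri):
    """Plain file serving from DocumentRoot, where win-acme puts its tokens."""
    if uri.startswith(ACME_PREFIX):
        body = srv.docroot_challenges.get(uri[len(ACME_PREFIX):])
        return ("served", body) if body is not None else ("404", None)
    return ("404", None)


def handle_request(srv, host, uri):
    """Dispatch like httpd: the first handler that does not decline wins."""
    status, body = md_handler(srv, host, uri)
    return default_handler(srv, uri) if status == "declined" else (status, body)


if __name__ == "__main__":
    srv = Server({"md.example.test"}, {"md.example.test": {"tokA": "tokA.kaA"}},
                 {"test.txt": "hello"})
    print(handle_request(srv, "www.example.test", ACME_PREFIX + "test.txt"))
    print(handle_request(Server(set(), {}, {"test.txt": "hello"}, coexist=False),
                         "www.example.test", ACME_PREFIX + "test.txt"))
```

The first call prints the post-fix result (served from DocumentRoot), the second reproduces the pre-fix 404 for a host mod_md does not manage.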
pbhq (Joined: 17 Mar 2013, Posts: 37, Location: Germany)

PostPosted: Tue 20 Mar '18 17:56    Post subject: Re: mod_md : not possible to use with other acme client

pbhq wrote:
For mod_ssl to work in the vote release, mod_md must also be included ...


Sorry for the mess.

That was my mistake, because I did not correctly trigger the md-debug statement for loglevel via IfModule.

Of course, mod_ssl works without mod_md.