Package: dehydrated-apache2
Version: 0.3.1-2~bpo8+1
Severity: important

Dear Maintainer,

One of our webhosting customers that I'm using Let's Encrypt certificates for has migrated to a Joomla site that uses a lot of subdomain redirects of the general type

    "subdomain.example.com" -> "https://example.com/subdomain/"

Because they want the whole site and all subdomains accessible via https, I've had to add each subdomain to the certificate. However, this started spitting out 404 errors on the subdomains.

After some digging into the logs I discovered that the problem was that the certificate challenge followed the redirect chain, so the challenge for http://subdomain.example.com/.well-known/acme-challenge/etcetera was redirected to https://example.com/subdomain/well-known/acme-challenge/etc, and the Alias directive in /etc/apache2/conf-available/dehydrated.conf didn't cover it.

Changing the rule to

    AliasMatch /.well-known/acme-challenge/(.*)$ /var/lib/dehydrated/acme-challenges/$1

fixed the problem.

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

dehydrated-apache2 depends on no packages.

Versions of packages dehydrated-apache2 recommends:
ii  apache2 [httpd]             2.4.10-10+deb8u7
ii  apache2-mpm-itk [httpd]     2.4.10-10+deb8u7
ii  apache2-mpm-worker [httpd]  2.4.10-10+deb8u7
ii  dehydrated                  0.3.1-2~bpo8+1

dehydrated-apache2 suggests no packages.

-- Configuration Files:
/etc/apache2/conf-available/dehydrated.conf changed:
<IfModule proxy_module>
    # Do not proxy ACME challenge responses
    ProxyPass /.well-known/acme-challenge/ !
</IfModule>
<IfModule !alias_module>
    # Load the alias module, if not loaded already
    Include /etc/apache2/mods-available/alias.load
    Include /etc/apache2/mods-available/alias.conf
</IfModule>
<IfModule alias_module>
    # Serve ACME challenge responses
    # Alias /.well-known/acme-challenge/ /var/lib/dehydrated/acme-challenges/
    AliasMatch /.well-known/acme-challenge/(.*)$ /var/lib/dehydrated/acme-challenges/$1
</IfModule>
<Directory /var/lib/dehydrated/acme-challenges/>
    Options FollowSymlinks
    Options -Indexes
    AllowOverride None
    # Apache >= 2.3
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    # Apache < 2.3
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Directory>

-- no debconf information
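
The path matching behind the change reported above, as an added example that is not part of the bug report or the dehydrated package: it models Alias as a plain prefix match and AliasMatch as an unanchored regex search (Python's re standing in for Apache's PCRE) over constructed request paths. The TIGHTER pattern is an assumption of this example; it allows at most one leading path segment and only the base64url characters that ACME tokens use.

```python
import re

CHALLENGE_DIR = "/var/lib/dehydrated/acme-challenges/"

# The packaged Alias prefix and the AliasMatch pattern from the report.
ALIAS_PREFIX = "/.well-known/acme-challenge/"
REPORTED = r"/.well-known/acme-challenge/(.*)$"
# Assumption of this example (not from the report): anchored, escaped dot,
# one optional leading segment, token limited to base64url characters.
TIGHTER = r"^(?:/[^/]+)?/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$"


def alias(url_path):
    """Simplified model of Alias: maps only paths that start with the prefix."""
    if url_path.startswith(ALIAS_PREFIX):
        return CHALLENGE_DIR + url_path[len(ALIAS_PREFIX):]
    return None


def alias_match(pattern, url_path):
    """Model of AliasMatch: regex search anywhere in the path, $1 appended."""
    m = re.search(pattern, url_path)
    return CHALLENGE_DIR + m.group(1) if m else None


# Constructed request paths; the tokens are made up for illustration.
SAMPLES = [
    "/.well-known/acme-challenge/tok_A1",            # direct challenge
    "/subdomain/.well-known/acme-challenge/tok_A1",  # after the redirect
    "/a/b/c/.well-known/acme-challenge/x/y.html",    # unrelated deep path
    "/subdomain/Xwell-known/acme-challenge/tok_A1",  # '.' acts as a wildcard
]


def report():
    """Return (path, Alias result, reported result, tighter result) rows."""
    return [(p, alias(p), alias_match(REPORTED, p), alias_match(TIGHTER, p))
            for p in SAMPLES]


if __name__ == "__main__":
    for path, a, r, t in report():
        print(path)
        print("  Alias    ->", a)
        print("  reported ->", r)
        print("  tighter  ->", t)
```

The reported pattern serves the redirected challenge, but it also maps the last two sample paths, because it is unanchored and its dot is unescaped; the anchored variant maps only the first two.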