Thanks Andrzej, that's what I was looking for. However, why replace those lines after receiving the certificate? Of course, our script will add the necessary entries to the Pound configuration for newly acquired certificates, but then it's not clear why we should remove the above entries for bypassing requests to /.well-known/acme-challenge/. Don't we need them for automatic Let's Encrypt renewal? In three months the verification file will be renewed and Let's Encrypt will try again, so can we leave the bypassing entries in there permanently?
Thanks!

On Wed, Dec 6, 2017 at 12:58 AM, undefine <[email protected]> wrote:
> On 06.12.2017 at 03:07, Alan wrote:
>>
>> I can't just forward this as the system where we are trying Pound on
>> requests Let's Encrypt certificate at early stages during creation of
>> virtual server on port 80 and naturally doesn't find anything there,
>> because Apache listens to port 8080. And in our case it is possible to
>> create entries in the Pound configuration file and restart it only
>> after the Let's Encrypt certificate is requested. And, unfortunately,
>> Let's Encrypt always looks for the verification file at port 80 like, for
>> example:
>>
>> http://sub.mydomain.com/.well-known/acme-challenge/h5_NnrfdAhQoHdNUsA36cFsnM7E469FM-EZwltWFzqw
>>
>> It is not possible for us to make Let's Encrypt look for the verification
>> file at
>>
>> http://sub.mydomain.com:8080/.well-known/acme-challenge/h5_NnrfdAhQoHdNUsA36cFsnM7E469FM-EZwltWFzqw
>>
>> So it would be wonderful if Pound allowed just passing requests to
>> .well-known directly to Apache. At least that's how it's done on nginx
>> according to the accepted answers on
>>
>> https://serverfault.com/questions/768509/lets-encrypt-with-an-nginx-reverse-proxy
>> or
>> https://serverfault.com/questions/886583/how-to-configure-pound-proxy-to-pass-requests-to-well-known-directory
>
> If you already have Apache, which can serve static files, and don't want to use
> the bundled standalone HTTP server in certbot/letsencrypt, just add forward
> rules for /.well-known/acme-challenge/ to your Apache port.
>
> For example (if you have Apache on port 8080):
>
> Service
>     URL "/.well-known/acme-challenge/"
>     IgnoreCase 1
>     BackEnd
>         Address 127.0.0.1
>         Port 8080
>     End
> End
>
> After receiving the certificate you of course need to replace it in the Pound
> configuration. I have it in a script which, after a successful receive, merges
> the key, intermediate certificate and certificate into one file and replaces
> the certificate in Pound with that file.
>
>
> Andrzej
>
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
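The post-issuance script Andrzej describes, written out as an added example (this is not code from the thread or from the Pound project). It merges certbot's privkey.pem, cert.pem and chain.pem into the single PEM file that Pound's "Cert" directive reads, and renders a pound.cfg that keeps the /.well-known/acme-challenge/ pass-through to Apache on port 80 in place permanently, so the HTTP-01 challenge is served the same way at renewal time. The certbot live directory, the output paths, the Apache port 8080 and the host name sub.mydomain.com are assumptions taken from the thread; the PEM files it creates are constructed placeholders, not real key material, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Merges key + leaf cert + chain into
# one PEM bundle for Pound and renders a pound.cfg that keeps the ACME
# pass-through. Paths and host name are assumptions; adjust to your layout.
set -eu

# Concatenate key, leaf certificate and intermediate chain into one PEM file.
# Usage: build_pound_pem <certbot live dir> <output bundle>
build_pound_pem() {
    live="$1"; out="$2"
    for f in privkey.pem cert.pem chain.pem; do
        [ -s "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    # umask in a subshell: the bundle holds the private key, so create it 0600
    ( umask 077; cat "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" > "$tmp" )
    mv "$tmp" "$out"   # atomic rename: Pound never reads a half-written bundle
}

# Number of PEM objects in a file; a correct bundle has exactly 3.
count_pem_blocks() {
    grep -c '^-----BEGIN ' "$1" || true
}

# Render pound.cfg to stdout. Port 80: ACME challenges go to Apache on 8080,
# everything else is redirected to HTTPS. Port 443: serves the merged bundle
# and proxies to the same Apache instance.
# Usage: render_pound_cfg <bundle path> <host name>
render_pound_cfg() {
    bundle="$1"; host="$2"
    cat <<EOF
ListenHTTP
    Address 0.0.0.0
    Port 80
    Service
        URL "/.well-known/acme-challenge/"
        IgnoreCase 1
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
    End
    Service
        Redirect "https://$host"
    End
End

ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "$bundle"
    Service
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
    End
End
EOF
}

# Constructed stand-in for /etc/letsencrypt/live/<host>: placeholder PEM
# objects, not real key material, so the example runs offline.
make_constructed_live() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' > "$1/chain.pem"
}

# Demo run against the constructed directory. In real use point build_pound_pem
# at /etc/letsencrypt/live/sub.mydomain.com, write the bundle under /etc/pound,
# install the rendered config and then reload Pound.
demo_dir=$(mktemp -d)
make_constructed_live "$demo_dir/live"
build_pound_pem "$demo_dir/live" "$demo_dir/pound.pem"
echo "bundle has $(count_pem_blocks "$demo_dir/pound.pem") PEM objects"
render_pound_cfg "$demo_dir/pound.pem" sub.mydomain.com > "$demo_dir/pound.cfg"
echo "wrote $demo_dir/pound.cfg"
```

The bundle is written to a temporary name and renamed into place, so a reload that races the script sees either the old or the new file, never a truncated one. The challenge Service block is emitted unconditionally rather than being added and removed around each issuance; the renewal challenge arrives on port 80 at the same path, so the pass-through is needed every time the certificate is renewed, not only on first issuance.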
