On 06.12.2017 at 21:49, Alan wrote:
> Thanks Andrzej,
>
> That's what I was looking for. However, why replace those lines after
> receiving the certificate? Of course, our script will add the necessary
> entries to the Pound configuration for newly acquired certificates, but
> then it's not clear why we should remove the above entries for
> bypassing requests to /.well-known/acme-challenge/. Don't we need them
> for automatic Let's Encrypt renewal? In three months the verification
> file will be renewed and Let's Encrypt will try again, so can we leave
> the bypassing entries in there forever?

No, you don't remove the entries from the configuration :) You only need to
replace the SSL certificate with the one generated by Let's Encrypt, and after
that reload Pound.

Regards,
Andrzej

> Thanks!
>
> On Wed, Dec 6, 2017 at 12:58 AM, undefine <[email protected]> wrote:
>> On 06.12.2017 at 03:07, Alan wrote:
>>> I can't just forward this, as the system where we are trying Pound
>>> requests the Let's Encrypt certificate at an early stage during creation
>>> of the virtual server on port 80 and naturally doesn't find anything
>>> there, because Apache listens on port 8080. And in our case it is
>>> possible to create entries in the Pound configuration file and restart
>>> it only after the Let's Encrypt certificate is requested. And,
>>> unfortunately, Let's Encrypt always looks for the verification file on
>>> port 80, like, for example:
>>>
>>> http://sub.mydomain.com/.well-known/acme-challenge/h5_NnrfdAhQoHdNUsA36cFsnM7E469FM-EZwltWFzqw
>>>
>>> It is not possible for us to make Let's Encrypt look for the
>>> verification file at
>>>
>>> http://sub.mydomain.com:8080/.well-known/acme-challenge/h5_NnrfdAhQoHdNUsA36cFsnM7E469FM-EZwltWFzqw
>>>
>>> So it would be wonderful if Pound allowed just passing requests to
>>> .well-known directly to Apache. At least that's how it's done on nginx
>>> according to the accepted answers on
>>> https://serverfault.com/questions/768509/lets-encrypt-with-an-nginx-reverse-proxy
>>> or
>>> https://serverfault.com/questions/886583/how-to-configure-pound-proxy-to-pass-requests-to-well-known-directory.
>> If you already have Apache, which can serve static files, and don't want
>> to use the standalone HTTP server bundled with certbot/letsencrypt, just
>> forward requests for /.well-known/acme-challenge/ to your Apache port.
>>
>> For example (if you have Apache on port 8080):
>>
>>     Service
>>         URL "/.well-known/acme-challenge/"
>>         IgnoreCase 1
>>         BackEnd
>>             Address 127.0.0.1
>>             Port 8080
>>         End
>>     End
>>
>> After receiving the certificate you of course need to replace it in the
>> Pound configuration. I have this in a script which, after a successful
>> receipt, merges the key, intermediate certificate and certificate into
>> one file and replaces the certificate in Pound with that file.
>>
>> Andrzej
>>
>> --
>> To unsubscribe send an email with subject unsubscribe to [email protected].
>> Please contact [email protected] for questions.

--
Regards,
Andrzej 'The Undefined' Dopierała
http://andrzej.dopierala.name/
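Added example, not code from the thread, from Andrzej's script or from the Pound project: a deploy script that does what the thread describes (merge key, certificate and intermediate chain into the single PEM file Pound's Cert directive reads, replace the old file, restart Pound) and, before touching anything, checks that the ACME bypass Service from the thread is still in the Pound config, since that Service stays permanently and only the certificate file changes at each renewal. Assumptions not stated in the thread: certbot's default layout /etc/letsencrypt/live/<domain>/{privkey,cert,chain}.pem, a Pound bundle path of /etc/pound/<domain>.pem, `systemctl restart pound` as the reload command, and that the bypass is written with a `URL "...well-known/acme-challenge..."` line as in the thread. The key/certificate match check needs openssl and is skipped when it is absent.

```shell
#!/bin/sh
# Deploy a Let's Encrypt certificate into Pound: bundle key + cert + chain,
# replace the file Pound's Cert directive points at, restart Pound.
# The /.well-known/acme-challenge/ bypass Service in pound.cfg is never touched.
# Paths and the restart command below are assumptions, not from the thread.

set -eu
umask 077   # the bundle carries the private key; never create it world-readable

# Print the PEM block labels of a file in order, comma-separated,
# e.g. "PRIVATE KEY,CERTIFICATE,CERTIFICATE,". Pound reads key, then cert, then chain.
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ','
}

# Merge key, cert and chain into $4 atomically (temp file + rename in the same
# directory). Refuses empty inputs and inputs whose PEM headers are not what
# Pound expects, so a half-finished certbot run cannot hand Pound a bad bundle.
bundle_pem() {
    key=$1; cert=$2; chain=$3; out=$4
    for f in "$key" "$cert" "$chain"; do
        [ -s "$f" ] || { echo "bundle_pem: missing or empty: $f" >&2; return 1; }
    done
    grep -q 'PRIVATE KEY-----$' "$key"         || { echo "bundle_pem: $key is not a private key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE-----$' "$cert"  || { echo "bundle_pem: $cert is not a certificate" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE-----$' "$chain" || { echo "bundle_pem: $chain is not a certificate" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$out")/.pound-bundle.XXXXXX") || return 1
    cat "$key" "$cert" "$chain" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp" && mv -f "$tmp" "$out"
}

# True if the private key belongs to the certificate (compares the public keys).
# Deploying a mismatched pair is the classic way to take a TLS listener down.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if the Pound config still carries the acme-challenge bypass Service.
# It must stay in place permanently: every renewal goes through it again.
has_acme_bypass() {
    grep -q 'URL[[:space:]]*".*well-known/acme-challenge' "$1"
}

# Usage: deploy_cert <domain> [pound.cfg]   (suitable as a certbot --deploy-hook)
deploy_cert() {
    domain=$1; cfg=${2:-/etc/pound/pound.cfg}
    live=/etc/letsencrypt/live/$domain          # assumed certbot layout
    out=/etc/pound/$domain.pem                  # assumed Pound Cert path
    has_acme_bypass "$cfg" || echo "warning: no acme-challenge bypass Service in $cfg; renewals will fail" >&2
    if command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$live/privkey.pem" "$live/cert.pem" \
            || { echo "key/cert mismatch for $domain, not deploying" >&2; return 1; }
    fi
    bundle_pem "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" "$out"
    systemctl restart pound                     # assumed reload command
}

if [ $# -ge 1 ]; then
    deploy_cert "$@"
fi
```

Pound only needs the new file and a restart; nothing in the Service block changes between renewals, which is why the script reads the config rather than rewriting it.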
