On 1/29/19 10:20 AM, Bill Cole wrote:
On 29 Jan 2019, at 10:25, Kevin A. McGrail wrote:
FYI, I think this is your territory, Dave
Bill had some interesting experience with the issue so cc'ing him.
Only "interesting" because I didn't trust the simplicity of the fix.
All I had to do on a fairly recent Certbot/CentOS7 installation was to
update the Certbot package and related Python packages (all in EPEL) and
verify that nothing in the config referenced tls-sni-01 explicitly.
Running 'certbot renew --dry-run' ran happily. This was all in the
LE/Certbot docs referenced in the warning message.
What confused me was that the Apache server in question had a stack of
vhosts, all of which had all port 80 requests redirected (via
mod_rewrite) to their port 443 siblings, all of which required "Basic"
authentication. The LE/Certbot information states that port 80 is
required for http-01 verification, so I didn't see how it could work and
did not see direct evidence of what certbot was doing. Upon closer
investigation, I found that it temporarily wraps the vhost config with a
mod_rewrite redirection of the challenge URL path, cleaning up after
itself when done. A few directories got modified, but no remaining files
were, so the only clear evidence of this was in the certbot debug log.
In short: I expected a failure that I'd need to work around but that
didn't happen. It just worked.
So is this fixed on the sa-vm1.apache.org server or do I need to fix it
still?
FYI, I found a better method for LE verification using the DNS-01 method
and a wrapper hook to ACME DNS:
http://docs.cert-manager.io/en/master/reference/issuers/acme/dns01/acme-dns.html
I setup the ACME DNS go server on auth.ena.net so I can host my own
_acme-challenge records via a CNAME. You can use the author's
auth.acme-dns.io server to get started. At home I set this up on my
pfSense firewall using the acme package. Now I have a wildcard cert
that I pull from my pfSense firewall to my raspi and push out to all of
my web servers so I have https everywhere and no annoying cert warnings.
ACME DNS allows for a server that is not reachable by the Internet to be
a central repository for all of your LE certs and automated renewals.
Then you push out the certs to all of your servers using your favorite
tool like Ansible, Puppet, Chef, Salt, shell script, etc.
Dave
