Ian,

On 5/1/17 3:11 PM, Ian Brown wrote:
> I am trying to https/SSL enable my tomcat application server and 
> have a problem when I request verification from the CA.
> 
> Let's Encrypt requires the certificate request to be placed in 
> mydomain.tld/.well-known/acme-challenge/ which they query to check 
> that I control the site.
> 
> Tomcat does not appear to handle hidden directories correctly.
> There are several on-line references to Tomcat being an issue, but I
> have yet to find a Tomcat solution.
I'm doing this in a completely-scripted environment using certbot-auto,
etc. I'm presenting everything at ApacheCon/TomcatCon in two weeks in
Miami if you'd like to join us. After my presentation, the slides, etc.
will be available online.

There is nothing "hidden" about a directory that starts with a period.
It's just an indication to "ls" that the directory entry should not be
shown unless a certain flag is present.

Tomcat is ignorant of that convention, and the "hiddenness" of your
directory is a red herring.

> The hidden directory problem manifests in two ways. 1. If I create a
> site/app with the directory /.well-known/ Tomcat
> creates two contexts where there should be one, one for my app and
> another for /.well-known (i.e. a sub directory of the app)

What is your application's context-path? If it's anything other than ""
(empty string, for the ROOT web application) then requests to
/.well-known won't be served by your application. Period.

> 2. If I don't create a /.well-known/ directory, but try and do a
> urlrewrite from /.well-known/ to say /well-known/ it still sees the
> url as trying to access a separate context /.well-known/
> and does not rewrite it as expected.

Note that url-rewrite must be configured within an application -- it
can't be done globally. Basically, if you want to serve responses to a
URL like /.well-known/whatever, then you either need an application with
a context-path of "/.well-known", or you need the ROOT application to
respond to those requests.

> Request-dumper shows ( some lines removed for clarity)
> 
> requestURI=/.well-known/acme-challenge/test.html 
> contextPath=/.well-known serverName=mydomain.tld serverPort=80 
> servletPath=/acme-challenge/test.html status=404
> 
> The above fails if /.well-known/acme-challenge/test.html exists or 
> not since it is looking in the wrong context path.

What context-path did you expect?

> Contrasts with a correctly served (not hidden) page.
> 
> requestURI=/stats/index.html contextPath= 
> header=host=www.mydomain.tld contextPath= 
> serverName=www.mydomain.tld serverPort=80 
> servletPath=/stats/index.html status=200

Those are all being served by the ROOT web application. Why not put your
/.well-known files within the ROOT web application? Or leave them in
/.well-known as above? Please post some more details for what you are
doing in case #1 above where the context-path of the application is
/.well-known. For example, what files are on the disk, and where? Where
is the <Context> defined?

- -chris
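The routing behaviour Chris describes (a request is handed to the deployed context whose path is the longest matching prefix of the request URI, with the ROOT context "" taking whatever nothing more specific claims) can be illustrated with a small model. The script below is an added example written for this thread; it is not code from the mailing list or from Tomcat, and it only mimics the context-selection step, not the rest of request processing. The context names, doc-base directory names and file lists are constructed for the illustration. It reproduces the two request-dumper lines quoted above: the challenge URL lands in a /.well-known context when one exists and is looked up there, and /stats/index.html is served by ROOT.

```python
"""
Simplified model of Tomcat context-path mapping (added example, not code
from the thread or from Tomcat). Context selection is longest-prefix on a
path-segment boundary; the ROOT context (path "") is the fallback.
"""
from dataclasses import dataclass, field


@dataclass
class Context:
    path: str                      # context path; "" is the ROOT web application
    doc_base: str                  # constructed directory name backing this context
    files: set = field(default_factory=set)   # files present under doc_base (relative paths)


def select_context(contexts, request_uri):
    """Return the context whose path is the longest prefix of request_uri
    ending on a segment boundary, or None when nothing matches."""
    best = None
    for ctx in contexts:
        p = ctx.path
        matches = p == "" or request_uri == p or request_uri.startswith(p + "/")
        if matches and (best is None or len(p) > len(best.path)):
            best = ctx
    return best


def dispatch(contexts, request_uri):
    """Mimic the request-dumper fields: (contextPath, servletPath, status).
    The file is only looked for inside the selected context's doc base."""
    ctx = select_context(contexts, request_uri)
    if ctx is None:
        return ("", request_uri, 404)        # no context claims the URI at all
    servlet_path = request_uri[len(ctx.path):]
    relative_file = servlet_path.lstrip("/")
    status = 200 if relative_file in ctx.files else 404
    return (ctx.path, servlet_path, status)


CHALLENGE_URI = "/.well-known/acme-challenge/test.html"


def scenario_separate_empty_context():
    """Case 1 from the thread: ROOT plus an additional /.well-known context.
    The request is routed to /.well-known, so a copy of the file that sits
    under ROOT is never consulted and the result is the quoted 404."""
    contexts = [
        Context("", "webapps/ROOT", {"stats/index.html", "well-known/acme-challenge/test.html"}),
        Context("/.well-known", "webapps/.well-known", set()),   # constructed, deliberately empty
    ]
    return dispatch(contexts, CHALLENGE_URI)


def scenario_file_in_wellknown_context():
    """Same layout, but the challenge file placed in the /.well-known context."""
    contexts = [
        Context("", "webapps/ROOT", {"stats/index.html"}),
        Context("/.well-known", "webapps/.well-known", {"acme-challenge/test.html"}),
    ]
    return dispatch(contexts, CHALLENGE_URI)


def scenario_file_in_root():
    """No /.well-known context at all: ROOT serves the challenge from
    ROOT/.well-known/acme-challenge/test.html (the dot is irrelevant)."""
    contexts = [
        Context("", "webapps/ROOT", {"stats/index.html", ".well-known/acme-challenge/test.html"}),
    ]
    return dispatch(contexts, CHALLENGE_URI)


def scenario_stats_page():
    """The quoted request that already works: served by ROOT."""
    contexts = [
        Context("", "webapps/ROOT", {"stats/index.html"}),
        Context("/.well-known", "webapps/.well-known", set()),
    ]
    return dispatch(contexts, "/stats/index.html")


def scenario_only_non_root_app():
    """Chris's point: an application with a non-empty context-path such as
    /myapp never receives requests for /.well-known/..."""
    contexts = [Context("/myapp", "webapps/myapp", {".well-known/acme-challenge/test.html"})]
    return dispatch(contexts, CHALLENGE_URI)


if __name__ == "__main__":
    for fn in (scenario_separate_empty_context, scenario_file_in_wellknown_context,
               scenario_file_in_root, scenario_stats_page, scenario_only_non_root_app):
        print(f"{fn.__name__:40s} contextPath={fn()[0]!r} servletPath={fn()[1]!r} status={fn()[2]}")
```

The practical takeaway matches the reply: either give the challenge files to a context whose path is exactly /.well-known, or put them under the ROOT web application; a url-rewrite configured inside some other application never sees the request because mapping happens before that application is involved.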
