Ian,

On 5/1/17 3:11 PM, Ian Brown wrote:
> I am trying to https/SSL enable my tomcat application server and
> have a problem when I request verification from the CA.
>
> Let's Encrypt requires the certificate request to be placed in
> mydomain.tld/.well-known/acme-challenge/ which they query to check
> that I control the site.
>
> Tomcat does not appear to handle hidden directories correctly.
> There are several on-line references to Tomcat being an issue, but I
> have yet to find a Tomcat solution.

I'm doing this in a completely-scripted environment using certbot-auto, etc. I'm presenting everything at ApacheCon/TomcatCon in two weeks in Miami if you'd like to join us. After my presentation, the slides, etc. will be available online.

There is nothing "hidden" about a directory that starts with a period. It's just an indication to "ls" that the directory entry should not be shown unless a certain flag is present. Tomcat is ignorant of that convention, and the "hiddenness" of your directory is a red herring.

> The hidden directory problem manifests in two ways.
>
> 1. If I create a site/app with the directory /.well-known/ Tomcat creates
> two contexts where there should be one, one for my app and another for
> /.well-known (i.e. a sub directory of the app)

What is your application's context-path? If it's anything other than "" (empty string, for the ROOT web application) then requests to /.well-known won't be served by your application. Period.

> 2. If I don't create a /.well-known/ directory, but try and do a
> urlrewrite from /.well-known/ to say /well-known/ it still sees the url
> as trying to access a separate context /.well-known/
> and does not rewrite it as expected.

Note that url-rewrite must be configured within an application -- it can't be done globally.

Basically, if you want to serve responses to a URL like /.well-known/whatever, then you either need an application with a context-path of "/.well-known", or you need the ROOT application to respond to those requests.

> Request-dumper shows (some lines removed for clarity)
>
> requestURI=/.well-known/acme-challenge/test.html
> contextPath=/.well-known serverName=mydomain.tld serverPort=80
> servletPath=/acme-challenge/test.html status=404
>
> The above fails whether /.well-known/acme-challenge/test.html exists or
> not since it is looking in the wrong context path.

What context-path did you expect?

> Contrasts with a correctly served (not hidden) page.
>
> requestURI=/stats/index.html contextPath=
> header=host=www.mydomain.tld contextPath=
> serverName=www.mydomain.tld serverPort=80
> servletPath=/stats/index.html status=200

Those are all being served by the ROOT web application.

Why not put your /.well-known files within the ROOT web application? Or leave them in /.well-known as above?

Please post some more details for what you are doing in case #1 above where the context-path of the application is /.well-known. For example, what files are on the disk, and where? Where is the <Context> defined?

-chris
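The context-path point Chris makes (a request is routed to the deployed context whose path is the longest whole-segment prefix of the URI, with ROOT at "" catching everything else) is the whole explanation for the request-dumper output above. The following is an added illustration, not Tomcat's code and not anything posted in this thread: a small Python model of that routing, run over three constructed deployments. The function names (`select_context`, `dump_request`, the three scenario functions), the `/myapp` context, and the file sets are all hypothetical; only the URI and the dumper field names come from the thread.

```python
"""Added example (not Tomcat project code, not from the mailing-list thread):
a small model of how Tomcat picks the web application (Context) for a request
URI, and what the request-dumper's contextPath / servletPath fields come out
as. All deployments and file lists below are constructed for illustration."""
from typing import Dict, Optional, Set

# Hypothetical deployment: context path -> set of files that context can serve,
# given as paths relative to the context root (its docBase). "" is ROOT.
Deployment = Dict[str, Set[str]]

# The request URI from Ian's request-dumper output.
ACME_URI = "/.well-known/acme-challenge/test.html"


def select_context(deployed: Deployment, request_uri: str) -> Optional[str]:
    """Pick the context whose path is the longest whole-segment prefix of the
    request URI. The ROOT application (path "") matches every URI, so it is
    only chosen when no longer context path applies."""
    best: Optional[str] = None
    for path in deployed:
        if path == "" or request_uri == path or request_uri.startswith(path + "/"):
            if best is None or len(path) > len(best):
                best = path
    return best


def dump_request(deployed: Deployment, request_uri: str) -> Dict[str, str]:
    """Mimic the request-dumper fields seen in the thread for one request."""
    ctx = select_context(deployed, request_uri)
    if ctx is None:
        # No ROOT app and no matching context: Tomcat itself answers 404.
        return {"requestURI": request_uri, "contextPath": "",
                "servletPath": "", "status": "404"}
    servlet_path = request_uri[len(ctx):]            # the part the app sees
    served = servlet_path.lstrip("/") in deployed[ctx]
    return {"requestURI": request_uri, "contextPath": ctx,
            "servletPath": servlet_path, "status": "200" if served else "404"}


def root_serves_well_known() -> Dict[str, str]:
    """Chris's suggestion: keep the challenge files inside the ROOT app."""
    deployed = {"": {"index.html", "stats/index.html",
                     ".well-known/acme-challenge/test.html"}}
    return dump_request(deployed, ACME_URI)


def separate_well_known_context() -> Dict[str, str]:
    """A context deployed at /.well-known captures the request, so the file
    must live in *that* context's docBase; a copy in ROOT is never consulted.
    This reproduces the contextPath/servletPath/404 seen in Ian's dump."""
    deployed = {"": {"index.html", ".well-known/acme-challenge/test.html"},
                "/.well-known": set()}
    return dump_request(deployed, ACME_URI)


def app_with_own_context_path() -> Dict[str, str]:
    """An app deployed at /myapp never sees /.well-known/... requests, whatever
    it contains; they fall through to ROOT (Chris's "Period.")."""
    deployed = {"": {"index.html"},
                "/myapp": {".well-known/acme-challenge/test.html"}}
    return dump_request(deployed, ACME_URI)


if __name__ == "__main__":
    for case in (root_serves_well_known, separate_well_known_context,
                 app_with_own_context_path):
        print(case.__name__, case())
```

Running it prints a dumper-style record per scenario: the ROOT deployment answers 200 with contextPath "", the /.well-known deployment answers 404 with contextPath=/.well-known and servletPath=/acme-challenge/test.html exactly as in Ian's output, and the /myapp deployment answers 404 from ROOT. The practical check is therefore to list the deployed contexts on the Host and confirm which one owns the /.well-known prefix before placing the challenge files.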