On 5/1/17 12:11 PM, Ian Brown wrote:
> I am trying to https/SSL enable my tomcat application server and have a 
> problem when I request verification from the CA.
> Let's Encrypt requires the certificate request to be placed in 
> mydomain.tld/.well-known/acme-challenge/ which they query to check that I 
> control the site.
> Tomcat does not appear to handle hidden directories correctly. There are 
> several on-line references to Tomcat being an issue, but I have yet to find a 
> Tomcat solution.
> (Other than to front end Tomcat with the Apache httpd server, but I would 
> like to find a solution that is pure tomcat.)
> I started with tomcat-7.0.42, Centos 6-8.el6, jdk1.7.0_25, then 
> upgraded to tomcat-8.5.14, Centos 6-8.el6, jdk1.8.0_131, same problem.
>
> The hidden directory problem manifests in two ways. 
> 1. If I create a site/app with the directory /.well-known/ Tomcat creates two 
> contexts where there should be one, one for my app and another for 
> /.well-known (i.e. a sub directory of the app)
> 2. If I don't create a /.well-known/ directory, but try and do a urlrewrite 
> from /.well-known/ to say /well-known/ it still sees the url as trying to 
> access a separate context /.well-known/ 
> and does not rewrite it as expected.
>
> Request-dumper shows ( some lines removed for clarity)
>
> requestURI=/.well-known/acme-challenge/test.html
> contextPath=/.well-known
> serverName=mydomain.tld
> serverPort=80
> servletPath=/acme-challenge/test.html
> status=404
>
> The above fails if /.well-known/acme-challenge/test.html exists or not since 
> it is looking in the wrong context path.
>
> Contrasts with a correctly served (not hidden) page.
>
> requestURI=/stats/index.html
> contextPath=
> header=host=www.mydomain.tld
> contextPath=
> serverName=www.mydomain.tld
> serverPort=80
> servletPath=/stats/index.html
> status=200
>
> Has anyone seen a solution to this issue? Any suggestions?
> Thanks for your consideration, 
> ian
>

Hi Ian,

I worked around this for tomcat by using the "--standalone" option
for certbot.  That just requires that you have port 80 and 443
(temporarily) open for all while it does the verification.   My
Ansible playbook uses

certbot certonly --noninteractive --agree-tos --standalone --email
{{certbot_admin_email}} -d {{inventory_hostname}}

then

openssl pkcs12 -inkey {{certbot_output_dir}}/privkey.pem -in
{{certbot_output_dir}}/fullchain.pem -export -out
{{tomcat_keystore_dir}}/vlibrary.pfx -password pass:{{key_pwd}}

I agree it would be great to have an auto-install certbot setup for
tomcat, though.

Phil
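Phil's two steps written out as shell functions, added here as an example and not taken from the thread. It assumes certbot and openssl are on PATH and, for the hooks, a systemd unit named "tomcat"; the pre/post hooks, the password file and the permission handling are additions to Phil's commands.

```shell
#!/bin/sh
# Added example, not from the thread: Phil's two steps as shell functions.
# Assumes certbot and openssl are on PATH and (for the hooks) a systemd
# unit named "tomcat"; the hooks and the password file are additions.
set -eu

# Step 1: obtain the certificate with certbot's standalone responder.
# Standalone mode binds port 80 itself, so whatever normally listens
# there (Tomcat, or a connector on :80) must be down while it runs;
# --pre-hook/--post-hook make certbot do that around issuance and
# every later "certbot renew".
issue_cert() {
  domain=$1; email=$2
  certbot certonly --noninteractive --agree-tos --standalone \
    --email "$email" -d "$domain" \
    --pre-hook 'systemctl stop tomcat' --post-hook 'systemctl start tomcat'
}

# Step 2: bundle privkey.pem + fullchain.pem into the PKCS12 Tomcat reads.
# The export password comes from a 0600 file instead of "pass:..." on
# the command line, so it is not exposed in `ps` output or shell history;
# umask 077 makes the .pfx (which holds the private key) owner-readable only.
pem_to_pkcs12() {
  key=$1; chain=$2; out=$3; pwfile=$4
  ( umask 077
    openssl pkcs12 -export -inkey "$key" -in "$chain" \
      -name tomcat -out "$out" -passout "file:$pwfile" )
}

# Check the bundle opens with that password and print the leaf subject,
# before pointing Tomcat at it with something like
#   <Connector port="8443" ... keystoreFile=".../vlibrary.pfx"
#              keystoreType="PKCS12" keystorePass="..." keyAlias="tomcat"/>
verify_pkcs12() {
  out=$1; pwfile=$2
  openssl pkcs12 -in "$out" -passin "file:$pwfile" -nokeys -clcerts \
    | openssl x509 -noout -subject
}

# True only if the .pfx is readable by its owner alone.
pfx_is_private() {
  find "$1" -perm 600 | grep -q .
}
```

Run `issue_cert mydomain.tld admin@mydomain.tld` once, then `pem_to_pkcs12` and `verify_pkcs12` after each renewal so the .pfx never falls out of step with the PEM files certbot maintains.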

