On 5/1/17 12:11 PM, Ian Brown wrote:
> I am trying to https/SSL enable my tomcat application server and have a
> problem when I request verification from the CA.
> Let's Encrypt requires the certificate request to be placed in
> mydomain.tld/.well-known/acme-challenge/ which they query to check that I
> control the site.
> Tomcat does not appear to handle hidden directories correctly. There are
> several on-line references to Tomcat being an issue, but I have yet to find a
> Tomcat solution.
> (Other than to front end Tomcat with the Apache httpd server, but I would
> like to find a solution that is pure tomcat.)
> I started with tomcat-7.0.42 Centos 6-8.el6 jdk1.7.0_25, then
> upgraded to tomcat-8.5.14 Centos 6-8.el6 jdk1.8.0_131, same problem.
>
> The hidden directory problem manifests in two ways.
> 1. If I create a site/app with the directory /.well-known/ Tomcat creates two
> contexts where there should be one, one for my app and another for
> /.well-known (i.e. a sub directory of the app)
> 2. If I don't create a /.well-known/ directory, but try and do a urlrewrite
> from /.well-known/ to say /well-known/ it still sees the url as trying to
> access a separate context /.well-known/
> and does not rewrite it as expected.
>
> Request-dumper shows (some lines removed for clarity)
>
> requestURI=/.well-known/acme-challenge/test.html
> contextPath=/.well-known
> serverName=mydomain.tld
> serverPort=80
> servletPath=/acme-challenge/test.html
> status=404
>
> The above fails whether or not /.well-known/acme-challenge/test.html exists, since
> it is looking in the wrong context path.
>
> Contrast with a correctly served (not hidden) page.
>
> requestURI=/stats/index.html
> contextPath=
> header=host=www.mydomain.tld
> contextPath=
> serverName=www.mydomain.tld
> serverPort=80
> servletPath=/stats/index.html
> status=200
>
> Has anyone seen a solution to this issue? Any suggestions?
> Thanks for your consideration,
> ian
>
Hi Ian,

I worked around this for tomcat by using the "--standalone" option for certbot. That just requires that you have port 80 and 443 (temporarily) open for all while it does the verification.

My Ansible playbook uses

    certbot certonly --noninteractive --agree-tos --standalone --email {{certbot_admin_email}} -d {{inventory_hostname}}

then

    openssl pkcs12 -inkey {{certbot_output_dir}}/privkey.pem -in {{certbot_output_dir}}/fullchain.pem -export -out {{tomcat_keystore_dir}}/vlibrary.pfx -password pass:{{key_pwd}}

I agree it would be great to have an auto-install certbot setup for tomcat, though.

Phil
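The PEM-to-PKCS#12 step of Phil's workaround, as an added shell example that is not code from the thread: a constructed self-signed key/certificate pair stands in for certbot's privkey.pem and fullchain.pem so it runs offline, the conversion is the same openssl pkcs12 invocation Phil's playbook runs, the resulting store is checked to open with the password, and a Tomcat 8.5 SSLHostConfig connector fragment pointing at the .pfx is emitted. It assumes openssl is on PATH; the directory names and the keystore password are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Requires openssl on PATH.
set -eu

# Constructed stand-in for certbot's output directory: a self-signed key and
# "chain" so the rest of the script runs without contacting Let's Encrypt.
make_fake_certbot_dir() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mydomain.tld" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
}

# The conversion Phil's playbook performs: PEM key + chain -> PKCS#12 for Tomcat.
build_pfx() {
  certbot_dir=$1; keystore_dir=$2; pfx_pwd=$3
  mkdir -p "$keystore_dir"
  openssl pkcs12 -export -inkey "$certbot_dir/privkey.pem" \
    -in "$certbot_dir/fullchain.pem" \
    -out "$keystore_dir/vlibrary.pfx" -password "pass:$pfx_pwd"
}

# Sanity check before pointing Tomcat at the store: it must open with the
# password and carry the expected leaf certificate subject.
check_pfx() {
  pfx=$1; pfx_pwd=$2
  openssl pkcs12 -in "$pfx" -nokeys -clcerts -password "pass:$pfx_pwd" \
    | openssl x509 -noout -subject
}

# Tomcat 8.5 connector fragment (server.xml) that uses the PKCS#12 store
# directly; no conversion to JKS is needed.
connector_xml() {
  cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="$1"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="$2" />
  </SSLHostConfig>
</Connector>
EOF
}

# Demo run with placeholder paths and password (guarded so the functions can
# still be sourced where openssl is absent).
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_fake_certbot_dir "$work/letsencrypt"
  build_pfx "$work/letsencrypt" "$work/tomcat-keystore" 'changeit'
  check_pfx "$work/tomcat-keystore/vlibrary.pfx" 'changeit'
  connector_xml "$work/tomcat-keystore/vlibrary.pfx" 'changeit'
fi
```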