Ian,

On 5/2/17 2:15 PM, Ian Brown wrote:
> Solved/Worked-around !! (Although there might be a better way) Many
> Thanks to Mark and Christopher!
> 
> As Mark indicated the solution is very simple, but what worked on
> my system is slightly, but critically different than what works on
> Mark's.
> 
> Mark's solution/system:
>     cd webapps/ROOT
>     mkdir .well-known
> 
> I have multiple virtual hosts with multiple apps but what I think
> would work on mine (extrapolated from below) is

Hmm, multiple VHs will definitely be a problem, unless you either have
separate appbase directories (.well-known in each one) or ...
something very complicated. Do you have to allow users/apps to specify
their own certs, or are you king of the whole castle?

>     cd webapps
>     mkdir .well-known
> 
> In other words /ROOT and /.well-known are at the same level under
> webapps/
> 
> Here is what appears to work for me:
> 
> With virtual hosts create the directories for each host you want to
> secure, ~/webapps/hosteddomain.tld/.well-known and
> ~/webapps/hosteddomain.tld/.well-known/acme-challenge, replacing
> /hosteddomain.tld with the appropriate domain name.
> 
> If you have multiple apps for multiple hosts your directory
> structure should follow this pattern.
>     host1.tld/ROOT/
>     host1.tld/app1/
>     host1.tld/.well-known/acme-challenge/
>     host2.tld/ROOT/
>     host2.tld/app1/
>     host2.tld/.well-known/acme-challenge/

That will work.

> Why it is not obvious to me: I expected all urls to be routed with
> the same rules, but that is not what happens. Hidden directories
> are routed differently (on my system).

That should not happen. Remember: there is no such thing as a "hidden
directory".

> In my earlier example where I had
>     www.mydomain.tld/stats/
>     www.mydomain.tld/.well-known/acme-challenge/test.html
> 1- the stats directory was routed to:
>     contextPath= , servletPath=/stats/index.html
> 2- the .well-known directory was routed to:
>     contextPath=/.well-known, servletPath=/acme-challenge/test.html

That's what I'd expect.

> In directory terms I expected /stats/index.html
> to map to: www.mydomain.tld/ROOT/stats/index.html

If you have a /stats application, then the URL will be routed there.

Once an application has been selected based upon context-path match
(e.g. /stats) Tomcat won't check any other application. So if you have
application /stats and look for /stats/no-file.html you'll get a 404
even if ROOT/stats/no-file.html exists.

> /.well-known/acme-challenge/test.html to map to:
> www.mydomain.tld/ROOT/.well-known/acme-challenge/test.html
> 
> What I get is
> /stats/index.html maps to:
> www.mydomain.tld/ROOT/stats/index.html
> /.well-known/acme-challenge/test.html maps to:
> www.mydomain.tld/.well-known/acme-challenge/test.html

You haven't told us what apps you have configured, so it's tough to
tell what "should" be happening.

> Christopher: Would love to hear your talk & meet, but I won't be at
> the conference. Thanks for the invitation. We absolutely need a
> certbot-auto for tomcat.

My goal is to create a script that someone with certbot expertise can
use to roll-into certbot.

> There a lots of problem reports on the web for getting the
> certificate request verified under Tomcat.

I think that's because lots of people (a) don't understand the
issuance model for LE or (b) don't really know how to configure
Tomcat. It's dead simple to get LE to issue a certificate using only
Tomcat and a properly-configured DNS name.

> The main solution is to put Apache httpd in front of Tomcat so the
> url gets routed to the right directory. So I think you will be
> seeing this issue again.

If you have httpd out front, then issuing a certificate for Tomcat is
completely unnecessary, and it's just an academic exercise. Certbot,
for instance, can self-host a web server, so if you are going to
stand-up httpd just for LE cert issuance, then just allow certbot to
host itself instead.

-chris
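The context-selection rule Chris describes (longest context-path prefix wins, and Tomcat never falls back to another application once a context is chosen) is easy to see in a small model. The following is an added example written for this page, not Tomcat's own Mapper code: it derives context paths from the directory names in a Host's appBase (ROOT becomes "", any other directory, including .well-known, becomes "/name") and routes the URLs from the thread against two constructed appBase layouts created in a temporary directory.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

def contexts_from_appbase(appbase: Path) -> Dict[str, Path]:
    """Map context paths to directories the way automatic deployment does:
    ROOT -> "" (the default context), any other directory -> "/<name>"."""
    return {("" if d.name == "ROOT" else "/" + d.name): d
            for d in appbase.iterdir() if d.is_dir()}

def route(appbase: Path, uri: str) -> Tuple[str, str, Optional[Path]]:
    """Pick the context with the longest matching path prefix (the match must
    end at a '/' boundary), then resolve the remainder inside that context
    only. Returns (contextPath, servletPath, file or None when it would 404)."""
    ctx = contexts_from_appbase(appbase)
    best = ""
    for path in ctx:
        if path and (uri == path or uri.startswith(path + "/")) and len(path) > len(best):
            best = path
    servlet_path = uri[len(best):] or "/"
    if best not in ctx:                    # no ROOT deployed: nothing to serve it
        return best, servlet_path, None
    target = ctx[best] / servlet_path.lstrip("/")
    return best, servlet_path, (target if target.is_file() else None)

def make_appbase(root: Path, files: Dict[str, str]) -> Path:
    """Create a constructed appBase; keys are paths relative to the appBase."""
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

def demo() -> Dict[str, Tuple[str, str, bool]]:
    """Route the thread's URLs. Host A has only ROOT plus a .well-known
    directory beside it; host B additionally has a /stats application."""
    tmp = Path(tempfile.mkdtemp())
    host_a = make_appbase(tmp / "host-a.tld", {
        "ROOT/stats/index.html": "stats page",
        ".well-known/acme-challenge/test.html": "constructed token"})
    host_b = make_appbase(tmp / "host-b.tld", {
        "ROOT/stats/no-file.html": "shadowed by the /stats app",
        "stats/index.html": "stats app"})
    cases = [("a-stats", host_a, "/stats/index.html"),
             ("a-acme", host_a, "/.well-known/acme-challenge/test.html"),
             ("b-stats", host_b, "/stats/index.html"),
             ("b-shadowed", host_b, "/stats/no-file.html")]
    out = {}
    for name, base, uri in cases:
        cp, sp, hit = route(base, uri)
        out[name] = (cp, sp, hit is not None)   # False means a 404
    return out
```

Case b-shadowed is the point of Chris's explanation: once /stats is chosen, ROOT/stats/no-file.html is never consulted, so the request 404s even though the file exists under ROOT.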