James,

On 8/24/20 13:24, James H. H. Lampert wrote:
> On 8/24/20 9:57 AM, Christopher Schultz wrote:
>> So your RewriteCond[ition] is expected to always be true? Okay.
>> Maybe remove it, then? BTW I think your rewrite will strip query
>> strings and stuff like that. Maybe you just want
>> RedirectPermanent instead of Rewrite(Cond|Rule)?
>>
>> Okay, so everyone gets redirected from http://example.com/ to
>> https://example.com/. If LE requests
>> http://example.com/.well-known/uherfhuerhfiu then it will be
>> redirected to https://example.com/.well-known/uherfhuerhfiu,
>> presumably locate the correct file and authorize the certificate
>> request, right?
>>
>> But you have said that "everything is unconditionally passed to
>> Tomcat". You posted some config that definitely passes some
>> things to Tomcat, but without seeing the rest of the
>> <VirtualHost> configuration it's not possible to know for sure
>> nothing else is going on.
>
> Ok. In the original post, I posted the virtual host configuration
> as it was at the time, with meaningful domain names and IP
> addresses redacted, and some commented-out, abandoned-in-place
> lines removed.
>
> Here is what I currently have in place, albeit with names and IP
> addresses "changed to protect the innocent." I'm sending you the
> uncensored version off-List.
>
> <VirtualHost *:80>
>     ServerName foo.frobozz.com
>     # ServerAlias bar.frobozz.com
>     DocumentRoot /var/www/html/test
>     ServerAdmin i...@frobozz.com
>     <Directory /var/www/html/test>
>         AllowOverride All
>     </Directory>
>     RewriteEngine on
>     RewriteCond %{HTTP_HOST} !^www\. [NC]
>     RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> </VirtualHost>
>
> <IfModule mod_ssl.c>
> <VirtualHost *:443>
>     ServerName foo.frobozz.com
>     # ServerAlias bar.frobozz.com
>     DocumentRoot /var/www/html/test
>     ServerAdmin i...@frobozz.com
>     # <Directory /var/www/html/test>
>     #     AllowOverride All
>     # </Directory>
>     # <Proxy "https://foo.frobozz.com/manager/html/*">
>     #     Require ip aa.bb.cc.dd
>     # </Proxy>
>     # <Proxy "https://bar.frobozz.com/manager/html/*">
>     #     Require ip aa.bb.cc.dd
>     # </Proxy>
>     <Location /manager>
>         Require ip aa.bb.cc.dd ww.xx.yy zz pp.dd.qq.xx
>     </Location>
>     <Location /host-manager>
>         Require ip aa.bb.cc.dd ww.xx.yy zz pp.dd.qq.xx
>     </Location>
>     ProxyPass "/" "http://127.0.0.1:8080/"
>     ProxyPassReverse "/" "http://127.0.0.1:8080/"
>     ProxyRequests Off
>     Include /etc/letsencrypt/options-ssl-apache.conf
>     SSLCertificateFile /etc/letsencrypt/live/foo.frobozz.com/fullchain.pem
>     SSLCertificateKeyFile /etc/letsencrypt/live/foo.frobozz.com/privkey.pem
> </VirtualHost>
> </IfModule>

Yeah... that's pretty straightforward. Hmm.

No other VirtualHosts? No other web servers in the mix (e.g. a
load-balancer which already redirects to HTTPS), etc.?

That seems pretty mysterious to me, too.

Are you using VH-based authentication with LE? Meaning, you aren't
using DNS authentication or anything like that?

I think once you have configured the server once with an LE
certificate, renewals can use the existing certificate as
proof-of-ownership without having to put the file into /.well-known.
Or something. I have forgotten the details.

So maybe that's it: you've already bootstrapped the process and so
it's smoother, now. Maybe?

-chris
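As an added illustration (not code from the thread, from Apache, or from Tomcat), here is a small Python model of how the port-443 VirtualHost quoted above routes a request: the `Require ip` allowlist on the /manager and /host-manager locations is checked first, then `ProxyPass "/"` hands everything else to Tomcat. The allowlist addresses are constructed stand-ins for the redacted ones; the model is a simplification of Apache's real matching.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the redacted "aa.bb.cc.dd ww.xx.yy zz pp.dd.qq.xx".
MANAGER_ALLOW: List[str] = ["203.0.113.10", "198.51.100.0/24"]
# <Location /manager> and <Location /host-manager> from the posted vhost.
LOCATIONS: Dict[str, List[str]] = {"/manager": MANAGER_ALLOW, "/host-manager": MANAGER_ALLOW}
# ProxyPass "/" "http://127.0.0.1:8080/" from the posted vhost.
PROXY_PASS: Dict[str, str] = {"/": "http://127.0.0.1:8080/"}


def ip_allowed(client_ip: str, allow: List[str]) -> bool:
    """Apache `Require ip`: entries are addresses or CIDR blocks; any match grants."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allow)


def location_matches(path: str, prefix: str) -> bool:
    """<Location /manager> covers /manager and /manager/..., but not /managerx."""
    return path == prefix or path.startswith(prefix + "/")


def route(path: str, client_ip: str) -> Tuple[int, Optional[str]]:
    """Return (status, upstream URL or None) for a request hitting the 443 vhost."""
    # Authorization runs before proxying: a Location with a failing Require is a 403.
    for prefix, allow in LOCATIONS.items():
        if location_matches(path, prefix) and not ip_allowed(client_ip, allow):
            return 403, None
    # ProxyPass picks the longest matching prefix. With "/" configured, every
    # remaining path (including /.well-known/acme-challenge/...) goes to Tomcat;
    # nothing is served from DocumentRoot.
    for prefix, upstream in sorted(PROXY_PASS.items(), key=lambda kv: -len(kv[0])):
        if path.startswith(prefix):
            return 200, upstream.rstrip("/") + "/" + path[len(prefix):]
    return 404, None


if __name__ == "__main__":
    for p, ip in [("/manager/html", "203.0.113.10"), ("/manager/html", "192.0.2.5"),
                  ("/.well-known/acme-challenge/token", "192.0.2.5")]:
        print(p, ip, "->", route(p, ip))
```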
