[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[EP-tech] LetsEncrypt / EPrints Rewrite rules

Subject: [EP-tech] LetsEncrypt / EPrints Rewrite rules
From: J.Salter at leeds.ac.uk (John Salter)
Date: Thu, 7 May 2020 12:41:39 +0000
References: <DB6PR0301MB2565050348B1071C07480A49C4A50@DB6PR0301MB2565.eurprd03.prod.outlook.com>

Hi,
I've been looking at the instructions here:
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FSetting_up_HTTPS_using_Let%2527s_Encrypt&amp;data=01%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7Ce0eec4bb467e4c67348008d7f283fe12%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&amp;sdata=%2FjUHGFQjBYenuvlMa1v0AScGcmNQPlpZKoKvkuP4YFA%3D&amp;reserved=0
and wondering how they actually work alongside an EPrints install.

In the EPrints::Apache::Rewrite module (which would normally handle anything in the EPrints' domain, there is a specific rule declining access to anything including '/.'.
The normal LetsEncrypt issuance/renewal process uses an asynchronous challenge/response to the server - normally to a URL like:
http://DOMAIN/.well-known/acme-challenge/[random<http://DOMAIN/.well-known/acme-challenge/%5brandom> string]

This contains the '/.' string, so the EPrints stack rejects the request.

There are two resolutions to this:

1)      Add a rule to the Apache config to prevent the EPrints stack handling the '.well-known' directory

2)      Add a URL rewrite trigger to serve the '.well-known' directory (if it exists).

For my test server, I have gone down the second of these routes - and will add details to the Wiki page.

Can someone using LetsEncrypt confirm that the above is correct - and provide an example of the Apache config used?
There may be other approaches - LetsEncrypt has various mechanisms, but the Apache or Webroot ones are the most relevant here I think.

Cheers,
John

John Salter
https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Forcid.org%2F0000-0002-8611-8266&amp;data=01%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7Ce0eec4bb467e4c67348008d7f283fe12%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&amp;sdata=a2iiSgrK%2BhRT9epHJH7bSz9cmS%2B0a0kfe9WoQNyLtos%3D&amp;reserved=0

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20200507/b5618b23/attachment.html

Follow-Ups:
- [EP-tech] LetsEncrypt / EPrints Rewrite rules
  - From: J.Salter at leeds.ac.uk (John Salter)

References:
- [EP-tech] LetsEncrypt / EPrints Rewrite rules
  - From: J.Salter at leeds.ac.uk (John Salter)

Prev by Date: [EP-tech] Eprints show default apache page
Next by Date: [EP-tech] Different field labels
Next by thread: [EP-tech] Re: Eprints divisions problem
Index(es):
- Date
- Thread