EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #08154



[EP-tech] LetsEncrypt / EPrints Rewrite rules


Hi,
I've been looking at the instructions here:

https://wiki.eprints.org/w/Setting_up_HTTPS_using_Let%27s_Encrypt

and wondering how they actually work alongside an EPrints install.

 

In the EPrints::Apache::Rewrite module (which would normally handle anything in the EPrints domain), there is a specific rule declining access to anything including '/.'.

The normal LetsEncrypt issuance/renewal process uses an asynchronous challenge/response to the server - normally to a URL like:

http://DOMAIN/.well-known/acme-challenge/[random string]

 

This contains the '/.' string, so the EPrints stack rejects the request.

 

There are two resolutions to this:

1) Add a rule to the Apache config to prevent the EPrints stack handling the '.well-known' directory

2) Add a URL rewrite trigger to serve the '.well-known' directory (if it exists).

 

For my test server, I have gone down the second of these routes - and will add details to the Wiki page.

 

Can someone using LetsEncrypt confirm that the above is correct - and provide an example of the Apache config used?

There may be other approaches - LetsEncrypt has various mechanisms, but the Apache or Webroot ones are the most relevant here I think.

 

Cheers,

John

 

John Salter

http://orcid.org/0000-0002-8611-8266
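
Added example, not part of the original message and not EPrints or Apache code: a Python model of the conflict described above, showing the blanket '/.' rule declining the challenge URL and a narrow exception that admits only a single-token ACME path, which is tighter than serving the whole '.well-known' directory. The function names and sample paths are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 (HTTP-01): a challenge token contains only base64url characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def blanket_rule(path):
    """Model of the rule described in the message: decline anything containing '/.'."""
    return "decline" if "/." in path else "handle"


def is_acme_challenge(path):
    """True only for the prefix followed by exactly one base64url token."""
    if not path.startswith(ACME_PREFIX):
        return False
    return TOKEN_RE.fullmatch(path[len(ACME_PREFIX):]) is not None


def route(raw_path):
    """Drop the query string, percent-decode once, then try the exception first."""
    path = unquote(raw_path.split("?", 1)[0])
    if is_acme_challenge(path):
        return "serve-challenge"
    return blanket_rule(path)


# Constructed sample requests (the token is made up).
SAMPLES = [
    "/.well-known/acme-challenge/Zm9vYmFyLXRva2VuXzEyMw",
    "/.well-known/acme-challenge/",
    "/.well-known/acme-challenge/..%2f..%2f.htaccess",
    "/.well-known/acme-challenge/tok/.git/config",
    "/.git/config",
    "/documents/report.pdf",
]


def classify_samples():
    """Map each sample to (result under blanket rule alone, result with the exception)."""
    return {p: (blanket_rule(unquote(p)), route(p)) for p in SAMPLES}


if __name__ == "__main__":
    for path, (before, after) in classify_samples().items():
        print(f"{path:55} blanket={before:8} with-exception={after}")
```

Only the first sample changes outcome once the exception is in place; dotfile paths and traversal attempts under the challenge prefix are still declined.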