pbhq
Joined: 17 Mar 2013 Posts: 37 Location: Germany
Posted: Sun 18 Mar '18 17:13 Post subject: mod_md : not possible to use with other acme client
Split from www.apachelounge.com/viewtopic.php?t=7938
Steffen wrote:
*) mod_md was added in 2.4.30 as an experimental module, not advised for use in production yet; we need success stories.
Also, Let's Encrypt has new features, like the new ACMEv2 protocol and wildcard certificates. So better to wait with mod_md.
Advised is to use win-acme, which has a more complete feature set.
Please mail me or post here when you have success with mod_md or not.

A suggestion from me for the official release:
I would not publish the official release with mod_md, but offer the two modules (mod_md & mod_ssl) separately for download.
For mod_ssl to work in the vote release, mod_md must also be included, and mod_md will catch access to the .well-known directory. In other words: with the vote release it's not possible to use Lets-Encrypt-Win-Simple (I think).
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sun 18 Mar '18 18:29 Post subject: Re: Apache httpd 2.4.33-vote available
pbhq wrote:
For mod_ssl to work in the vote release, mod_md must also be included and mod_md will catch access to the .well-known directory.

I do not find this to be the case. I have mod_ssl loaded and working, yet I do not have mod_md loaded.
If you have any of mod_md's directives in your configuration, then of course it also must be loaded or Apache will error, like any other module-specific directive.
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sun 18 Mar '18 18:42 Post subject:
He means that he cannot run win-acme to get certs, because the challenge in the .well-known dir is caught by mod_ssl.
I think he is using the TLS-SNI challenge with an old account? The TLS-SNI challenge was disabled by Let's Encrypt back in January, but old users can still use it.
@pbhq what happens when you remove the md folder and start all over again?
@pbhq what happens when you create a new certificate with win-acme without mod_md and with mod_ssl?
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sun 18 Mar '18 19:30 Post subject:
Running with mod_md gives:
not found:
GET /.well-known/acme-challenge/test.txt HTTP/1.1" 404
So when running mod_md you cannot run an ACME client which uses https for a challenge.
pbhq
Joined: 17 Mar 2013 Posts: 37 Location: Germany
Posted: Sun 18 Mar '18 20:20 Post subject:
Steffen wrote:
Running with mod_md gives:
not found:
GET /.well-known/acme-challenge/test.txt HTTP/1.1" 404
So when running mod_md you cannot run an ACME client which uses https for a challenge.

If you say so, that's the way it is. And yes, that's how it should work.
Maybe that was different in the first beta version, I don't know.
I wanted to test the topic again, but mod_md has developed a life of its own again. I'll write more in the other mod_md thread.
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sun 18 Mar '18 20:32 Post subject:
This was the log with mod_md:
mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sun 18 Mar '18 20:34 Post subject:
OK, I'd imagine that is by design.
Where does mod_md store the .well-known stuff? In wherever you have set MDStoreDir. So "${MDStoreDir}/domain" IIRC.
Where does win-acme store the .well-known stuff?
"${DocumentRoot}/.well-known/acme-challenge/" IIRC, when trying it out long ago under its original name.
Those are two different places, and I would assume that mod_md intercepts any URI with .well-known/acme-challenge/ in it and has Apache serve what's in "${MDStoreDir}/domain" instead.
Like a built-in Alias "/.well-known/acme-challenge/" "${MDStoreDir}/${HTTP_HOST}/"
You yourself had mod_ssl running without mod_md in your first test, so mod_ssl will work without mod_md loaded, and that is what the OP said did not and I disagreed with. If you have mod_md directives in your config not surrounded by IfModule container(s), then yes, mod_ssl, actually Apache, will not start w/o mod_md loaded.
Just my take on what was originally stated, mod_ssl not working unless mod_md is included.
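As an added example (not part of the thread, and not mod_md's or win-acme's own configuration): one httpd configuration that behaves correctly whether mod_md is loaded or not. Everything mod_md-specific sits inside an IfModule container, so httpd still starts when the module is absent, and when it is absent the directory win-acme writes its HTTP-01 token into is served explicitly over plain HTTP. The domain names, the ${SRVROOT}-relative paths, the store directory and the certificate file names are assumptions.

```apache
# Added example, not from the thread and not mod_md's or win-acme's own
# configuration. Domain names, ${SRVROOT}-relative paths, the store
# directory and the certificate file names are assumptions.

LoadModule ssl_module modules/mod_ssl.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
# Comment in only when mod_md should obtain the certificates itself.
#LoadModule md_module modules/mod_md.so

<IfModule mod_md.c>
    # Everything mod_md-specific lives in this container, so httpd still
    # starts when the module is not loaded (a bare "LogLevel md:debug"
    # outside such a container is exactly what breaks startup without mod_md).
    MDStoreDir "${SRVROOT}/md"
    # 2.4.30-era builds expect the URL of the CA's terms of service here
    # rather than the keyword "accepted"; check the docs of the build you run.
    MDCertificateAgreement accepted
    # mod_md answers /.well-known/acme-challenge/* itself for the names listed
    # here, so a token file placed under DocumentRoot for these names is never
    # served (the 404 seen in the thread). Do not list a name that another
    # ACME client is supposed to manage.
    MDomain example.com www.example.com
    LogLevel md:debug
</IfModule>

<IfModule !mod_md.c>
    # No mod_md: an external client such as win-acme writes the HTTP-01 token
    # into DocumentRoot/.well-known/acme-challenge/ and the CA fetches it over
    # plain HTTP. Serve that directory explicitly and grant access to it even
    # if the rest of the document root is locked down.
    Alias "/.well-known/acme-challenge/" "${SRVROOT}/htdocs/.well-known/acme-challenge/"
    <Directory "${SRVROOT}/htdocs/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</IfModule>

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot "${SRVROOT}/htdocs"
    # Send everything to HTTPS except the challenge path, which the CA must be
    # able to fetch over port 80 for HTTP-01.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot "${SRVROOT}/htdocs"
    SSLEngine on
    <IfModule !mod_md.c>
        # Without mod_md, point mod_ssl at the files win-acme exported.
        SSLCertificateFile "${SRVROOT}/conf/ssl/example.com-chain.pem"
        SSLCertificateKeyFile "${SRVROOT}/conf/ssl/example.com-key.pem"
    </IfModule>
    # With mod_md loaded and the name listed in MDomain, mod_md hands the
    # certificate and key to mod_ssl; no SSLCertificate* lines are needed.
</VirtualHost>
```

The check Steffen ran above is the quick way to tell which side of the IfModule you are on: drop a test.txt into ${DocumentRoot}/.well-known/acme-challenge/ and fetch it over plain HTTP. A 200 means the file on disk is served and an external client will work; a 404 together with a "Challenge for <host> (/.well-known/acme-challenge/test.txt)" line in the error log at md:debug means mod_md has taken that path over for the host. Only one thing can answer the challenge path for a given name, so decide per hostname whether mod_md or the external client manages it.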
pbhq
Joined: 17 Mar 2013 Posts: 37 Location: Germany
Posted: Tue 20 Mar '18 17:56 Post subject: Re: mod_md : not possible to use with other acme client
pbhq wrote:
For mod_ssl to work in the vote release, mod_md must also be included ...

Sorry for the mess.
That was my mistake, because I had not correctly guarded the mod_md debug LogLevel statement with IfModule.
Of course, mod_ssl works without mod_md.