8

I have a global entry

Alias /.well-known/acme-challenge /var/www/letsencrypt/.well-known/acme-challenge/ 

in my apache configuration, outside any virtual host. This way, the above Alias is effective for all virtual hosts. Unfortunately, there are still virtual hosts where this does not work as intended, e.g. due to redirects, authentication requirements etc.

Is there a way to tell apache to consider this alias before even reading the configuration of the particular virtual host?

2
  • Why don't you just set an exception to your redirect & authentication for this file Commented Dec 19, 2015 at 20:17
  • 4
    Because I don’t want to touch the configuration of several dozen virtual hosts, adding an exception to each of them. Commented Dec 19, 2015 at 21:11

5 Answers

7

You can try adding this before all your virtual hosts:

    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

    # Bypass auth
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Satisfy any
    </Directory>

    # Redirect before other rewrite rules
    RewriteCond %{REQUEST_URI} /\.well\-known/acme\-challenge/
    RewriteRule (.*) /.well-known/acme-challenge/$1 [L,QSA]

8
  • Well, almost. It seems that ScriptAliasMatch /(.*) /opt/.../cgi.pl/$1 in a Virtual Host configuration still takes precedence. Commented Dec 20, 2015 at 22:16
  • I updated the answer, I hope it'll work. By the way, I think /(.*) should be ^/(.*) to be more relevant Commented Dec 21, 2015 at 12:44
  • Thanks. Unfortunately, it does not; it seems that the ScriptAliasMatch in the VirtualHost section still has precedence. I also tried some variations, i.e. with or without ^, AliasMatch instead of ScriptAliasMatch. Commented Dec 21, 2015 at 12:51
  • What about ScriptAlias / /opt/.../cgi.pl/ instead of your ScriptAliasMatch, it should do the same. Then if needed you can add ScriptAlias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/. It is not as I would like but it should work in your case Commented Dec 21, 2015 at 13:07
  • 1
    The Virtual Host settings still take precedence. I’ll just bite the bullet and add Alias /.well-known/acme-challenge/ ... to the few virtual hosts that are affected by this. Commented Dec 21, 2015 at 13:45
2

I came across your question with the same letsencrypt acme apache alias problem. After reading through the apache documentation, I still don't understand why the global alias doesn't work as expected (according to the documentation it should).

Anyway, here is a workaround that uses RedirectMatch (which according to the documentation is evaluated before alias). It requires one additional host and one global configuration file:

  1. Create an additional (sub)domain / host that only serves acme requests, let's say "acme.mydomain.tld"
  2. Create (and enable) a global configuration that redirects all acme-requests to that host, excluding the host itself from redirection:

    <If "%{HTTP_HOST} != 'acme.mydomain.tld'">
        RedirectMatch "^/.well-known/(.*)$" "http://acme.mydomain.tld/.well-known/$1"
    </If>

This works for all my VirtualHosts which had problems with the old alias approach.

1
  • I was honestly hoping for something like the accepted answer to work, but this was the only thing that deals with all my oddball virtualhosts Commented Sep 4, 2018 at 19:16
1

According to Apache 2.4 documentation you have these options:

There are two basic types of containers. Most containers are evaluated for each request. The enclosed directives are applied only for those requests that match the containers. The <IfDefine>, <IfModule>, and <IfVersion> containers, on the other hand, are evaluated only at server startup and restart. If their conditions are true at startup, then the enclosed directives will apply to all requests. If the conditions are not true, the enclosed directives will be ignored.

Maybe you can try using one of the containers mentioned above and add the alias that you need to apply globally for all requests. See details here: https://httpd.apache.org/docs/2.4/sections.html#mergin.

3
  • 1
    I doubt that IfDefine etc will help. They just toggle the contained configuration, so they either have no effect at all (not helpful), or the same as if they were not wrapped in IfDefine. Commented Dec 20, 2015 at 20:48
  • Congrats on 3k - have fun closing stuff. Commented Dec 23, 2015 at 18:55
  • Doubt and thinking are of no use here. I actually tried enclosing it in a <IfVersion> Block. It doesn't work. Commented Jan 17, 2018 at 10:08
0

I use global /etc/httpd/conf.d/acme.conf:

    <IfModule mod_proxy.c>
        ProxyPass /.well-known/acme-challenge !
    </IfModule>

    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
    </Directory>

BUT if you use a <Location> directive in virtual hosts it doesn't work, so you must add BELOW:

    <Location /.well-known/acme-challenge>
        ProxyPass !
    </Location>

-1

I handled the issue with a global alias

Create a global config

Alias /.well-known/acme-challenge/ /my-acme-challenge-directory
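
Added example, not part of any answer above: a probe that reports, per virtual host, which of the failure modes from this thread (redirect, authentication, a vhost handler such as ScriptAliasMatch answering instead) hits a challenge request. It assumes you have created a file named `probe-test` containing `probe-ok` in `/var/www/letsencrypt/.well-known/acme-challenge/`; the file name, its content and the function names are made up for this sketch.

```python
import sys
import urllib.error
import urllib.request

# Hypothetical probe file; create it in the shared challenge directory first,
# e.g. /var/www/letsencrypt/.well-known/acme-challenge/probe-test
PROBE_PATH = "/.well-known/acme-challenge/probe-test"
PROBE_BODY = b"probe-ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as HTTPError instead of following it


def classify(status, location, body):
    """Explain what a virtual host did with the probe request."""
    if status == 200 and body.strip() == PROBE_BODY:
        return "ok"
    if status == 200:
        return "shadowed: another handler answered (e.g. a vhost ScriptAliasMatch)"
    if status in (301, 302, 303, 307, 308):
        if location and PROBE_PATH in location:
            return "redirect keeps challenge path: " + location
        return "redirect drops challenge path: " + str(location)
    if status in (401, 403):
        return "blocked by authentication/authorization"
    return "unexpected status %d" % status


def probe(host, timeout=5):
    """Fetch the probe from one vhost over plain HTTP without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open("http://%s%s" % (host, PROBE_PATH), timeout=timeout) as r:
            return classify(r.status, None, r.read(256))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.headers.get("Location"), b"")
    except OSError as e:
        return "connection failed: %s" % e


if __name__ == "__main__":
    # Usage: python3 probe.py www.example.org shop.example.org ...
    results = {h: probe(h) for h in sys.argv[1:]}
    for host, verdict in results.items():
        print("%-40s %s" % (host, verdict))
    sys.exit(0 if all(v == "ok" for v in results.values()) else 1)
```

With the RedirectMatch workaround from the second answer, "redirect keeps challenge path" pointing at the dedicated acme host is the expected result for every other virtual host.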
