Allow MDPortMap for virtual hosts, or disable the port check #133
Comments
|
I agree that MDPortMap currently has a too simplistic view for multi-homes hosts settings. With the abolishment of the 'tls-sni-01' challenge, all current challenges use the domain to be verified either in Host: or SNI. That means the port number itself is not really interesting, only the fact of the domain can be used in http: and/or https: requests/connections. Currently, a configuration of would maybe serve better, configurable global or per MDomain. I think I draw the line at MDomains where individual VirtualHost vary in accessibility. Such a setup can be done, but that leads to overcomplications in the module. Split such an MDomain in two, I would recommend. What do you think? |
|
I like this idea 👍 It's easy to use and powerful enough. |
|
Hmm, I think I need to backtrack a bit here. This is a larger change than thought at first. Right now, mod_md uses the http: and https: ports also to make a guess if a VirtualHost uses SSL or not. Which is not really correct in all cases as well. I have an idea how to have a more reliable detection without specifying ports, but that does not fit on the margins of this page... |
|
Ok, after more work and more thinking and reading your first post again, I think it has less complexity and the same freedom if users of such multi-homed setup configured the challenges directly. So, if you have an MD that might look available to other challenges, but is not, you configure for it and no other method will be used. This allows also for some esoteric setups. For example you can have a separate http: server that just answers challenges, using the thumbnails of account keys. WDYT? |
|
Sounds good! Configuring the challenges needs some knowledge about which ACME challenges work in which cases. The documentation is a bit outdated, it does not explain that tls-alpn-01 is for port 443, see the "prerequisites" section on https://httpd.apache.org/docs/trunk/mod/mod_md.html With updated documentation, I think that's a good solution 👍 |
|
Ok, updated README and the Apache documentation in trunk. Although, I can describe this particular behaviour there only after copying the 2.1 over. I leave this issue open until this has happened. |
|
Updated in Apache subversion in r1868506. |
When the challenge "tls-alpn-01" is pre-configured with MDCAChallenges, mod_md should not check any ports and just set up the challenge. This is a follow-up to icing#133
For "tls-alpn-01" challenges, mod_md checks whether there is a server that supports the "acme-tls/1" protocol. If the challenge "tls-alpn-01" is pre-configured with MDCAChallenges, the ports of the servers are ignored (see issue icing#133). If there are multiple servers matching a domain name, don't just look at the first server but search one that supports the "acme-tls/1" protocol. This is a follow-up to icing#159 and icing#133
For "tls-alpn-01" challenges, mod_md checks whether there is a server that supports the "acme-tls/1" protocol. If the challenge "tls-alpn-01" is pre-configured with MDCAChallenges, the ports of the servers are ignored (see issue icing#133). If there are multiple servers matching a domain name, don't just look at the first server but search one that supports the "acme-tls/1" protocol. This is a follow-up to icing#159 and icing#133
For "tls-alpn-01" challenges, mod_md checks whether there is a server that supports the "acme-tls/1" protocol. If the challenge "tls-alpn-01" is pre-configured with MDCAChallenges, the ports of the servers are ignored (see issue icing#133). If there are multiple servers matching a domain name, don't just look at the first server but search one that supports the "acme-tls/1" protocol. This is a follow-up to icing#159 and icing#133
When the challenge "tls-alpn-01" is pre-configured with MDCAChallenges, mod_md should not check any ports and just set up the challenge. This is a follow-up to icing#133
For "tls-alpn-01" challenges, mod_md checks whether there is a server that supports the "acme-tls/1" protocol. If the challenge "tls-alpn-01" is pre-configured with MDCAChallenges, the ports of the servers are ignored (see issue icing#133). If there are multiple servers matching a domain name, don't just look at the first server but search one that supports the "acme-tls/1" protocol. This is a follow-up to icing#159 and icing#133
Multiple virtual hosts can listen on different IP addresses, so the port mapping may differ for each virtual host. Currently "MDPortMap" is a global setting.
It would be an improvement to have the "MDPortMap" setting for each virtual host. But then mod_md also needs to check whether there are contradicting port mappings for virtual hosts that are on the same IP address, so this would make the code more complex.
An easier solution would be a new configuration setting to disable the port check, so that mod_md just assumes that all managed virtual hosts are reachable for Let's Encrypt. We could call this setting "MDPortCheck".
The text was updated successfully, but these errors were encountered: