[EP-tech] LetsEncrypt / EPrints Rewrite rules

John Salter J.Salter at leeds.ac.uk
Thu May 7 13:41:39 BST 2020


Hi,
I've been looking at the instructions here:
https://wiki.eprints.org/w/Setting_up_HTTPS_using_Let%27s_Encrypt
and wondering how they actually work alongside an EPrints install.

In the EPrints::Apache::Rewrite module (which would normally handle anything in the EPrints' domain), there is a specific rule declining access to anything including '/.'.
The normal LetsEncrypt issuance/renewal process uses an asynchronous challenge/response to the server - normally to a URL like:
http://DOMAIN/.well-known/acme-challenge/[random string]

This contains the '/.' string, so the EPrints stack rejects the request.

There are two resolutions to this:

1) Add a rule to the Apache config to prevent the EPrints stack handling the '.well-known' directory

2) Add a URL rewrite trigger to serve the '.well-known' directory (if it exists).

For my test server, I have gone down the second of these routes - and will add details to the Wiki page.

Can someone using LetsEncrypt confirm that the above is correct - and provide an example of the Apache config used?
There may be other approaches - LetsEncrypt has various mechanisms, but the Apache or Webroot ones are the most relevant here I think.

Cheers,
John

John Salter
http://orcid.org/0000-0002-8611-8266
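
Added example, not part of the original message and not EPrints code: a Python model of the narrow exception the message describes, letting only well-formed ACME HTTP-01 challenge paths past a '/.' decline rule while every other dot-path stays blocked. The function name, the sample paths and the choice to percent-decode before checking are assumptions; the token alphabet is the base64url set that RFC 8555 requires.

```python
import re
from urllib.parse import unquote

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: a challenge token uses only base64url characters,
# so it can never contain '.', '/' or '%'.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def classify(raw_path: str) -> str:
    """Classify a request path (hypothetical helper, not an EPrints API).

    'acme'    -> well-formed challenge URL, exempt from the '/.' rule
    'decline' -> contains '/.' and is not a well-formed challenge URL
    'pass'    -> ordinary path, handled as usual
    """
    # Drop the query string and decode once, so '%2e' cannot hide a dot.
    path = unquote(raw_path.split("?", 1)[0])
    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):]
        # Exactly one path segment made of token characters; this rejects
        # an empty token, file extensions and '../' traversal.
        if TOKEN_RE.fullmatch(token):
            return "acme"
    if "/." in path:
        return "decline"
    return "pass"


# Constructed sample paths, not taken from any real server log.
SAMPLES = [
    "/.well-known/acme-challenge/Zm9vYmFyLXRva2VuXzEyMw",
    "/.well-known/acme-challenge/",
    "/.well-known/acme-challenge/../../.git/config",
    "/.well-known/acme-challenge/token.txt",
    "/.well-known/security.txt",
    "/%2egit/config",
    "/id/eprint/123/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):8} {sample}")
```

Only the first sample is exempted; the rest of `/.well-known/` stays declined unless it is deliberately opened up as well.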
