Apache multidomain webroot


#1

Hi,
I want to submit my configuration for validate more domain under one server without stop apache2 service during the validation/renew procedure.

in the apache2 configuration file /etc/apache2/apache2.conf I added this line:
AliasMatch ^/.well-known/acme-challenge/(.*)$ /var/www/html/.well-known/acme-challenge/$1

this configuration will be redirect all the letsencrypt’s acme request in the default webroot.
To submit the validation you have to run:
letsencrypt certonly --webroot -w /var/www/html/ -d example.com -d example.net -d example.org --renew-by-default

you can create a bash script in /etc/cron.monthly/ directory to automatic renew. Seems apache2 needs a restart to reload the new ssl certificate but the downtime is really short.


#2

You might also need to allow apache reading the folder (and prevent script from being executed):

Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
<Directory "/var/www/html/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    ForceType text/plain
    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

The redirect match is not required, but helps preventing an information leak so that other people can see that this folder is redirected.

PS: if you are a hoster, this also prevents users from requesting a LetsEncrypt certificate.
PPS: apache reload should be enough.


#3

This configuration is for-domain configuration right? But using apache2.conf you don’t need to change all the domain’s configuration but only one file.

even better :smile:


#4

This configuration is for-domain configuration right? But using apache2.conf you don’t need to change all the domain’s configuration but only one file.

No, I put this into apache2.conf (or being more specific I have a conf-enabled/le.conf) and, thus, it works for all virtual domains.


#5

Sorry, I did not understand.
I’ll try your suggested configuration


#6

As a side note, I was having trouble with vhosts rewrites overriding my global alias… here is my workaround.

Global:

<IfModule alias_module>
    Alias /.well-known/ /var/www/html/.well-known/
</IfModule>
<IfModule mod_rewrite.c>
    # prevent vhost rewrites from killing the alias
    RewriteEngine On
    RewriteOptions InheritDownBefore
    RewriteCond %{REQUEST_URI} ^/\.well\-known
    RewriteRule . - [L,PT]
</IfModule>

Example vhost that uses rewrite that now cannot clobber the Alias above:

<VirtualHost *:80>
    ....
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/.*            /index.php [L,PT]
    </IfModule>
</VirtualHost>