Possible change alias?

Hello.

Can you tell me how to change the name of the alias used by the Let's Encrypt client in the Apache settings?

Alias /.well-known/acme-challenge/ /var/www/demo/.well-known/acme-challenge/

This is generally accepted.

And I need, for example:

Alias /.well-known/acme-challenge_balancer/ /var/www/demo/.well-known/acme-challenge/

I can't find the directives in the clients' configuration files that are responsible for the specified alias.

Thank you in advance.

1 Like

/.well-known/acme-challenge is the URL request path used by Let's Encrypt for HTTP challenges.

It can't be changed.

You can change where on the filesystem you serve those files from (i.e. /var/www/demo/.well-known/acme-challenge/), but you cannot change the request path itself.

1 Like

Thanks for the answer.

Please advise a solution:

The task is to keep certificates for the site example.ru on both the frontend Apache (mod_balancer) and the backend Apache, and to update them with a difference of one hour every 70 days. In the balancer settings, the nodes are also called over https.

But since the URL is the same, the request will reach either only the frontend or only the backend, depending on the Apache settings.

I wanted to achieve unification of the process and use the same client software (dehydrated) for updating in both cases, without changing the VirtualHost settings on the frontend at the time of certificate renewal.

2 Likes

That is a tricky situation, but I think you are not the only person who has encountered it.

I have solved it in the past by using try_files in nginx, which allows checking whether the challenge file exists on the frontend, and if so, serving it. If not, it proxies the request to the backend. That way, either the frontend or backend can request the certificate, and the request will go to the right place.

Obviously, that is not too helpful to you as you are not using nginx.

I came across https://serverfault.com/a/290806, which suggests that you can use mod_rewrite's ability to check for file existence, using RewriteCond's -f attribute test. If you combined mod_rewrite and mod_balancer somehow, you might be able to convince Apache to emulate the behavior of try_files. I am not sure of the exact invocation of directives which would do this, though.

3 Likes

Thanks for the idea. I will try to report back on the implementation on Apache.

As a wish, you could accept the ability to change the URL through the client configuration.

Then the issue would be solved without additional modules:
<VirtualHost *:80>
    ProxyPass "/.well-known/acme-challenge" "!"
    .....
</VirtualHost>

And all other URLs are sent to the node.

The method is verified. It works for Apache as well.

Frontend working configuration

Alias /.well-known/acme-challenge /var/www/dehydrated
<VirtualHost *:80>
    ProxyRequests Off
    ProxyPreserveHost On
    ServerName example.ru
    ServerAlias www.example.ru

    #We do not send a request to the backend if there is a certificate request.
    #What to do with it next is decided by the rewrite rule below.

    ProxyPass "/.well-known/acme-challenge" "!"


    ProxyPass / balancer://example-http/
    ProxyPassReverse / balancer://example-http/
    <Proxy balancer://example-http/>
         BalancerMember http://example.loc
    </Proxy>

    #Search for a file on the backend if it is not on the frontend
    RewriteEngine On
    RewriteCond /var/www/dehydrated/%{REQUEST_FILENAME} !-f
    RewriteRule ^/(.*)$ balancer://example-http%{REQUEST_URI} [P,QSA,L]
    #Search for a file on the backend if it is not on the frontend

    CustomLog ${APACHE_LOG_DIR}/example.ru.access.log combined
    ErrorLog ${APACHE_LOG_DIR}/example.ru.error.log

</VirtualHost>

The result is that the certificate is updated by the same method on both the frontend and backend.

2 Likes
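
The frontend-first fallback discussed in this thread (serve the challenge file if the frontend has it, otherwise pass the request to the backend), modelled as an added Python example that is not part of any post above. The function name `route`, the sample tokens and the temporary webroot are constructed for illustration; it assumes token files sit directly in the directory the Alias points to and that the request path carries no query string.

```python
import re
import tempfile
from pathlib import Path

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.1: tokens use only the base64url alphabet, no padding.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def route(request_path: str, webroot: Path) -> str:
    """Return "frontend" if the challenge file exists locally, else "backend".

    Models the try_files-style fallback: the frontend answers only for
    tokens its own ACME client wrote; every other request is proxied.
    """
    if not request_path.startswith(ACME_PREFIX):
        return "backend"
    token = request_path[len(ACME_PREFIX):]
    # Anything that is not a bare token ("../x", "a/b", "") never reaches
    # the filesystem check, so the request path cannot escape the webroot.
    if not TOKEN_RE.fullmatch(token):
        return "backend"
    return "frontend" if (webroot / token).is_file() else "backend"


def demo() -> dict:
    """Run the decision over constructed requests against a temp webroot."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "dehydrated"   # stands in for /var/www/dehydrated
        webroot.mkdir()
        (webroot / "frontTok_123").write_text("frontTok_123.thumbprint")
        (Path(tmp) / "secret").write_text("outside the webroot")
        requests = [
            ACME_PREFIX + "frontTok_123",    # written by the frontend client
            ACME_PREFIX + "backTok-456",     # written on the backend only
            ACME_PREFIX + "../secret",       # path escaping the webroot
            "/index.html",                   # ordinary site traffic
        ]
        return {r: route(r, webroot) for r in requests}


if __name__ == "__main__":
    for path, target in demo().items():
        print(f"{target:8} {path}")
```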