mod_md : not possible to use Lets-Encrypt-Win-Simple


mod_md : not possible to use Lets-Encrypt-Win-Simple

Steffen




A note from admin/user at  
http://www.apachelounge.com/viewtopic.php?p=36619#36619


Asked the reporter to file at bugzilla:

Not sure it is an issue.

A suggestion from me for the official release:

I would not publish the official release with mod_md, but offer the
two modules (mod_md & mod_ssl) separately for download.

For mod_ssl to work in the vote release, mod_md must also be included,
and mod_md will catch access to the .well-known directory. In other
words: with the vote release it's not possible to use
Lets-Encrypt-Win-Simple (I think).


My response to that:


I think you mean with win-acme client

If what you say is true, then in the Linux world they maybe could
not use e.g. their Certbot client either.

I would like to see a Linux user try it?



Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Steffen

Did some tests:

http://www.apachelounge.com/viewtopic.php?p=36624#36624


My conclusion (correct me if I am wrong):

When you run mod_md, you cannot use a client which uses TLS.

It is a limitation when an Apache user has an "old" LE account and uses
an acme client with/without mod_md.

TLS-SNI challenge was disabled by Let's Encrypt back in January, but
old users can still use it. Old accounts are whitelisted.


Let's Encrypt says:


....whitelisting mechanisms are live. If you have a certificate
renewal that has been failing due to the TLS-SNI disablement, you
should now be able to renew.



On Sunday 18/03/2018 at 16:53, Steffen  wrote:





Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Eric Covener
In reply to this post by Steffen
On Sun, Mar 18, 2018 at 11:52 AM, Steffen <[hidden email]> wrote:


This is all quite difficult to parse for me.

Is your user saying that loading mod_md blocks some mode of operation
of an external acme client?  By handling request for /.well-known?

I don't think such a thing impacts the release vote or structure
unless it's a regression of using the two things together, and there's
no implication that it is.

After all, mod_md is optional, and its primary role is certificates
via ACME.  I don't see the dilemma, so maybe I am misinterpreting

Spelling out whatever requirement or concern is at the root of this,
in more precise detail, is probably the only way it will move forward.

--
Eric Covener
[hidden email]

Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Eric Covener
In reply to this post by Steffen
On Sun, Mar 18, 2018 at 1:41 PM, Steffen <[hidden email]> wrote:


After reading the above and the last post in the forum, it sounds like
the requirement is:

"Need an option to disable the handling of /.well-known by mod_md so
an external ACME client can be used more easily".

It seems a bit weird to load mod_md and not use it as your ACME
client, but it's a reasonable request.

Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Bugzilla from arekm@maven.pl
On Sunday 18 of March 2018, Eric Covener wrote:

> After reading the above and the last post in the forum, it sounds like
> the requirement is:
>
> "Need an option to disable the handling of /.well-known by mod_md so
> an external ACME client can be used more easily".
>
> It seems a bit weird to load mod_md and not use it as your ACME
> client, but it's a reasonable request.

Or better be able to handle both. If no on disk challenge then fallback to
mod_md (or the other way).

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Eric Covener
>> After reading the above and the last post in the forum, it sounds like
>> the requirement is:
>>
>> "Need an option to disable the handling of /.well-known by mod_md so
>> an external ACME client can be used more easily".
>>
>> It seems a bit weird to load mod_md and not use it as your ACME
>> client, but it's a reasonable request.
>
> Or better be able to handle both. If no on disk challenge then fallback to
> mod_md (or the other way).

IIUC, you are saying that mod_md  could decline to handle /.well-known
if it receives an authentication request it wasn't anticipating
(because it had not recently seen this challenge during a request

Then presumably the /.well-known/whatever alias would point to
somewhere the external ACME client was writing to and the server would
process it "normally".

Sounds reasonable to me (as an ACME/LE layman)

Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Steffen
In reply to this post by Steffen
 
It is indeed a limitation for an "old" account, and when LE enables TLS again (not sure it does already in ACMEv2 protocol) 

You can have mod_md for a few domains and other domains with a client. 

This is a conf most AL admin/users are using till now, especially the seasoned admins.

In my test mod_md says:

mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge for www.apachelounge.com (/.well-known/acme-challenge/test.txt)


For me case closed, sorry for the clutter.



For me not related to a vote, therefore I made a separate topic.

It is not "your user" but our user :)

As I said: 

Not sure it is an issue.
and
correct me if I am wrong

I am just trying to help admin/users out there who were early adopters.


When it is not  appreciated that I share it with dev, say it please.




On Sunday 18/03/2018 at 18:48, Eric Covener wrote:


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Eric Covener
On Sun, Mar 18, 2018 at 2:25 PM, Steffen <[hidden email]> wrote:
>
> It is indeed a limitation for an "old" account, and when LE enables TLS
> again (not sure it does already in ACMEv2 protocol)

When did this become about TLS-SNI challenges and how does that tie
into the external ACME client?

Can you connect the dots for me or is this unrelated?

> In my test mod_md says;
>
> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
>
>
> For me case closed., sorry for the clutter.

Does this confirm something beyond "mod_md works"?

> When it is not  appreciated that I share it with dev, say it please.

My own 2 cents: It would be helpful and take much less of a toll on
this volunteer's time/patience/morale if this kind of feedback were
refined before being brought forward.

For example, here are hypothetical concise requirements / complaints
that someone could meaningfully address without having to pull teeth:

- mod_md could do something specifically different with TLS-SNI
  challenges for old users
- mod_md pre-empts HTTP challenges for domains that are not mod_md managed.
- mod_md can't decline/defer to an Alias for /.well-known if it has no
  stored challenge

But instead we have several paragraphs about votes and releases and
mod_ssl depending on mod_md and two different clients and a request to
test "it" on Linux.

Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Rainer Jung-3
On 18.03.2018 at 20:07, Eric Covener wrote:


To add to Eric: typically if something does not work, it would be
helpful to get the typical information:

- version and platform info (might be clear from the context)
- configuration used
- steps to reproduce
- expected result
- actual result
- regression or not, i.e. is it a new problem or does it exist in older
  versions too

Sometimes one can shortcut but very often it is really necessary to get
that type of information to be able to analyze/understand what the
problem is.

Thanks and regards,

Rainer

Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Gregg Smith (gsmith)
In reply to this post by Eric Covener
My read on the original post:

First we have stated that "For mod_ssl to work in the vote release,
mod_md must also be included..."

That is what I honed in on. Apache will not start if there's a module
specific directive without that module being loaded. Since the OP states
that *mod_ssl* will not work without mod_md included, there must
be some mod_md directives not contained inside <IfModule> lying around
in the OP's config. I believe this is the first of two parts.

Now, Apache serving a 404 on /.well-known/acme-challenge/test.txt when
mod_md is loaded I think is because mod_md stores this stuff under
MDStoreDir where the acme client puts it elsewhere IIRC. So this
behavior I see as by design since mod_md intercepts the requests coming
from the acme server obviously to serve what is stored under MDStoreDir.

My guess anyway.


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Stefan Eissing
In reply to this post by Bugzilla from arekm@maven.pl
Thanks, Arkadiusz, that sounds reasonable. I will make that change and let you know.

For tracking and so that other Apache users can find it more easily, could you open a short bug report here? Thanks!

> On 18.03.2018 at 19:00, Arkadiusz Miśkiewicz <[hidden email]> wrote:
>
>
> Or better be able to handle both. If no on disk challenge then fallback to
> mod_md (or the other way).
>
> --
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Stefan Eissing
In reply to this post by Gregg Smith (gsmith)


> On 18.03.2018 at 20:34, Gregg Smith <[hidden email]> wrote:
>
> My read on the original post:
>
> First we have stated that "For mod_ssl to work in the vote release, mod_md must also be included..."
>
> That is what I honed in on. Apache will not start if there's a module specific directive without that module being loaded. Since the OP states that *mod_ssl* will not work without without mod_md included, there must be some mod_md directives not contained inside <IfModule> laying around in the OP's config. I believe this is the first of two parts.

Exactly. Everything works as before when one does not load mod_md.

> Now, Apache serving a 404 on /.well-known/acme-challenge/test.txt when mod_md is loaded I think is because mod_md stores this stuff under MDStoreDir where the acme client puts it elsewhere IIRC. So this behavior I see as by design since mod_md intercepts the requests coming from the acme server obviously to serve what is stored under MDStoreDir.
>
> My guess anyway.

Correct. And as noted in another mail, the fallback behaviour will be added so that md and external clients can co-exist.

I did not foresee this mixed run mode and therefore decided to deny any fallback here. Seems like this security reduced the usability too much.

Stefan

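The two behaviours discussed in this thread, the strict mode Stefan says he originally chose (mod_md answers every /.well-known/acme-challenge/ request itself and returns 404 for tokens it does not know) and the fallback Arkadiusz proposed (mod_md declines unknown tokens so httpd can serve a file an external client wrote into the webroot), as an added Python model. This is not mod_md's code; the store, webroot contents, hostnames and tokens are constructed sample data.

```python
"""Model of http-01 challenge dispatch with and without fallback (constructed example)."""
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are unpadded base64url. Anything else is rejected up front so a
# declined request can never be turned into path traversal inside the webroot.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed stand-in for MDStoreDir: challenges mod_md itself requested,
# keyed by (hostname, token) -> key authorization mod_md must serve.
MD_STORE = {
    ("md.example.test", "tok-managed-by-md"): "tok-managed-by-md.THUMBPRINT_MD",
}

# Constructed stand-in for the webroot an external client (win-acme, certbot
# --webroot) writes into: URL path -> file content.
WEBROOT = {
    ACME_PREFIX + "tok-from-external-client": "tok-from-external-client.THUMBPRINT_EXT",
}


def _serve_from_webroot(path, webroot):
    """httpd's default handler: serve the file if present, else 404."""
    body = webroot.get(path)
    return ("core", 200, body) if body is not None else ("core", 404, "")


def dispatch(host, path, fallback, md_store=MD_STORE, webroot=WEBROOT):
    """Return (handler, status, body) for one request.

    handler is "mod_md" when mod_md answered, "core" when mod_md declined and
    the default filesystem handler served (or 404'd) the request.
    """
    if not path.startswith(ACME_PREFIX):
        # Not a challenge URL: mod_md is not involved at all.
        return _serve_from_webroot(path, webroot)

    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.match(token):
        # Malformed token: refuse before touching the store or the filesystem.
        return ("mod_md", 400, "")

    keyauth = md_store.get((host, token))
    if keyauth is not None:
        # Challenge mod_md requested itself: serve the stored key authorization.
        return ("mod_md", 200, keyauth)

    if not fallback:
        # Strict mode: mod_md owns the prefix and denies every unknown token.
        return ("mod_md", 404, "")

    # Fallback mode: decline, so httpd's normal handler can look in the webroot.
    return _serve_from_webroot(path, webroot)


if __name__ == "__main__":
    ext = ACME_PREFIX + "tok-from-external-client"
    print("strict  :", dispatch("www.example.test", ext, fallback=False))
    print("fallback:", dispatch("www.example.test", ext, fallback=True))
```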


Re: mod_md : not possible to use Lets-Encrypt-Win-Simple

Bugzilla from arekm@maven.pl
In reply to this post by Stefan Eissing
On Monday 19 of March 2018, Stefan Eissing wrote:
> Thanks, Arkadiusz, that sounds reasonable. I will make that change and let
> you know.
>
> For tracking and so that other Apache user can find it more easily, could
> you open a short bug report here? Thanks!

https://bz.apache.org/bugzilla/show_bug.cgi?id=62189



--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )