Univention Bugzilla – Bug 49844
apache2/hsts setting is not used in univention-letsencrypt.conf
Last modified: 2020-03-17 07:38:49 CET
/etc/univention/templates/files/etc/apache2/sites-available/univention-letsencrypt.conf creates separate virtual hosts for each domain in letsencrypt/domains. However, it doesn't create the Apache configuration for HSTS that /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts creates for the default SSL virtual host. So HSTS is in fact not activated anymore. Proposed fix: /etc/univention/templates/files/etc/apache2/sites-available/univention-letsencrypt.conf should include the code from /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts.
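A quick way to verify the symptom described above on a running host: the script below is an added example and is not part of the bug report or of the Let's Encrypt app. It reads raw HTTP response headers (for example from `curl -sI https://<domain>/`) and reports whether a Strict-Transport-Security header with a positive max-age is present, then loops over a space-separated domain list in the format of the letsencrypt/domains UCR variable. The domain names and header lines used in the usage comments are constructed, not taken from the page.

```shell
#!/bin/sh
# Added example (not project code): check whether HSTS is actually served.

# hsts_in_headers: reads raw HTTP response headers on stdin.
# Returns 0 if a Strict-Transport-Security header with max-age > 0 is
# present (header name matched case-insensitively), 1 otherwise.
hsts_in_headers() {
    max_age=$(tr -d '\r' \
        | awk -F': *' 'tolower($1) == "strict-transport-security" { print $2 }' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$max_age" ] && [ "$max_age" -gt 0 ]
}

# check_hsts_domains "dom1 dom2 ...": fetches the headers of every domain
# with curl and prints one line per domain. Returns 1 if any domain is
# served without HSTS, which is exactly the failure this bug describes.
check_hsts_domains() {
    rc=0
    for d in $1; do
        if curl -sI --max-time 10 "https://$d/" | hsts_in_headers; then
            echo "$d: HSTS present"
        else
            echo "$d: HSTS MISSING"
            rc=1
        fi
    done
    return $rc
}

# Usage on a UCS host (assumption: ucr is available in PATH):
#   check_hsts_domains "$(ucr get letsencrypt/domains)"
# Offline check against constructed header text:
#   printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n' | hsts_in_headers
```

Because the separate virtual hosts in univention-letsencrypt.conf take precedence over the default SSL virtual host for the listed names, every domain in letsencrypt/domains should be checked individually rather than only the host's FQDN.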
Created attachment 10122 [details] patch (git:fbest/49844-hsts)
Thank you for the feedback, Daniel! Attached is a patch which does your suggestion.
Thanks for the patch. However, I cannot test it. Is there a testing channel for a pre-compiled Let's Encrypt App with this patch?
Today, I had the requirement to have a special VirtualHost configuration for a sub-domain (a separate reverse proxy without the stuff from ucs-sites.d and the App Center Docker containers). univention-letsencrypt.conf is a show-stopper for that. It adds VirtualHost sections for each domain which is in letsencrypt/domains, so I had no easy way to override that configuration. Finally, I deleted the VirtualHost sections in univention-letsencrypt.conf, so the default SSL virtual host (with HSTS) is used. What's the benefit of having separate VirtualHost sections for each domain in letsencrypt/domains? As far as I see and understand, they intend to configure _everything_ the same as the default SSL virtual host.
Maybe Bug #48745 comment 1 is the reason.
OK, I understand it (at least a little bit). I would like to propose changing the logic for virtual host creation. Maybe create the virtual hosts for Let's Encrypt conditionally, for example if the UCS host FQDN is included in the Let's Encrypt domain list and the UCR variable apache2/ssl/certificate doesn't point to the Let's Encrypt certificate. At least I like the architecture of UCS, that those template files are part of /etc, so I have the freedom to override them.
Another customer stumbled over this...