Bug 42695

Summary: Allow configuration for HTTP(S) exceptions even if apache2/force_https=yes
Product: UCS
Reporter: Michael Grandjean <grandjean>
Component: Apache
Assignee: UMC maintainers <umc-maintainers>
Status: RESOLVED DUPLICATE
QA Contact:
Severity: normal
Priority: P5
CC: best, michelsmidt
Version: UCS 4.1
Target Milestone: ---
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=43603
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016101721000211
Bug group (optional): External feedback
Max CVSS v3 score:

Description Michael Grandjean univentionstaff 2016-10-17 13:14:49 CEST
The UCRV apache2/force_https=yes forces the use of encrypted connections by redirecting to https://

That's usually desired, at least for public-facing servers. But in some cases one needs exceptions:

One that springs to mind is the ACME protocol / Let's Encrypt clients. There you have a "Simple HTTP validation" that popular clients use to receive a new certificate¹. To make this work you need to expose the ACME challenge tokens via HTTP (and not via HTTPS) at this fixed path:

http://fqdn.ofyour.server/.well-known/acme-challenge/

We already have a hardcoded exception for /server-status via Bug 40173.
I think we should extend this to something more generic, e.g. specifying the path / URL for the exception via UCR.

¹ https://letsencrypt.github.io/acme-spec/#rfc.section.7.1
Comment 1 Michael Grandjean univentionstaff 2016-10-17 13:24:13 CEST
See also http://forum.univention.de/viewtopic.php?t=4655&p=22705#p22705
Comment 2 Florian Best univentionstaff 2016-10-18 11:53:36 CEST
Another good one might be 'http://$master/ucs-root-ca.crt'
Comment 3 Florian Best univentionstaff 2017-05-19 13:42:52 CEST
You can now simply set:
apache2/force_https/exclude/request_uri/letsencrypt=/.well-known/acme-challenge/

*** This bug has been marked as a duplicate of bug 43603 ***
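For readers who want to see what such an exclusion amounts to at the Apache level, the following is an added example and not the configuration UCS generates from the UCR variable above (this report does not show that template). It keeps the HTTP-to-HTTPS redirect described in the report for every request except the ACME challenge path from Comment 3 and the /server-status path mentioned in the description. The vhost layout, the 301 status and the use of mod_rewrite are assumptions.

```apache
# Added example: force HTTPS, but leave a small allow-list reachable over plain HTTP.
# Not the UCS-generated configuration; the template behind
# apache2/force_https/exclude/request_uri/* is not shown in this report.
<VirtualHost *:80>
    ServerName fqdn.ofyour.server   # placeholder host name

    RewriteEngine On

    # Exclusions: each RewriteCond that matches makes the rule NOT fire.
    # ACME HTTP-01 challenge tokens must be served unencrypted on port 80
    # (value from Comment 3 of this report).
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Hard-coded exception already present per the description (Bug 40173).
    RewriteCond %{REQUEST_URI} !^/server-status

    # Everything else is redirected to the same host and path over HTTPS.
    # 301 is an assumption; UCS may use a different status code.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Once the exclusion is in place, the practical check is to request one excluded path and one ordinary path over plain HTTP (for example with `curl -I`): the excluded path should be answered directly (typically 200 or 404), while the ordinary path should still return the redirect to https://. Keeping the allow-list to exact, anchored prefixes as above matters, because an unanchored or overly broad pattern would silently exempt more of the site from the HTTPS redirect than intended.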