Univention Bugzilla – Bug 42695
Allow configuration for HTTP(S) exceptions even if apache2/force_https=yes
Last modified: 2017-05-19 13:42:52 CEST
The UCRV apache2/force_https=yes forces the use of encrypted connections by re-directing to https://. That's usually desired, at least for public-facing servers.

But in some cases one needs exceptions: One that springs to mind is the ACME protocol / Let's Encrypt clients. There you have a "Simple HTTP validation" that popular clients use to receive a new certificate¹. To make this work you need to expose the ACME challenge tokens via HTTP (and not via HTTPS) at this fixed path:

http://fqdn.ofyour.server/.well-known/acme-challenge/

We already have a hardcoded exception for /server-status via Bug 40173. I think we should extend this to something more generic, e.g. specifying the path / URL for the exception via UCR.

¹ https://letsencrypt.github.io/acme-spec/#rfc.section.7.1
See also http://forum.univention.de/viewtopic.php?t=4655&p=22705#p22705
Another good one might be 'http://$master/ucs-root-ca.crt'
You can now simply set:

apache2/force_https/exclude/request_uri/letsencrypt=/.well-known/acme-challenge/

*** This bug has been marked as a duplicate of bug 43603 ***
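
What a request-URI exclusion of this kind amounts to at the Apache level, as an added illustration that is not part of the bug report and not the configuration UCS generates. It assumes mod_rewrite is enabled and a dedicated port-80 virtual host; the regular expressions and the virtual host layout are assumptions, and the host name is the placeholder used in the report.

```apache
# Added illustration; NOT the template shipped with UCS.
# Assumption: mod_rewrite is loaded and plain HTTP is served by this vhost.
<VirtualHost *:80>
    ServerName fqdn.ofyour.server

    RewriteEngine On

    # Exception 1: ACME HTTP validation tokens must stay reachable over
    # plain HTTP. The pattern is anchored at the start of the path and
    # ends with "/", so only this directory is exempt, not look-alike
    # paths such as /.well-known/acme-challenge-old.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/

    # Exception 2: the already hardcoded /server-status exception
    # mentioned in the report (pattern assumed here).
    RewriteCond %{REQUEST_URI} !^/server-status

    # Everything else is redirected to HTTPS. The target host is fixed
    # instead of being taken from the client-supplied Host header.
    RewriteRule ^ https://fqdn.ofyour.server%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Each excluded prefix is content served without transport encryption, so the list is best kept to paths that hold nothing sensitive, such as the challenge tokens.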