
Let's Encrypt Prevented from Renewing with Default .htaccess file #1251

Closed
jcohlmeyer opened this Issue Feb 10, 2017 · 4 comments


jcohlmeyer commented Feb 10, 2017

Expected behavior

Let's Encrypt to be able to renew certificates with the default .htaccess file.

Actual behavior

Let's Encrypt gets a 404 when trying to renew the certificate: it tries to verify a challenge by posting a temporary file to http://example.com/.well-known/some-challenge, but the default .htaccess file has the following rule:

# Prevent .git/, .env, etc from being served
RedirectMatch 404 /\.

Steps to reproduce

  1. Use Let's Encrypt
  2. Wait for certificate to expire

Server configuration

Operating system: CentOS

Control Panel: cPanel / WHM

Web server: Apache

PHP version: 5.6.29

Statamic version: 2.5.2

Updated from an older Statamic or fresh install: 2.1.x + upgrades

List of installed addons: N/A


jcohlmeyer commented Feb 10, 2017

Possible Solution:

# Prevent .git/, .env, etc from being served (but let Let's Encrypt auto-renew)
# The dot before well-known is escaped so the lookahead only exempts a literal ".well-known" segment
RedirectMatch 404 /(?!\.well-known)\.\w+

jcohlmeyer commented Feb 11, 2017

This is how HTML5 Boilerplate handles the issue:

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Block access to all hidden files and directories with the exception of
# the visible content from within the `/.well-known/` hidden directory.
#
# These types of files usually contain user preferences or the preserved
# state of an utility, and can include rather private places like, for
# example, the `.git` or `.svn` directories.
#
# The `/.well-known/` directory represents the standard (RFC 5785) path
# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible
# content should not be blocked.
#
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]
</IfModule>

edalzell commented Feb 11, 2017

I've added this to keep things consistent w/ the Statamic sample files:

# ------------------------------------------------------------------------------
# PROTECT SYSTEM FILES AND DIRECTORIES
#
# Not necessary when running above webroot.
# ------------------------------------------------------------------------------

RewriteRule ^site/(?!themes) - [F,L]
RewriteRule ^local - [F,L]
RewriteRule ^statamic - [F,L]
# Block top-level dotfiles/dot-directories except a literal ".well-known" segment (dot escaped)
RewriteRule ^(?!\.well-known)\.\w+ - [F,L]
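To check what each of the three rules on this page actually blocks before deploying one, the following script (added here; it is not part of the issue or of Statamic) runs the original `RedirectMatch 404 /\.` rule, the proposed `.well-known`-exempting pattern (with the dot escaped), and the HTML5 Boilerplate `RewriteCond` against a handful of constructed request paths. It assumes that Python's `re` interprets these particular patterns the same way Apache's PCRE does, and it does not simulate the Boilerplate's `-d`/`-f` filesystem checks.

```python
import re

# Assumption: Apache uses PCRE, but these patterns only use syntax that
# Python's re module interprets identically (lookahead, \w, \., [NC]).

# Original Statamic rule from the issue: any "/." anywhere in the path -> 404.
ORIGINAL = re.compile(r"/\.")

# Proposed replacement: a dot segment is blocked unless it is ".well-known".
PROPOSED = re.compile(r"/(?!\.well-known)\.\w+")

# HTML5 Boilerplate: the RewriteRule fires on "(^|/)\." unless the negated
# RewriteCond matches, i.e. the request is for visible content below
# /.well-known/ (each segment must start with a non-dot character).
# The -d / -f file-existence conditions are not simulated here.
H5BP_RULE = re.compile(r"(^|/)\.")
H5BP_ALLOW = re.compile(r"(^|/)\.well-known/([^./]+./?)+$", re.IGNORECASE)


def blocked_by_original(path: str) -> bool:
    return ORIGINAL.search(path) is not None


def blocked_by_proposed(path: str) -> bool:
    return PROPOSED.search(path) is not None


def blocked_by_h5bp(path: str) -> bool:
    # Rule pattern matches AND the .well-known exemption does not apply.
    return H5BP_RULE.search(path) is not None and H5BP_ALLOW.search(path) is None


# Constructed sample request paths; the ACME token is a made-up placeholder.
SAMPLE_PATHS = [
    "/.well-known/acme-challenge/EXAMPLE-TOKEN",  # must stay reachable
    "/.env",                                      # must be blocked
    "/.git/config",                               # must be blocked
    "/site/.git/HEAD",                            # nested dot-directory
    "/.well-known/.hidden",                       # hidden file inside .well-known
    "/index.php",                                 # ordinary content
]


def report(paths=SAMPLE_PATHS):
    """Return {path: (blocked_original, blocked_proposed, blocked_h5bp)}."""
    return {p: (blocked_by_original(p), blocked_by_proposed(p), blocked_by_h5bp(p))
            for p in paths}


if __name__ == "__main__":
    for path, (orig, prop, h5bp) in report().items():
        print(f"{path:45} original={orig!s:5} proposed={prop!s:5} h5bp={h5bp!s:5}")
```

Only the original rule returns 404 for the ACME challenge path; all three rules still block `.env`, `.git`, and a dotfile hidden inside `/.well-known/`.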

jasonvarga commented Feb 13, 2017

We added the `.` as a catch-all for anyone who just dumps a .htaccess file in their root. We'll add this to the sample (or at least a commented example).

Thanks!
