Results 1 to 4 of 4

Thread: Apache - Allow Certbot Renewal on IP Limited Subdomain?

  1. #1
    Join Date
    Jul 2012
    Location
    Illinois, USA
    Beans
    545

    Question Apache - Allow Certbot Renewal on IP Limited Subdomain?

    Hello,

    Maybe a simple question but I haven't had any luck getting it working so far...

    I have a subdomain on an Apache 2.4 server that I am limiting to an IP whitelist:
    Code:
    <Directory "/home/secure/www">
            Options Indexes FollowSymLinks
            AllowOverride All
    
    
            # Allowed IPs
            Require ip a.b.c.d
            Require ip a.b.c.e
            Require all denied
    </Directory>
    I want to allow Certbot \ Let's Encrypt to generate an SSL for this domain, so it needs to complete the ACME challenge.

    Therefore I need to exempt a path from this IP limitation: /home/secure/www/.well-known/acme-challenge

    I tried creating another directory declaration, but I am still getting a 403 response:

    Code:
    <Directory "/home/secure/www/.well-known/acme-challenge">
            Options Indexes FollowSymLinks
            AllowOverride All
    
            Require all granted
    </Directory>
    Anybody have any ideas how I can get this working?

  2. #2
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,169
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Apache - Allow Certbot Renewal on IP Limited Subdomain?

    There are several ways to skin that cat.

    You could find out the IPs used by Certbot and add them to the exception list.
    You could instead use DNS validation instead of HTTP.
    You could setup another apache config using the same domain/port but points to a different folder...then disable your real site, enable the temp site that is not IP-restricted, run the certbot against that, then disable that site, re-enable your real site and modify your real site to use SSL and the certs that were created while the other site was active.

    There are probably a few other ways as well but that is what came to mind without any research.

    LHammonds

  3. #3
    Join Date
    Jul 2012
    Location
    Illinois, USA
    Beans
    545

    Re: Apache - Allow Certbot Renewal on IP Limited Subdomain?

    Quote Originally Posted by LHammonds View Post
    There are several ways to skin that cat.

    You could find out the IPs used by Certbot and add them to the exception list.
    You could instead use DNS validation instead of HTTP.
    You could setup another apache config using the same domain/port but points to a different folder...then disable your real site, enable the temp site that is not IP-restricted, run the certbot against that, then disable that site, re-enable your real site and modify your real site to use SSL and the certs that were created while the other site was active.

    There are probably a few other ways as well but that is what came to mind without any research.

    LHammonds
    Thanks, but I was really hoping for something more permanent. Certbot's IPs could change and those other solutions require manual intervention to perform renewal. I would think it should be possible with the authz module to apply a less restrictive access list to a subdirectory of a more restricted one, or is that just simply not possible?

  4. #4
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,169
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Apache - Allow Certbot Renewal on IP Limited Subdomain?

    Everything I mentioned could be automated.

    However, the DNS method would probably require hosting your own DNS server.

    LHammonds

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •