PD-Admin v4.60
SE 4-0.325
Hallo zusammen,
vor zwei Tagen bekam ich eine Mail von Lets Encrypt, dass mein Zertifikat für die PD-Admin Oberfläche bald abläuft. Irgendwas stimmt(e) also nicht. Wegen HSTS ist es mir zunächst nicht aufgefallen, aber das Problem ist, dass Lets Encrypt die Validierungsdatei per http:// abruft aber nicht finden kann. Manuell per http:// aufgerufen wird mir die Datei auch nicht angezeigt.
Es scheint, als wäre dieser Fehler mit einem der letzten beides Updates aufgetreten. Kann das Problem jemand bestätigen?
Auszug aus /usr/local/pd-admin2/httpd-2.4/conf/httpd24.conf-template:
ServerName $$SERVERNAME
ServerTokens Minor
ServerRoot /usr/local/pd-admin2/httpd-2.4
DocumentRoot /usr/local/pd-admin2/htdocs/forbidden
HostnameLookups off
LogLevel warn
Timeout 240
User www
Group www
Listen 80
Listen 443
Protocols h2 h2c http/1.1
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule request_module modules/mod_request.so
#LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule mpm_event_module modules/mod_mpm_event.so
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so
#LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule include_module modules/mod_include.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule logio_module modules/mod_logio.so
LoadModule expires_module modules/mod_expires.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule asis_module modules/mod_asis.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule actions_module modules/mod_actions.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule http2_module modules/mod_http2.so
#LoadModule php4_module modules/libphp4.so
#LoadModule php5_module modules/libphp5.so
#LoadFile lib/libxml2.so
#LoadModule security2_module modules/mod_security2.so
DirectoryIndex index.html index.htm index.cgi index.php
AddType text/html .shtml
AddHandler server-parsed .shtml
<FilesMatch "^\.ht">
Order Deny,Allow
Deny from All
</FilesMatch>
<FilesMatch "\.inc$">
Order Deny,Allow
Deny from All
</FilesMatch>
<Directory />
AllowOverride AuthConfig FileInfo
Options -Indexes +FollowSymLinks
</Directory>
<Directory /usr/local/pd-admin2/htdocs>
# AddType application/x-httpd-php .php
AllowOverride AuthConfig FileInfo
Options +ExecCGI -Indexes +FollowSymLinks
</Directory>
<Directory /home>
AllowOverride All
Options +ExecCGI -Indexes +SymLinksIfOwnerMatch +Includes
</Directory>
<Directory /opt/pdadmin/www>
AllowOverride All
Options ExecCGI
SetEnv no-gzip
</Directory>
#mod_deflate
<Location />
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|mp3|mp4|swf)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
</Location>
# PCI Compliance Test
FileETag None
TraceEnable Off
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES:RSA+3DES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!ADH:!AECDH:!MD5:!DSS:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SH
A:!KRB5-DES-CBC3-SHA:!3DES
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder on
<VirtualHost $$STANDARD_IP:80>
ServerName $$SERVERNAME
## REDIRECT_TO_HTTPS ##
DocumentRoot /usr/local/pd-admin2/htdocs
AddHandler cgi-script .cgi .pl
RewriteEngine On
Alias /html /opt/pdadmin/www/html
Alias /assets /opt/pdadmin/www/assets
Alias /js /opt/pdadmin/www/js
Alias /css /opt/pdadmin/www/css
Alias /images /opt/pdadmin/www/images
Alias /customer /opt/pdadmin/www/customer
Alias /administrator /opt/pdadmin/www/administrator
Alias /pop3 /opt/pdadmin/www/pop3
RewriteRule /customer/sid/[a-z0-9]+/(.*) /opt/pdadmin/www/customer/$1
RewriteRule /administrator/sid/[a-z0-9]+/(.*) /opt/pdadmin/www/administrator/$1
RewriteRule /pop3/sid/[a-z0-9]+/(.*) /opt/pdadmin/www/pop3/$1
# SetEnv RLIMIT_CPU 45
SetEnv RLIMIT_CPU 240
SetEnv RLIMIT_NPROC 64
SetEnv RLIMIT_AS 256000000
SetEnv RLIMIT_NOFILE 200
# WEBMAILER / phpMyAdmin
ScriptAlias /cgi-sys/ /usr/local/pd-admin2/cgi-sys/
AddHandler php5wrap .php .php3 .php4
Action php5wrap /cgi-sys/php5-cgiwrap//usr/local/pd-admin2/htdocs/
Alias /pda-ssl-validation-files /opt/pdadmin/etc/ssl-validation
</VirtualHost>
Alias /pda-validate-ssl-files /opt/pdadmin/etc/validate-ssl
<FilesMatch "[A-Z0-9]+\.txt">
RewriteEngine on
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{REQUEST_FILENAME} ([A-Z0-9]+.txt)$
RewriteCond /opt/pdadmin/etc/validate-ssl/%1 -f
RewriteRule /.+ /pda-validate-ssl-files/%1 [L,DPI]
</FilesMatch>
Alles anzeigen
In der httpd.conf kommt dann folgendes bei raus:
<VirtualHost x.x.x.x:80>
ServerName admin.web4.x.y
RedirectMatch ^(?!/.well-known/acme-challenge).* https://admin.web4.x.ye$0
DocumentRoot /usr/local/pd-admin2/htdocs
...
<VirtualHost x.x.x.x:443>
SetEnvIf Request_URI "/roundcubemail" PHP5_VERSION=5.6.99
ServerName admin.web4.x.y
DocumentRoot /usr/local/pd-admin2/htdocs
AddHandler cgi-script .cgi .pl
RewriteEngine On
Alias /assets /opt/pdadmin/www/assets
Alias /html /opt/pdadmin/www/html
Alias /js /opt/pdadmin/www/js
Alias /css /opt/pdadmin/www/css
Alias /images /opt/pdadmin/www/images
Alias /customer /opt/pdadmin/www/customer
Alias /administrator /opt/pdadmin/www/administrator
Alias /pop3 /opt/pdadmin/www/pop3
Alias /assets /opt/pdadmin/www/assets
Alias /img /opt/pdadmin/www/img
Alias /pda-ssl-validation-files /opt/pdadmin/etc/ssl-validation
Alias /.well-known/acme-challenge/ /opt/pdadmin/etc/ssl-validation/.well-known/acme-challenge/
RewriteRule /customer/sid/[a-z0-9]+/(.*) /opt/pdadmin/www/customer/$1
RewriteRule /administrator/sid/[a-z0-9]+/(.*) /opt/pdadmin/www/administrator/$1
RewriteRule /pop3/sid/[a-z0-9]+/(.*) /opt/pdadmin/www/pop3/$1
SetEnv RLIMIT_CPU 480
SetEnv RLIMIT_NPROC 64
SetEnv RLIMIT_AS 1024000000
SetEnv RLIMIT_NOFILE 200
# WEBMAILER / phpMyAdmin
ScriptAlias /cgi-sys/ /usr/local/pd-admin2/cgi-sys/
AddHandler php5wrap .php .php3 .php4
Action php5wrap /cgi-sys/php5-cgiwrap//usr/local/pd-admin2/htdocs/
SSLEngine on
SSLCertificateFile /opt/pdadmin/sslcerts/admin.web4.x.y-cert
SSLCertificateKeyFile /opt/pdadmin/sslcerts/admin.web4.x.y-key
SSLCertificateChainFile /opt/pdadmin/sslcerts/admin.web4.x.y-cacert
Header add Strict-Transport-Security "max-age=15768000"
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
Alles anzeigen
Irgendwas scheint bei der Umleitung nicht zu funktionieren. Wenn ich in der Templatedatei den Alias /.well-known/acme/challenge/ hinzufüge, funktioniert es hingegen: