mod_md

Invalid character error on valid ServerName directive containing scheme://

Open Sp1l opened this issue 2 years ago • 3 comments

We're running into an error for domains where the ServerName contains a scheme:// prefix.

For servers where there's an SSL off-load in front of the Apache server, you must add scheme:// to the ServerName to force correct generation of redirect URLs.

```text
incomplete: certificate(rsa) is missing        LetsEncrypt    on        Error[Missing parameter for the specified command line option]: urn:ietf:params:acme:error:rejectedIdentifier Error creating new order :: Cannot issue for "https://origin.www.example.com": Domain name contains an invalid character Next run in ~17 hours
```

Sp1l, Aug 22 '23 12:08

Oh, did not even know that was a thing. Is this in the base server or in virtual hosts contexts? Would a ServerAlias with just the DNS name help as a temporary workaround?

icing, Aug 22 '23 13:08

> Oh, did not even know that was a thing.

Neither did I until I ran into the failing redirects 😃

> Is this in the base server or in virtual hosts contexts?

This is in a VirtualHost context.

> Would a ServerAlias with just the DNS name help as a temporary workaround?

It is the ServerAlias that causes the issue.

We've just removed the scheme:// prefix to make it work, our newer installs don't use SSL offloading. Created this issue more as a future improvement.

For completeness, this works:

```apache
Define vhost somevhost.subdom.example.com

MDomain ${vhost}

<VirtualHost *:443>
    ServerName  https://${vhost}
    ...
</VirtualHost>
```

But this results in the "invalid character" error:

```apache
Define vhost somevhost.subdom.example.com

MDomain ${vhost}
MDomain origin.${vhost}

<VirtualHost *:443>
    ServerName  https://${vhost}
    ServerAlias https://origin.${vhost}
    ...
</VirtualHost>
```

We're now using:

```apache
Define vhost somevhost.subdom.example.com
MDomain ${vhost} origin.${vhost}

<VirtualHost *:443>
    ServerName  ${vhost}
    ServerAlias origin.${vhost}
    ...
</VirtualHost>
```

All in all, replacing acme.sh with mod_md has been a very good experience!

Sp1l, Aug 23 '23 09:08

Thanks. I read httpd's code here:

  • ServerName supports setting the scheme. If you set https://${vhost}, it correctly splits this into the internal vars server_scheme and server_hostname. The latter is used by mod_md for matching and everything works.
  • ServerAlias does not support this. It just takes in the string configured. This means SNI will not match here when you configure ServerAlias https://origin.${vhost}. And mod_md will not work either, as Let's Encrypt correctly rejects this as an invalid DNS name.

tl;dr

What should work in your setup is:

```apache
<VirtualHost *:443>
    ServerName  https://${vhost}
    ServerAlias origin.${vhost}
    ...
</VirtualHost>
```

The server_scheme extracted from ServerName is also used for alias matches.

Therefore, I do not see anything to fix in mod_md regarding this. Do you agree?

icing, Aug 24 '23 07:08
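As an added example (not code from this issue, from httpd or from mod_md), the following Python model reproduces the asymmetry icing describes: ServerName is split into scheme and host, ServerAlias is stored verbatim, and whatever names a matching vhost carries end up as certificate members in the ACME order. It then audits the "broken" and "recommended" configurations from the thread for identifiers a CA would reject and for MDomain names that no vhost would answer to over TLS. The host names, the label check and the member-collection rule are assumptions written for this illustration; the only facts taken from the page are the error text and icing's description of the parsing.

```python
"""Model of the httpd/mod_md behaviour discussed in this issue (illustration,
not project code). It mimics (1) httpd splitting an optional scheme:// off
ServerName but storing ServerAlias verbatim, (2) mod_md collecting every name
of a matching vhost as a certificate member, and (3) a CA rejecting members
that are not plain DNS names.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Optional

# One RFC 1123 host label: letters/digits/hyphens, 1-63 chars, no edge hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_server_name(value: str) -> tuple[Optional[str], str, Optional[int]]:
    """Model of httpd's ServerName parsing: an optional scheme:// prefix and an
    optional :port are split off; only the host part takes part in matching."""
    scheme: Optional[str] = None
    rest = value
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    host, _, port = rest.partition(":")
    return (scheme.lower() if scheme else None, host.lower(),
            int(port) if port else None)


def is_acme_dns_identifier(name: str) -> bool:
    """Conservative check for what a CA accepts as an ACME 'dns' identifier:
    dotted RFC 1123 labels only (no scheme, port, path or wildcard)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


@dataclass
class VHost:
    server_name: str
    server_aliases: list[str] = field(default_factory=list)

    def scheme(self) -> Optional[str]:
        """Scheme httpd keeps for building self-referential (redirect) URLs."""
        return split_server_name(self.server_name)[0]

    def names(self) -> list[str]:
        """Names used for Host/SNI matching: ServerName after the scheme split,
        ServerAlias values verbatim (the asymmetry this thread is about)."""
        host = split_server_name(self.server_name)[1]
        return [host] + [alias.lower() for alias in self.server_aliases]

    def matches_sni(self, sni: str) -> bool:
        # httpd allows wildcards in ServerAlias, hence fnmatch rather than ==.
        return any(fnmatch.fnmatchcase(sni.lower(), n) for n in self.names())


def md_members(md_domains: list[str], vhosts: list[VHost]) -> list[str]:
    """Assumption: an MDomain naming a vhost's ServerName host pulls in every
    name of that vhost as a certificate member (mod_md's default member
    collection); the 'https://origin...' in the reported error implies this."""
    members = list(dict.fromkeys(d.lower() for d in md_domains))
    for vh in vhosts:
        if vh.names()[0] in members:
            members += [n for n in vh.names() if n not in members]
    return members


def audit(md_domains: list[str], vhosts: list[VHost]) -> dict:
    """Report what the ACME order would contain, which identifiers a CA would
    reject, and which MDomain names no vhost would answer to over TLS (SNI)."""
    members = md_members(md_domains, vhosts)
    return {
        "order": members,
        "rejected": [m for m in members if not is_acme_dns_identifier(m)],
        "unmatched_sni": [d for d in md_domains
                          if not any(vh.matches_sni(d) for vh in vhosts)],
        "scheme": [vh.scheme() for vh in vhosts],
    }


# Constructed configs mirroring the snippets posted in the thread (hostname is
# the placeholder from the issue, not a real deployment).
VHOST = "somevhost.subdom.example.com"
BROKEN = ([VHOST, f"origin.{VHOST}"],
          [VHost(f"https://{VHOST}", [f"https://origin.{VHOST}"])])
RECOMMENDED = ([VHOST, f"origin.{VHOST}"],
               [VHost(f"https://{VHOST}", [f"origin.{VHOST}"])])

if __name__ == "__main__":
    for label, (domains, vhosts) in (("broken", BROKEN),
                                     ("recommended", RECOMMENDED)):
        print(label, audit(domains, vhosts))
```

Running it shows the two failures at once for the broken configuration: the order would carry `https://origin.somevhost.subdom.example.com` as an identifier (which a CA rejects), and a client presenting SNI `origin.somevhost.subdom.example.com` would not select that vhost at all, so even a hand-installed certificate would not have fixed the alias. The recommended configuration keeps `https` on ServerName, so redirect URLs behind the TLS off-loader are still generated correctly, while every member stays a plain DNS name.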