Invalid character error on valid ServerName directive containing scheme:// #321

Open
Sp1l opened this issue Aug 22, 2023 · 3 comments

@Sp1l
Contributor

Sp1l commented Aug 22, 2023

We're running into an error for domains where the ServerName contains a scheme:// prefix.

For servers where there's an SSL off-load in front of the Apache server, you must add scheme:// to the ServerName to force correct generation of redirect URLs.

incomplete: certificate(rsa) is missing        LetsEncrypt    on        Error[Missing parameter for the specified command line option]: urn:ietf:params:acme:error:rejectedIdentifier Error creating new order :: Cannot issue for "https://origin.www.example.com": Domain name contains an invalid character Next run in ~17 hours
@icing
Owner

icing commented Aug 22, 2023

Oh, did not even know that was a thing. Is this in the base server or in virtual hosts contexts? Would a ServerAlias with just the DNS name help as a temporary workaround?

@Sp1l
Contributor Author

Sp1l commented Aug 23, 2023

Oh, did not even know that was a thing.

Neither did I until I ran into the failing redirects 😃

Is this in the base server or in virtual hosts contexts?

This is in a VirtualHost context

Would a ServerAlias with just the DNS name help as a temporary workaround?

It is the ServerAlias that causes the issue.

We've just removed the scheme:// prefix to make it work; our newer installs don't use SSL offloading. Created this issue more as a future improvement.

For completeness, this works:

Define vhost somevhost.subdom.example.com
MDomain ${vhost}

<VirtualHost *:443>
    ServerName  https://${vhost}
    ...
</VirtualHost>

But this results in the "invalid character" error:

Define vhost somevhost.subdom.example.com
MDomain ${vhost}
MDomain origin.${vhost}

<VirtualHost *:443>
    ServerName  https://${vhost}
    ServerAlias https://origin.${vhost}
    ...
</VirtualHost>

We're now using:

Define vhost somevhost.subdom.example.com
MDomain ${vhost} origin.${vhost}

<VirtualHost *:443>
    ServerName  ${vhost}
    ServerAlias origin.${vhost}
    ...
</VirtualHost>

All in all, replacing acme.sh with mod_md has been a very good experience!

@icing
Owner

icing commented Aug 24, 2023

Thanks. I read httpd's code here:

  • ServerName supports setting the scheme. If you set https://${vhost}, it correctly splits this into the internal vars server_scheme and server_hostname. The latter is used by mod_md for matching, and everything works.
  • ServerAlias does not support this. It just takes in the string as configured. This means SNI will not match when you configure ServerAlias https://origin.${vhost}. And mod_md will not work either, as Let's Encrypt correctly rejects this as an invalid DNS name.

tl;dr

What should work in your setup is:

<VirtualHost *:443>
    ServerName  https://${vhost}
    ServerAlias origin.${vhost}
    ...
</VirtualHost>

The server_scheme extracted from ServerName is also used for alias matches.

Therefore, I do not see anything to fix in mod_md regarding this. Do you agree?

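The two failure modes in this thread (a ServerAlias that carries a scheme, and an MDomain name that therefore never matches a served hostname or is rejected by the CA as an identifier) are easy to catch before mod_md ever contacts Let's Encrypt. The following is an added example, not code from mod_md or httpd: a small config linter that models the behaviour icing describes above (ServerName is split into scheme and hostname, ServerAlias is stored verbatim, MDomain names are matched against the resulting hostnames). The hostname syntax check is a conservative RFC 1123 approximation, an assumption about what the ACME CA accepts, and both configs embedded below are constructed for the example.

```python
import re

# Added example (not mod_md or httpd code): a linter for the
# ServerName / ServerAlias / MDomain interaction discussed in this issue.
# Assumptions: httpd splits a ServerName of the form scheme://host[:port]
# into server_scheme and server_hostname, stores ServerAlias verbatim, and
# mod_md matches MDomain names against the resulting hostnames.  Both
# configs below are constructed for the example.

BROKEN_CONFIG = """\
Define vhost somevhost.subdom.example.com
MDomain ${vhost}
MDomain origin.${vhost}

<VirtualHost *:443>
    ServerName  https://${vhost}
    ServerAlias https://origin.${vhost}
</VirtualHost>
"""

FIXED_CONFIG = """\
Define vhost somevhost.subdom.example.com
MDomain ${vhost} origin.${vhost}

<VirtualHost *:443>
    ServerName  https://${vhost}
    ServerAlias origin.${vhost}
</VirtualHost>
"""

# Conservative RFC 1123 label check (an assumption about what the ACME CA
# accepts as an identifier); a leading "*." wildcard label is tolerated.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://(.*)$")
VAR_RE = re.compile(r"\$\{(\w+)\}")


def is_dns_name(name):
    """True if name is a plain DNS name an ACME CA could issue for."""
    if name.startswith("*."):
        name = name[2:]
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def split_server_name(value):
    """Split 'scheme://host[:port]' the way httpd does for ServerName.
    Returns (scheme, hostname, port); scheme and port are None if absent."""
    scheme, rest = None, value
    m = SCHEME_RE.match(value)
    if m:
        scheme, rest = m.group(1).lower(), m.group(2)
    host, sep, port = rest.partition(":")
    return scheme, host.lower(), (int(port) if sep and port.isdigit() else None)


def expand(value, defines):
    """Expand ${var} references using earlier Define directives."""
    return VAR_RE.sub(lambda m: defines.get(m.group(1), m.group(0)), value)


def lint(config_text):
    """Return (line number, message) pairs for: a ServerAlias carrying a
    scheme, an MDomain name that is not a valid DNS name, and an MDomain
    name that no VirtualHost serves under ServerName or ServerAlias."""
    defines, md_names, served, findings = {}, [], set(), []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        directive, *args = line.split()
        directive = directive.lower()
        args = [expand(a, defines) for a in args]
        if directive == "define" and len(args) >= 2:
            defines[args[0]] = " ".join(args[1:])
        elif directive == "mdomain":
            md_names.extend((lineno, a.lower()) for a in args)
        elif directive == "servername" and args:
            # Only the hostname part takes part in SNI and mod_md matching.
            served.add(split_server_name(args[0])[1])
        elif directive == "serveralias":
            for alias in args:
                if SCHEME_RE.match(alias):
                    findings.append((lineno, f"ServerAlias '{alias}' carries a scheme; "
                                     "httpd stores it verbatim, so SNI will not match "
                                     "and the ACME CA will reject it as an identifier"))
                # Stored verbatim, mirroring httpd's ServerAlias handling.
                served.add(alias.lower())
    for lineno, name in md_names:
        if not is_dns_name(name):
            findings.append((lineno, f"MDomain '{name}' is not a valid DNS name"))
        elif name not in served:
            findings.append((lineno, f"MDomain '{name}' is neither the ServerName "
                             "nor a ServerAlias of any VirtualHost"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Run against the broken config it reports the scheme-bearing ServerAlias on line 7 and, as a consequence, that the origin MDomain on line 3 is served by no VirtualHost; the fixed config passes clean. The linter deliberately does not model wildcard ServerAlias matching or per-VirtualHost scoping, so treat its "neither ServerName nor ServerAlias" finding as a prompt to look, not as proof.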