Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Scott Faulkner 3 posts 73 karma points
    Jan 15, 2021 @ 19:24
    Scott Faulkner
    0

    Umbraco 8 + appservice-acmebot Let's Encrypt

    Has anyone integrated Umbraco 8+ with appservice-acmebot (https://github.com/shibayan/appservice-acmebot) to automate the issuance and renewal of certificates through Let's Encrypt? Just not able to get it working while keeping the site and backoffice working, too. The problem is that Umbraco always intercepts the call to http://domain/.well-known/... Have set both Umbraco.Core.ReservedUrls and Umbraco.Core.ReservedPaths to various combinations of ~/.well-known, ~/.well-known/, ~/.well-known/acme-challenge, ~/.well-known/acme-challenge/ with no luck. It's as if those settings are not actually implemented within Umbraco.

  • Bo Jacobsen 475 posts 1922 karma points
    Jan 15, 2021 @ 21:24
    Bo Jacobsen
    0

    Hi Scott.

    You need a rewrite rule like

    <rule name="Allow LetsEncrypt" patternSyntax="Wildcard" stopProcessing="true">
         <match url=".well-known/*" />
          <action type="None" />
    </rule>
    
  • Scott Faulkner 3 posts 73 karma points
    Jan 15, 2021 @ 21:50
    Scott Faulkner
    0

    Forgot to mention that I tried that, too. Still handled by Umbraco.

  • Bo Jacobsen 475 posts 1922 karma points
    Jan 16, 2021 @ 10:39
    Bo Jacobsen
    2

    You might have to set the reservedUrls and put a web.config inside the .well-known folder.

    When i am back om work on monday, i will post what we do to make it work.

  • Ilyas Balgabekov 15 posts 126 karma points
    Jan 18, 2021 @ 04:51
    Ilyas Balgabekov
    0

    Hello, Scott. I'm just adding that in my web.config.

    <appSettings>
        <add key="umbracoReservedPaths" value="~/umbraco,~/install/,~/.well-known" />
    </appSettings>
    
  • Bo Jacobsen 475 posts 1922 karma points
    Jan 18, 2021 @ 09:53
    Bo Jacobsen
    0

    Hi Scott.

    We do this to be 100% sure that it works. (You might not need it all)

    web.config

      <appSettings>
        <add key="Umbraco.Core.ReservedPaths" value="~/.well-known" />
      </appSettings>
      <system.webServer>
        <rewrite>
          <rules>
            <!-- This have to be the first rule -->
            <rule name="Allow SSL renewal" patternSyntax="Wildcard" stopProcessing="true">
              <match url=".well-known/acme-challenge/*" />
              <action type="None" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    

    .well-known/web.config

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.webServer>
        <validation validateIntegratedModeConfiguration="false"/>
        <handlers>
          <remove name="aspNetCore"/>
        </handlers>
        <rewrite>
          <rules>
            <clear />
            <rule name="AcmeChallenge" stopProcessing="true">
              <match url=".*" />
              <action type="Rewrite" url="{R:0}.txt" appendQueryString="false" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </configuration>
    
  • Chris Kim 44 posts 215 karma points c-trib
    Aug 02, 2021 @ 23:11
    Chris Kim
    0

    This got me on the right track, but I had to make a few more modifications to the .well-known/web.config to reset some of the system.web and system.webServer config of the Umbraco application. This is what I ended up with:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.webServer>
        <validation validateIntegratedModeConfiguration="false"/>
        <modules runAllManagedModulesForAllRequests="true">
          <remove name="WebDAVModule"/>
          <remove name="UmbracoModule"/>
          <remove name="ScriptModule"/>
          <remove name="ClientDependencyModule"/>
          <remove name="FormsAuthentication"/>
          <remove name="ImageProcessorModule"/>
          <remove name="TelemetryCorrelationHttpModule" />
          <remove name="ApplicationInsightsWebTracking" />
        </modules>
        <handlers>
          <clear />
          <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
        </handlers>
        <staticContent>
          <remove fileExtension="." />
          <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
        <rewrite>
          <rules>
            <clear />
          </rules>
        </rewrite>
      </system.webServer>
      <system.web>
        <compilation>
          <assemblies>
            <clear />
          </assemblies>
        </compilation>
        <membership defaultProvider="">
          <providers>
            <clear />
          </providers>
        </membership>
        <roleManager enabled="false">
          <providers>
            <clear />
          </providers>
        </roleManager>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </configuration>
    

    Note that you should also upload a file called configured (no extension) to the .well-known folder, to tell acmebot not to overwrite your modified web.config.

  • Steven 3 posts 92 karma points
    Jun 24, 2021 @ 07:49
    Steven
    0

    Hi,

    for this to work, should the .well-known folder be placed inside the wwwroot folder of the appservice?

    In our setup this folder is placed outside of the wwwroot folder, directly in the site folder.

    In that case would it be possible to add a virtual path?

  • Scott Faulkner 3 posts 73 karma points
    Jun 24, 2021 @ 12:45
    Scott Faulkner
    0

    I finally gave up because nothing worked consistently. It seems as if Umbraco just ignored the reserved paths and reserved url settings and tried to serve the .well-known path anyway. In the end, I scrapped it altogether. Since we are using Microsoft Azure for hosting, and they've greatly improved their free cert offering, we switched to that. No more hassles.

Please Sign in or register to post replies

Write your reply to:

Draft