From: Stefan Hagen Subject: Re: /etc/examples/httpd.conf: remove acme-challenge location from tls block To: Lucas de Sena Cc: tech@openbsd.org Date: Fri, 17 Jan 2025 07:56:42 +0100 Lucas de Sena wrote (2025-01-13 23:53 CET): > This patch removes the acme-challenge location from the TLS block in > httpd.conf(5) example for port 443 (HTTPS). Per RFC 8555, section 8.3 > (https://www.rfc-editor.org/rfc/rfc8555#section-8.3): > > > the challenge must be completed over HTTP, not HTTPS > > There is no point in providing that location on HTTPS too. > > diff /usr/src > path + /usr/src > commit - 7b08975fc0d222558ca53c00d21416b54423d3bb > blob - 3083d9703824057bf4645397afdcb308298aeb14 > file + etc/examples/httpd.conf > --- etc/examples/httpd.conf > +++ etc/examples/httpd.conf > @@ -20,8 +20,4 @@ server "example.com" { > location "/pub/*" { > directory auto index > } > - location "/.well-known/acme-challenge/*" { > - root "/acme" > - request strip 2 > - } > } Agreed, the challenge types that run over 443 are working differently. ok sdk@ Best regards, Stefan
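Review bot: The `location "/.well-known/acme-challenge/*"` block removed from the TLS `server "example.com"` could still be reached by a validation request that starts on port 80 and is redirected to HTTPS, so the commit message should state that the example relies on the port 80 server block answering the challenge path itself, ahead of any redirect. RFC 8555 section 8.3 requires the challenge request to be made over HTTP, but it also says the ACME server SHOULD follow redirects; anyone who copied the example and redirects all port 80 traffic would see challenge requests fail once these four lines are gone. The hunk does not show the port 80 block, so a sentence in the message confirming that it keeps the matching location with `root "/acme"` and `request strip 2` would close that gap.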