# Use Apache2 as reverse proxy for lacme's internal webserver using the # provided snippet # bind the webserver to the default listening address sed -i 's|^listen\s*=|#&|' /etc/lacme/lacme.conf DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends apache2 curl ln -fs /etc/lacme/apache2.conf /etc/apache2/conf-available/lacme.conf a2enmod proxy_http a2enconf lacme mkdir /run/apache2 ( set +eux && . /etc/apache2/envvars && apache2 ) # ensure that requests to the root URI and challenge URIs yield 502 Bad Gateway before starting the webserver rv="$(curl -w"%{http_code}" -so/dev/null http://127.0.0.1/.well-known/acme-challenge/)"; [ $rv -eq 503 ] rv="$(curl -w"%{http_code}" -so/dev/null http://127.0.0.1/.well-known/acme-challenge/foo)"; [ $rv -eq 503 ] lacme --debug newOrder 2>"$STDERR" || fail test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key grepstderr -Fq "Forking ACME webserver bound to /run/lacme-www.socket, child PID " grepstderr -Fq "Forking lacme-accountd, child PID " grepstderr -Fq "Forking /usr/libexec/lacme/client, child PID " grepstderr -Fq "Shutting down lacme-accountd" grepstderr -Fq "Shutting down ACME webserver bound to /run/lacme-www.socket" grepstderr -Eq "Incoming connection: GET /\.well-known/acme-challenge/\S+ HTTP/[0-9.]+$" # ensure apache2 was indeed used to serve challenge responses (Let's Encrypt caches validation results) grep -E "\"GET /\.well-known/acme-challenge/\S+ HTTP/[0-9.]+\" 200 .* \(([^)]+; )*Let's Encrypt validation server(; [^)]+)*\)\"$" \ /var/log/apache2/access.log # vim: set filetype=sh :