NEOS breaks CERTBOT SSL renewal

OK, I am new to NEOS… installed fine, using existing https domain.

Now it’s time to renew the expiring SSL certificate, but the certbot renewal FAILS because NEOS is intercepting the call to the (supposedly hidden) /var/www/html/Neos/Web/.well-known/ folder - and serving up its 404 page there!!

How can I configure NEOS not to serve 404 for that folder (so that CERTBOT can use it for its http challenge mechanism)?

Thanks In Advance!

Hey, welcome to the community!

You can tell your webserver to ignore that folder for redirecting to the index.php.
On Apache, the following line needs to be changed in Web/.htaccess:

	RewriteRule ^(_Resources/Packages/|robots\.txt|favicon\.ico) - [L]

->

	RewriteRule ^(_Resources/Packages/|\.well-known/|robots\.txt|favicon\.ico) - [L]

This is important enough that it warrants a PR to fix this:

1 Like

Thanks for the quick reply!

That sort of fixes it… I do not get the Neos 404 page any more causing havoc with CERTBOT. :white_check_mark:

For reasons unknown (something misconfigured upstream, I guess) I still get CERTBOT renew failure, but the page that is interfering is now the root of another website (the one whose /var/www/html/ folder my Neos installation is actually a sub-folder of). I have other working webs with the same situation (subfolders of /var/www/html/) - that do not show this problem with certbot…

PS, and oddly, I can actually surf to the certbot-required [web-redacted] /.well-known/acme-challenge/ folder without being redirected to the other web…

> /var/www/html/ folder my Neos installation is actually a sub-folder of

I assume that folder above is a web docroot for another domain (or the default)?
If so, not sure this has anything to do with the issue, but this is bad practice - you should not place the whole Neos installation into any docroot, because this will lead to any file, e.g. in the Configuration folder, being web-accessible, if not very carefully ruled out via additional configuration.
The typical setup is to have Neos installed anywhere, e.g. in /var/www/Neos, then configure the webserver to make /var/www/Neos/Web the docroot for this Neos website, for example via VirtualHost configuration in Apache.

	<VirtualHost *:80>
	    DocumentRoot "/var/www/Neos/Web"
	    ServerName foo.acme.com
	    ErrorLog "logs/foo.acme.com-error.log"
	    CustomLog "logs/foo.acme.com-access.log" common
	</VirtualHost>

It could be that the web server configuration of the underlying docroot now catches the .well-known request.

1 Like
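The docroot point in the reply above, as an added example that is not part of the thread or of the Neos project: a small audit that lists which files of an installation get a URL under a given docroot while sitting outside the public Web folder. The function names and the sample tree are constructed for illustration; the check looks at filesystem layout only and does not evaluate .htaccess or other deny rules, so its output is a list of candidates to verify.

```python
import os
import tempfile

def exposed_files(docroot, install_dir, public_subdir="Web"):
    """Return URL paths of files in install_dir that the docroot maps to a
    URL although they live outside the application's public folder."""
    docroot = os.path.realpath(docroot)
    install_dir = os.path.realpath(install_dir)
    public = os.path.join(install_dir, public_subdir)
    exposed = []
    for base, _dirs, files in os.walk(install_dir):
        for name in files:
            path = os.path.join(base, name)
            # Only files below the docroot are reachable by URL at all.
            if os.path.commonpath([docroot, path]) != docroot:
                continue
            # Files under the public folder are meant to be served.
            if os.path.commonpath([public, path]) == public:
                continue
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            exposed.append("/" + rel)
    return sorted(exposed)

def build_sample_tree(root):
    """Constructed sample layout, loosely shaped like a Neos install."""
    for rel in ("Neos/Configuration/Settings.yaml",
                "Neos/Data/Logs/System.log",
                "Neos/Web/index.php",
                "Neos/Web/.well-known/acme-challenge/token"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return os.path.join(root, "Neos")

def demo():
    with tempfile.TemporaryDirectory() as root:
        install = build_sample_tree(root)
        # Layout from the thread: Neos is a sub-folder of another docroot.
        bad = exposed_files(docroot=root, install_dir=install)
        # Recommended layout: the docroot is the Web folder itself.
        good = exposed_files(docroot=os.path.join(install, "Web"),
                             install_dir=install)
    return bad, good

if __name__ == "__main__":
    bad, good = demo()
    print("docroot = parent folder:", bad)
    print("docroot = Neos/Web:     ", good)
```

Each reported path is worth requesting against the live server to confirm it returns 403 or 404 rather than the file contents.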

Well, I will uninstall Neos and reinstall in a more ideal location. Can you please advise how to completely uninstall Neos using composer? I can’t seem to find instructions for that in the Neos docs… Thanks!

Just delete the whole folder :wink: There is no uninstall; you can remove single packages, but that’s probably not what you want to do.

1 Like