tomcat-users mailing list archives

From Christopher Schultz
Subject Re: /.well-known Hidden directory url returns 404
Date Mon, 01 May 2017 22:11:57 GMT


On 5/1/17 3:11 PM, Ian Brown wrote:
> I am trying to https/SSL enable my tomcat application server and 
> have a problem when I request verification from the CA.
> Let's Encrypt requires the certificate request to be placed in 
> mydomain.tld/.well-known/acme-challenge/ which they query to check 
> that I control the site.
> Tomcat does not appear to handle hidden directories correctly.
> There are several on-line references to Tomcat being an issue, but I
> have yet to find a Tomcat solution.
I'm doing this in a completely-scripted environment using certbot-auto,
etc. I'm presenting everything at ApacheCon/TomcatCon in two weeks in
Miami if you'd like to join us. After my presentation, the slides, etc.
will be available online.

There is nothing "hidden" about a directory that starts with a period.
It's just an indication to "ls" that the directory entry should not be
shown unless a certain flag is present.

Tomcat is ignorant of that convention, and the "hiddenness" of your
directory is a red herring.

> The hidden directory problem manifests in two ways. 1. If I create a
> site/app with the directory /.well-known/ Tomcat
> creates two contexts where there should be one, one for my app and
> another for /.well-known (i.e. a sub directory of the app)

What is your application's context-path? If it's anything other than ""
(empty string, for the ROOT web application) then requests to
/.well-known won't be served by your application. Period.

> 2. If I don't create a /.well-known/ directory, but try and do a
> urlrewrite from /.well-known/ to say /well-known/ it still sees the
> url as trying to access a separate context /.well-known/
> and does not rewrite it as expected.

Note that url-rewrite must be configured within an application -- it
can't be done globally. Basically, if you want to serve responses to a
URL like /.well-known/whatever, then you either need an application with
a context-path of "/.well-known", or you need the ROOT application to
respond to those requests.

> Request-dumper shows ( some lines removed for clarity)
> requestURI=/.well-known/acme-challenge/test.html 
> contextPath=/.well-known serverName=mydomain.tld serverPort=80 
> servletPath=/acme-challenge/test.html status=404
> The above fails if /.well-known/acme-challenge/test.html exists or 
> not since it is looking in the wrong context path.

What context-path did you expect?

> Contrasts with a correctly served (not hidden) page.
> requestURI=/stats/index.html contextPath= 
> header=host=www.mydomain.tld contextPath= 
> serverName=www.mydomain.tld serverPort=80 
> servletPath=/stats/index.html status=200

Those are all being served by the ROOT web application. Why not put your
/.well-known files within the ROOT web application? Or leave them in
/.well-known as above? Please post some more details for what you are
doing in case #1 above where the context-path of the application is
/.well-known. For example, what files are on the disk, and where? Where
is the <Context> defined?

-chris
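
The context selection discussed in this message, as an added example (a simplified model, not Tomcat's code and not part of the original message): the request goes to the deployed context whose path is the longest segment-aligned prefix of the URI, with "" being ROOT. The `map_request` helper and the `/myapp` context path are hypothetical names used for illustration.

```python
def map_request(request_uri, context_paths):
    """Pick the context for a URI: the longest context path that is a
    segment-aligned prefix wins; "" (ROOT) matches every URI.
    Returns (contextPath, path_within_context), or None if nothing matches.
    With only the default servlet mapped, the remainder is what the
    request dumper in the thread reports as servletPath."""
    best = None
    for cp in context_paths:
        if cp == "":
            matches = True
        else:
            # "/.well-known" must not claim "/.well-knownfoo/..."
            matches = request_uri == cp or request_uri.startswith(cp + "/")
        if matches and (best is None or len(cp) > len(best)):
            best = cp
    if best is None:
        return None
    return best, request_uri[len(best):]


if __name__ == "__main__":
    uri = "/.well-known/acme-challenge/test.html"
    # Constructed deployments; "/myapp" is a hypothetical context path.
    for deployed in (["", "/.well-known"], [""], ["/myapp"]):
        print(deployed, "->", map_request(uri, deployed))
```

The first deployment reproduces the contextPath and servletPath from the quoted request dump; the second shows ROOT receiving the full path; the third shows that an application deployed only under another context path never sees the challenge request.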
