301 caching on acme challenge?


#1

Hi,

My question is: does Let’s Encrypt cache 301 redirects for the ACME challenge? And, if so, for how long?

I’m using docker-compose-letsencrypt-nginx-proxy-companion to handle my LE cert renewals. I’m using it with several domains, most of which 301 redirect to my main domain. All these redirecting domains also get their own HTTPS certs from LE.

This reverse proxy has a strange failure state where it occasionally loops through all my domains when my main domain is requested, endlessly 301 redirecting until the client gives up. That’s where the above question comes into play. I noticed today that my main domain went down, and LE was having trouble accessing the .well-known directory for that domain. I removed all of my certs, and all of them successfully renewed except for my main domain.

nginx-letsencrypt      | 2018-11-24 21:51:12,082:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxx

I suspect that because I’m using 301 redirects, they’re being cached, thus the question above.


#2

Hi @rickyromero

Let’s Encrypt doesn’t cache 301 redirects, but it does follow them.

So if you have some wrong redirects with a loop, Let’s Encrypt will fail to validate your challenge file.
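The behaviour described in the reply, as an added example that is not code from Let’s Encrypt, from the nginx-proxy companion, or from either poster: a small redirect follower for the `/.well-known/acme-challenge/` path that follows each 301 afresh (nothing is cached), stops when a URL repeats (a loop like the one in the question) or when a redirect limit is hit, and reports the chain it walked. The hostnames, the `CONSTRUCTED_SITE` table and the `max_redirects` value are constructed for this example; `live_fetch` is an optional helper for checking a real host and is not used by the offline run.

```python
"""Bounded redirect follower with loop detection for an ACME HTTP-01 path.

Constructed example. It models a validator that follows 301/302 redirects on
/.well-known/acme-challenge/ rather than caching them, and that gives up when
the redirects loop or exceed a limit. Hostnames below are made up.
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener

# A fetcher returns (status_code, Location header or None, body text).
Fetcher = Callable[[str], Tuple[int, Optional[str], str]]

REDIRECT_CODES = (301, 302, 303, 307, 308)


def follow_challenge(url: str, fetch: Fetcher, max_redirects: int = 10) -> dict:
    """Follow redirects from `url` until a non-3xx answer, a loop, or the limit.

    Every hop is fetched again; no earlier 301 is remembered between runs,
    which is the point made in the reply above.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_redirects):
        status, location, body = fetch(current)
        if status not in REDIRECT_CODES:
            return {"ok": status == 200, "status": status, "chain": chain,
                    "body": body, "reason": None if status == 200 else f"HTTP {status}"}
        if not location:
            return {"ok": False, "status": status, "chain": chain,
                    "body": "", "reason": "redirect without Location header"}
        nxt = urljoin(current, location)
        chain.append(nxt)
        if nxt in seen:  # the proxy sent us somewhere we have already been
            return {"ok": False, "status": status, "chain": chain,
                    "body": "", "reason": "redirect loop"}
        seen.add(nxt)
        current = nxt
    return {"ok": False, "status": None, "chain": chain,
            "body": "", "reason": "too many redirects"}


# Constructed offline stand-in for a set of hosts behind one reverse proxy.
CONSTRUCTED_SITE: Dict[str, Tuple[int, Optional[str], str]] = {
    # healthy host: the token is served directly
    "http://good.example/.well-known/acme-challenge/tok": (200, None, "tok.thumbprint"),
    # healthy redirect to HTTPS that terminates
    "http://alt.example/.well-known/acme-challenge/tok":
        (301, "https://alt.example/.well-known/acme-challenge/tok", ""),
    "https://alt.example/.well-known/acme-challenge/tok": (200, None, "tok.thumbprint"),
    # misconfigured proxy: main domain and a secondary domain bounce to each other
    "http://main.example/.well-known/acme-challenge/tok":
        (301, "http://other.example/.well-known/acme-challenge/tok", ""),
    "http://other.example/.well-known/acme-challenge/tok":
        (301, "http://main.example/.well-known/acme-challenge/tok", ""),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str], str]:
    """Offline fetcher over the constructed table; unknown URLs answer 404."""
    return CONSTRUCTED_SITE.get(url, (404, None, ""))


def live_fetch(url: str, timeout: int = 10) -> Tuple[int, Optional[str], str]:
    """Fetch one URL without letting urllib follow redirects on its own.

    Hypothetical helper for checking a real host; not exercised offline.
    """
    class _NoRedirect(HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for 3xx instead of following

    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, headers={"User-Agent": "challenge-check"}),
                         timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode(errors="replace")
    except HTTPError as err:
        return err.code, err.headers.get("Location"), ""


def check_host(host: str, token: str = "tok", fetch: Fetcher = fake_fetch) -> dict:
    """Report whether the challenge path for `host` resolves to a 200 without looping."""
    return follow_challenge(f"http://{host}/.well-known/acme-challenge/{token}", fetch)


if __name__ == "__main__":
    for host in ("good.example", "alt.example", "main.example", "missing.example"):
        result = check_host(host)
        print(f"{host}: ok={result['ok']} reason={result['reason']} chain={' -> '.join(result['chain'])}")
```

Running the module prints one line per constructed host; `main.example` is reported with `reason=redirect loop` and a chain that returns to its starting URL, which is the failure mode the question describes. To try it against a real deployment, call `check_host("yourdomain", "some-token", fetch=live_fetch)` from the host you expect to be reachable from the internet.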