Adding the 'www' prefix with 301 redirect breaks validation?

Today I noticed that the HTTP-01 verification did not follow the redirect, which changed the protocol from http to https and added the 'www' prefix.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]

where %{SERVER_NAME} is the domain with the 'www' prefix.

I made it work by adding

RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$

just before the RewriteRule.

The certificate was issued with the domain (without prefix) listed first...

Is this expected behaviour?

Hi @danci1973

please explain your question:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello @JuergenAuer,

here you go:

  • My domain is: stud-dom-lj.si
  • I ran this command: certbot renew
  • It produced this output: unfortunately the exact output is no longer available / screen buffer ran out - essentially renewal failed; logs on the server show that requests have only been sent to HTTP, never to HTTPS (I have separate logs)
  • My web server is (include version): Apache/2.4.6
  • The operating system my web server runs on is (include version): CentOS 7.9.2009
  • My hosting provider, if applicable, is: n.a.
  • I can login to a root shell on my machine (yes or no, or I don't know): yes
  • I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
  • The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.2.0

Your configuration can't work - see https://check-your-website.server-daten.de/?q=stud-dom-lj.si

Your main domain has ipv4 and ipv6:

Host                Type  IP-Address                 Location / owner                                          is auth.  ∑ Queries  ∑ Timeout
stud-dom-lj.si      A     91.233.163.196             Maribor/Slovenia (SI) - AGENDA d.o.o, no hostname found   yes       1          0
                    AAAA  2001:1470:8000:402:2::952  Ljubljana/Slovenia (SI) - ARNES provider                  yes
www.stud-dom-lj.si  A     91.233.163.196             Maribor/Slovenia (SI) - AGENDA d.o.o, no hostname found   yes       1          0

But ipv6 doesn't work, there is a timeout:

Domainname                  IP-Address                 Http-Status  redirect / note                                            Sec.    G
http://stud-dom-lj.si/      91.233.163.196             301          https://stud-dom-lj.si/ (Html is minified: 100,00 %)       0.077   A-
http://www.stud-dom-lj.si/  91.233.163.196             301          https://www.stud-dom-lj.si/ (Html is minified: 100,00 %)   0.053   A-
http://stud-dom-lj.si/      2001:1470:8000:402:2::952  -14          Timeout - The operation has timed out                      10.046  T

That's fatal, because when checking your domain Let's Encrypt prefers IPv6. So validation of your main domain fails.

  • I ran this command: certbot renew

That doesn't show the authenticator. If you use --apache, a temporary rule is added, so only http is checked and the redirect is skipped.

But that's not the cause of your failing domain; the timeout is.

  • Remove the ipv6 (or, better)
  • fix it, so you have a working ipv6
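A small probe that puts both points of this thread together, the ACME-path exclusion from the first post and the IPv6 preference from the reply above. This is an added example, not code from the thread or from Certbot. It mimics what an ACME validation server does for an HTTP-01 challenge: it requests http://<host>/.well-known/acme-challenge/<token> over one address family at a time, follows up to 10 redirects (validators do follow http to https and to another hostname), and accepts only a final 200 whose body starts with the token. The transport is a parameter, so `demo()` replays the situation reported in the thread with a constructed fake server (the domain name is the one from the thread; the token and the responses are made up), while `real_fetch()` uses only the standard library for a live check against your own host.

```python
"""HTTP-01 reachability probe for a host that publishes A and AAAA records.

Added example, not code from the forum thread or from Certbot. It mimics
what an ACME validation server does for an HTTP-01 challenge: request
http://<host>/.well-known/acme-challenge/<token> over one address family,
follow up to 10 redirects (to https and to other hostnames), and accept
only a final 200 whose body starts with the token. The transport is a
parameter, so the decision logic can be exercised offline with a
constructed fake; real_fetch() uses only the standard library.
"""
import re
import socket
import ssl
import sys
import http.client
from urllib.parse import urljoin, urlsplit

ACME_PATH = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10
# Same character class as the RewriteCond exclusion posted in the thread:
# a challenge token is base64url, so nothing else (no '/', no '..') is let
# past the http->https redirect.
TOKEN_PATH_RE = re.compile(r"^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$")


def bypasses_redirect(path):
    """True when the thread's RewriteCond would exempt this path from the 301."""
    return TOKEN_PATH_RE.match(path) is not None


def real_fetch(url, family, timeout=10):
    """GET url over a single address family; do not follow redirects.

    Returns (status, location_header_or_None, first_1024_body_bytes).
    Raises OSError (incl. socket.timeout) when the host is unreachable."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    # getaddrinfo pinned to `family` forces the A or the AAAA record.
    addr = socket.getaddrinfo(u.hostname, port, family, socket.SOCK_STREAM)[0][4]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(addr)
    if u.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=u.hostname)
    conn = http.client.HTTPConnection(u.hostname, port, timeout=timeout)
    conn.sock = sock                       # reuse our family-pinned socket
    conn.request("GET", u.path or "/", headers={"Host": u.hostname,
                                                 "User-Agent": "http01-probe"})
    resp = conn.getresponse()
    body = resp.read(1024)
    conn.close()
    return resp.status, resp.getheader("Location"), body


def probe(host, token, family, fetch=real_fetch):
    """Walk the redirect chain a validator would walk. Returns (ok, trail)."""
    url = "http://%s%s%s" % (host, ACME_PATH, token)
    trail = []
    for _ in range(MAX_REDIRECTS + 1):
        try:
            status, location, body = fetch(url, family)
        except OSError as exc:             # dial failure / timeout on this family
            trail.append((url, "error: %s" % exc))
            return False, trail
        trail.append((url, status))
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # validators do follow http->https
            continue
        return status == 200 and body.startswith(token.encode()), trail
    trail.append((url, "too many redirects"))
    return False, trail


def demo():
    """Offline replay of the thread's situation with a constructed fake server:
    IPv4 answers with the www/https redirect and then the token, IPv6 times out."""
    host, token = "stud-dom-lj.si", "EXAMPLE_TOKEN_not_a_real_challenge"
    start = "http://%s%s%s" % (host, ACME_PATH, token)
    final = "https://www.%s%s%s" % (host, ACME_PATH, token)
    scripted = {                           # constructed responses, not captures
        (socket.AF_INET, start): (301, final, b""),
        (socket.AF_INET, final): (200, None, token.encode() + b".thumbprint"),
        (socket.AF_INET6, start): socket.timeout("timed out"),
    }

    def fake_fetch(url, family):
        reply = scripted[(family, url)]
        if isinstance(reply, Exception):
            raise reply
        return reply

    return {fam.name: probe(host, token, fam, fake_fetch)
            for fam in (socket.AF_INET, socket.AF_INET6)}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        for fam, (ok, trail) in demo().items():
            print(fam, "OK" if ok else "FAIL", trail)
        sys.exit(0)
    # Live mode: python http01_probe.py <host> <token>, where <token> names a
    # test file you placed under /.well-known/acme-challenge/ whose content
    # starts with that token. IPv6 is tried first, as the validator does.
    for fam in (socket.AF_INET6, socket.AF_INET):
        ok, trail = probe(sys.argv[1], sys.argv[2], fam)
        print(fam.name, "OK" if ok else "FAIL", trail)
```

In the replay, the IPv4 chain succeeds even though the redirect to https://www... is in place, because the probe follows it the way the validator does; the IPv6 attempt fails before any HTTP exchange, which is the failure the reply above points at. Running the live mode against your own host with a throwaway token file shows which of the two you are actually exposing, and `bypasses_redirect()` lets you confirm that the exclusion regex admits exactly token-shaped paths and nothing else.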
