Apache 2.4 : HTTPS redirection excepted for ./well-known/acme-challenge

Help
1

My domain is: metmetfamily.fr

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Arch Linux

Hello,

I would like to configure an exception in my HTTP to HTTPS redirection to get the "certbot-auto renew" working. Redirection from HTTP to HTTPS is working, even for URL like http://metmetfamily.fr/.well-known/acme-challenge/xxxxxxx. Consequently, i have to disable HTTPS redirection to get the certification renew with success.

Could you help me to understand what's getting wrong in this configuration please ?

/etc/apache2/sites-enabled/nextcloud.conf :

Alias /nextcloud" "/web/nextcloud/"
<VirtualHost *:80>
ServerName metmetfamily.fr
ServerAlias www.metmetfamily.fr
DocumentRoot "/web/nextcloud"
<Directory /web/nextcloud/>
Require all granted
Options FollowSymlinks MultiViews
AllowOverride All

                <IfModule mod_dav.c>
                        Dav off
                </IfModule>

                SetEnv HOME /web/nextcloud
                SetEnv HTTP_HOME /web/nextcloud
        </Directory>

        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^\.well-known/acme-challenge/.*
        RewriteRule ^https://%{HTTP_HOST}%{REQUEST_URI} [END,NE]
</VirtualHost>

<VirtualHost *:80>
        ServerName stats.metmetfamily.fr
        DocumentRoot "/web/stats"
        DirectoryIndex index.php
        <Directory /web/stats/>
               Require all granted
               Options FollowSymlinks MultiViews
               AllowOverride All
               <IfModule mod_dav.c>
                       Dav off
               </IfModule>
       </Directory>

#       RewriteEngine on
#        RewriteCond %{SERVER_NAME} =stats.metmetfamily.fr
#        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
1 Like
2

Are you using certbot --apache or certbot --webroot? You can check by looking for the authenticator line in /etc/letsencrypt/renewal/*.conf.

With the --apache case, it shouldn’t make any difference how your redirects are configured, the challenge response should always work.

With the --webroot case, you would probably need to do something, yes.

1 Like
3

Hello !
Thanks for your help.
authenticator = apache in metmetfamily.fr.conf
and
authenticator = webroot in stats.metmetfamily.fr.conf

The fact is now i check redirections by loading http://metmetfamily.fr/.well-known/acme-challenge/xxxxxx and i’m always redirected to https://metmetfamily.fr/index.php/login.

4

You don’t show metmetfamily.de anywhere.
You show metmetfamily.fr and stats.metmetfamily.fr only.

5

Yep, sorry, I misspelled the domain. I only have .fr domains.

When i execute certbot-auto renew --force-renewal, i have this output :

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/metmetfamily.fr.conf

Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/metmetfamily.fr/fullchain.pem

Processing /etc/letsencrypt/renewal/stats.metmetfamily.fr.conf

Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Attempting to renew cert (stats.metmetfamily.fr) from /etc/letsencrypt/renewal/stats.metmetfamily.fr.co nf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of d omains: stats.metmetfamily.fr,www.stats.metmetfamily.fr: see Rate Limits - Let's Encrypt. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/stats.metmetfamily.fr/fullchain.pem (failure)

The following certs were successfully renewed:
/etc/letsencrypt/live/metmetfamily.fr/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/stats.metmetfamily.fr/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

So, after all, redirection rules seem OK to allow certbot renewal with no problem of HTTPS redirection. The problem seems now only to be when i load the URL in a browser. That doesn't matter, right ?
I guess if i apply rewrite rules to stats.metmetfamily.fr, it will be OK ? But i have to wait some days to test it ?

6

Don't use --force-renewal. That uses up Let's Encrypt's resources and prevents you from issuing new certificates. If you want to test renewal, use --dry-run instead.

If this isn't working, try changing it to use the apache authenticator.

7

With --dry-run, i have 404 error for metmetfamily.fr but not for stats.metmetfamily.fr ??
It’s the same error with authenticator = apache and authenticator = webroot

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/metmetfamily.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for metmetfamily.fr
http-01 challenge for www.metmetfamily.fr
Using the webroot path /web/nextcloud for all unmatched domains.
Waiting for verification...
Challenge failed for domain metmetfamily.fr
Challenge failed for domain www.metmetfamily.fr
http-01 challenge for metmetfamily.fr
http-01 challenge for www.metmetfamily.fr
Cleaning up challenges
Attempting to renew cert (metmetfamily.fr) from /etc/letsencrypt/renewal/metmetfamily.fr.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/stats.metmetfamily.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stats.metmetfamily.fr
http-01 challenge for www.stats.metmetfamily.fr
Using the webroot path /web/stats for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/stats.metmetfamily.fr/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
  /etc/letsencrypt/live/metmetfamily.fr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/stats.metmetfamily.fr/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/metmetfamily.fr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: metmetfamily.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://metmetfamily.fr/.well-known/acme-challenge/wjKyVsnEQfluQ1VVBcUYttzL7VNr_qanAfe6OZe91dc
   [82.64.251.152]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: www.metmetfamily.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://www.metmetfamily.fr/.well-known/acme-challenge/8KpZSXLCZyyYapEO7pefjWzwzW7Robt1ttHv-ig15nQ
   [82.64.251.152]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

In renewal/metmetfamily.fr.conf, i now have :

# renew_before_expiry = 30 days
version = 1.5.0
archive_dir = /etc/letsencrypt/archive/metmetfamily.fr
cert = /etc/letsencrypt/live/metmetfamily.fr/cert.pem
privkey = /etc/letsencrypt/live/metmetfamily.fr/privkey.pem
chain = /etc/letsencrypt/live/metmetfamily.fr/chain.pem
fullchain = /etc/letsencrypt/live/metmetfamily.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
#authenticator = apache
#installer = apache
authenticator = webroot
webroot_path = /web/nextcloud,
account = 4a822f2bf1521e90f08097f62d27fa64
server = https://acme-v02.api.letsencrypt.org/directory

[[webroot_map]]
www.metmetfamily.fr = /web/nextcloud
metmetfamily.fr = /web/nextcloud

Here is the nextcloud.conf which redirects 80 to 443 :

Alias /nextcloud" "/web/nextcloud/"
<VirtualHost *:80>
        ServerName metmetfamily.fr
        ServerAlias www.metmetfamily.fr
        DocumentRoot "/web/nextcloud"
        <Directory /web/nextcloud/>
                Require all granted
                Options FollowSymlinks MultiViews
                AllowOverride All

                <IfModule mod_dav.c>
                        Dav off
                </IfModule>

                SetEnv HOME /web/nextcloud
                SetEnv HTTP_HOME /web/nextcloud
        </Directory>

        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^\.well-known/acme-challenge/.*
        RewriteRule ^https://%{HTTP_HOST}%{REQUEST_URI} [END,NE]
</VirtualHost>

<VirtualHost *:80>
        ServerName stats.metmetfamily.fr
        DocumentRoot "/web/stats"
        DirectoryIndex index.php
        <Directory /web/stats/>
               Require all granted
               Options FollowSymlinks MultiViews
               AllowOverride All
               <IfModule mod_dav.c>
                       Dav off
               </IfModule>
       </Directory>
        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^\.well-known/acme-challenge/.*
        RewriteRule ^https://%{HTTP_HOST}%{REQUEST_URI} [END,NE]
</VirtualHost>

<VirtualHost 192.168.1.18:80>
        ServerName 192.168.1.18
        DocumentRoot "/web/stats"
        DirectoryIndex index.php
        <Directory /web/stats/>
               Require all granted
               Options FollowSymlinks MultiViews
               AllowOverride All
               <IfModule mod_dav.c>
                       Dav off
               </IfModule>
       </Directory>

</VirtualHost>
8

I’m sorry, i did many edits of the precedent post, having some troubles with my config files and the layout after copying and pasting here…

9

It seems to be OK for all certificates with certbot-auto renew --dry-run :slight_smile:

My apache configuration /etc/apache2.sites-available/nextlcoud.conf is now just redirecting from 80 to 443 :
<VirtualHost :80>
RewriteEngine on
RewriteRule ^/?(.) https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=301]

And all domains from /etc/letsencrypt/renewal/*.conf have apache as authenticator, no more webroot as suggested by _az :
authenticator = apache
installer = apache

Thank you, i guess i just need to wait some days before testing a real renewal.

1 Like
10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.