Apache 2.4: HTTPS redirection excepted for /.well-known/acme-challenge

My domain is: metmetfamily.fr

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Arch Linux

Hello,

I would like to configure an exception in my HTTP to HTTPS redirection to get "certbot-auto renew" working. Redirection from HTTP to HTTPS is working, even for a URL like http://metmetfamily.fr/.well-known/acme-challenge/xxxxxxx. Consequently, I have to disable HTTPS redirection to get the certificate renewal to succeed.

Could you help me understand what's going wrong in this configuration, please?

/etc/apache2/sites-enabled/nextcloud.conf:

Alias "/nextcloud" "/web/nextcloud/"
<VirtualHost *:80>
        ServerName metmetfamily.fr
        ServerAlias www.metmetfamily.fr
        DocumentRoot "/web/nextcloud"
        <Directory /web/nextcloud/>
                Require all granted
                Options FollowSymlinks MultiViews
                AllowOverride All

                <IfModule mod_dav.c>
                        Dav off
                </IfModule>

                SetEnv HOME /web/nextcloud
                SetEnv HTTP_HOME /web/nextcloud
        </Directory>

        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^\.well-known/acme-challenge/.*
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE]
</VirtualHost>

<VirtualHost *:80>
        ServerName stats.metmetfamily.fr
        DocumentRoot "/web/stats"
        DirectoryIndex index.php
        <Directory /web/stats/>
               Require all granted
               Options FollowSymlinks MultiViews
               AllowOverride All
               <IfModule mod_dav.c>
                       Dav off
               </IfModule>
       </Directory>

#       RewriteEngine on
#        RewriteCond %{SERVER_NAME} =stats.metmetfamily.fr
#        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
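As an added example (not the poster's configuration), here is the same port-80 vhost with the exception written so that it actually matches: in Apache, %{REQUEST_URI} is the path component of the request and begins with "/", so a pattern anchored at `^\.well-known` never matches and the negated condition sends every request to the redirect. The challenge directory under /var/lib/letsencrypt is an assumed path.

```apache
# Added example, not the poster's file. Port-80 vhost that serves ACME
# http-01 challenge files from a dedicated directory and redirects
# everything else to HTTPS. /var/lib/letsencrypt is an assumed path.
<VirtualHost *:80>
    ServerName metmetfamily.fr
    ServerAlias www.metmetfamily.fr

    # Challenge files live outside the application's DocumentRoot, so the
    # application's own .htaccess rules cannot interfere with them.
    Alias /.well-known/acme-challenge/ /var/lib/letsencrypt/.well-known/acme-challenge/
    <Directory /var/lib/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine on
    # %{REQUEST_URI} starts with "/", so the exception must be anchored
    # at "/.well-known", not at ".well-known".
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Check it with `curl -sI http://metmetfamily.fr/.well-known/acme-challenge/probe`: the answer should come from port 80 (200 or 404, no Location header), while any other path should return 301 to https://. With the webroot authenticator, webroot_path is then /var/lib/letsencrypt, the parent of .well-known.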

Are you using certbot --apache or certbot --webroot? You can check by looking for the authenticator line in /etc/letsencrypt/renewal/*.conf.

With the --apache case, it shouldn't make any difference how your redirects are configured; the challenge response should always work.

With the --webroot case, you would probably need to do something, yes.


Hello!
Thanks for your help.
authenticator = apache in metmetfamily.fr.conf
and
authenticator = webroot in stats.metmetfamily.fr.conf

The fact is that I now check the redirections by loading http://metmetfamily.fr/.well-known/acme-challenge/xxxxxx and I'm always redirected to https://metmetfamily.fr/index.php/login.

You don’t show metmetfamily.de anywhere.
You show metmetfamily.fr and stats.metmetfamily.fr only.

Yep, sorry, I misspelled the domain. I only have .fr domains.

When I execute certbot-auto renew --force-renewal, I get this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/metmetfamily.fr.conf

Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/metmetfamily.fr/fullchain.pem

Processing /etc/letsencrypt/renewal/stats.metmetfamily.fr.conf

Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Attempting to renew cert (stats.metmetfamily.fr) from /etc/letsencrypt/renewal/stats.metmetfamily.fr.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: stats.metmetfamily.fr,www.stats.metmetfamily.fr: see https://letsencrypt.org/docs/rate-limits/. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/stats.metmetfamily.fr/fullchain.pem (failure)

The following certs were successfully renewed:
/etc/letsencrypt/live/metmetfamily.fr/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/stats.metmetfamily.fr/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

So, after all, the redirection rules seem OK for allowing certbot renewal without any HTTPS redirection problem. The problem now seems to be only when I load the URL in a browser. That doesn't matter, right?
I guess that if I apply the rewrite rules to stats.metmetfamily.fr, it will be OK? But I have to wait some days to test it?

Don’t use --force-renewal. That uses up Let’s Encrypt’s resources and prevents you from issuing new certificates. If you want to test renewal, use --dry-run instead.

If this isn’t working, try changing it to use the apache authenticator.

With --dry-run, I get a 404 error for metmetfamily.fr but not for stats.metmetfamily.fr??
It's the same error with authenticator = apache and authenticator = webroot.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/metmetfamily.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for metmetfamily.fr
http-01 challenge for www.metmetfamily.fr
Using the webroot path /web/nextcloud for all unmatched domains.
Waiting for verification...
Challenge failed for domain metmetfamily.fr
Challenge failed for domain www.metmetfamily.fr
http-01 challenge for metmetfamily.fr
http-01 challenge for www.metmetfamily.fr
Cleaning up challenges
Attempting to renew cert (metmetfamily.fr) from /etc/letsencrypt/renewal/metmetfamily.fr.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/stats.metmetfamily.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stats.metmetfamily.fr
http-01 challenge for www.stats.metmetfamily.fr
Using the webroot path /web/stats for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/stats.metmetfamily.fr/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
  /etc/letsencrypt/live/metmetfamily.fr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/stats.metmetfamily.fr/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/metmetfamily.fr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: metmetfamily.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://metmetfamily.fr/.well-known/acme-challenge/wjKyVsnEQfluQ1VVBcUYttzL7VNr_qanAfe6OZe91dc
   [82.64.251.152]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: www.metmetfamily.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://www.metmetfamily.fr/.well-known/acme-challenge/8KpZSXLCZyyYapEO7pefjWzwzW7Robt1ttHv-ig15nQ
   [82.64.251.152]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

In renewal/metmetfamily.fr.conf, I now have:

# renew_before_expiry = 30 days
version = 1.5.0
archive_dir = /etc/letsencrypt/archive/metmetfamily.fr
cert = /etc/letsencrypt/live/metmetfamily.fr/cert.pem
privkey = /etc/letsencrypt/live/metmetfamily.fr/privkey.pem
chain = /etc/letsencrypt/live/metmetfamily.fr/chain.pem
fullchain = /etc/letsencrypt/live/metmetfamily.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
#authenticator = apache
#installer = apache
authenticator = webroot
webroot_path = /web/nextcloud,
account = 4a822f2bf1521e90f08097f62d27fa64
server = https://acme-v02.api.letsencrypt.org/directory

[[webroot_map]]
www.metmetfamily.fr = /web/nextcloud
metmetfamily.fr = /web/nextcloud

Here is the nextcloud.conf which redirects 80 to 443:

Alias "/nextcloud" "/web/nextcloud/"
<VirtualHost *:80>
        ServerName metmetfamily.fr
        ServerAlias www.metmetfamily.fr
        DocumentRoot "/web/nextcloud"
        <Directory /web/nextcloud/>
                Require all granted
                Options FollowSymlinks MultiViews
                AllowOverride All

                <IfModule mod_dav.c>
                        Dav off
                </IfModule>

                SetEnv HOME /web/nextcloud
                SetEnv HTTP_HOME /web/nextcloud
        </Directory>

        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^\.well-known/acme-challenge/.*
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE]
</VirtualHost>

<VirtualHost *:80>
        ServerName stats.metmetfamily.fr
        DocumentRoot "/web/stats"
        DirectoryIndex index.php
        <Directory /web/stats/>
               Require all granted
               Options FollowSymlinks MultiViews
               AllowOverride All
               <IfModule mod_dav.c>
                       Dav off
               </IfModule>
       </Directory>
        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^\.well-known/acme-challenge/.*
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE]
</VirtualHost>

<VirtualHost 192.168.1.18:80>
        ServerName 192.168.1.18
        DocumentRoot "/web/stats"
        DirectoryIndex index.php
        <Directory /web/stats/>
               Require all granted
               Options FollowSymlinks MultiViews
               AllowOverride All
               <IfModule mod_dav.c>
                       Dav off
               </IfModule>
       </Directory>

</VirtualHost>

I'm sorry, I made many edits to the previous post, having some trouble with my config files and the layout after copying and pasting them here…

It seems to be OK for all certificates with certbot-auto renew --dry-run.

My Apache configuration /etc/apache2/sites-available/nextcloud.conf is now just redirecting from 80 to 443:
<VirtualHost *:80>
        RewriteEngine on
        RewriteRule ^/?(.*) https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=301]
</VirtualHost>

And all domains in /etc/letsencrypt/renewal/*.conf now have apache as the authenticator, no longer webroot, as suggested by _az:
authenticator = apache
installer = apache

Thank you, I guess I just need to wait some days before testing a real renewal.

