Can't validate domain after adding domain to HSTS and deleting the certificate


#1

I used to use Let's Encrypt, and it worked well. A few weeks ago I moved my project to AWS, but deleted all the Let's Encrypt certificates I own by mistake. I also added my domain unicooo.com to HSTS, which forces people to access my domain only over https.

So now I can't visit my site by http or https (because it forces https but my certificate is missing), and Let's Encrypt can't download the file for validation either. Any ideas?

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/challenges/ > ./signed.crt

ValueError: Wrote file to /home/xxx/www/challenges/oJbvpIhkwkBGBAQUklWJXyC8VbWAdQqlgpwUJkgC1Vg, but couldn’t download http://www.yoursite.com/.well-known/acme-challenge/oJbvpIhkwkBGBAQUklWJXyC8VbWAdQqlgpwUJkgC1Vg


#2

You’re providing acme_tiny with the directory ~/www/challenges/, but Let's Encrypt expects the challenge to be in ~/www/.well-known/acme-challenge/.

So unless you've got some kind of redirect, it's not going to work with your current setup.
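The usual way to make a custom --acme-dir work, as an added example that is not part of this thread: have the web server serve that directory at the /.well-known/acme-challenge/ path that Let's Encrypt fetches. The nginx snippet below assumes the paths from the original post (/home/xxx/www/challenges/ as the acme-dir and unicooo.com as the site); adjust them to your layout.

```nginx
# Plain-HTTP server block for the domain being validated.
# Let's Encrypt requests the token over http://, so this block must
# answer on port 80 and must NOT redirect the challenge path to https.
server {
    listen 80;
    server_name unicooo.com www.unicooo.com;

    # Map the acme_tiny --acme-dir onto the path the CA fetches.
    # "alias" replaces the matched prefix, so
    #   /.well-known/acme-challenge/TOKEN -> /home/xxx/www/challenges/TOKEN
    location /.well-known/acme-challenge/ {
        alias /home/xxx/www/challenges/;
        try_files $uri =404;
    }

    # Anything else may still be redirected to https once a
    # certificate is in place; keep it below the challenge location.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, write a test file into the acme-dir and fetch it over plain http (curl http://unicooo.com/.well-known/acme-challenge/test) before running acme_tiny again; that is the same download acme_tiny attempts itself, and the ValueError in the original post is exactly that check failing.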


#3

But I can't access my domain now, so how does Let's Encrypt download the file using the domain?


#4

Unless I’m mistaken, the Let’s Encrypt servers don’t honor HSTS. If they do (and you’re not also using HPKP), you could always generate a self-signed certificate.


#5

Should I remove my domain from HSTS first and then validate my domain? Or is there another way to validate my domain?


#6

I strongly doubt that HSTS has anything to do with the problem you’re seeing (and you shouldn’t be serving the HSTS header over HTTP anyway, and HTTP is how Let’s Encrypt requests the validation token). The problem is almost certainly, as @Osiris says, that you’re putting the challenge token in the wrong directory.


#7

You are right, it's about the directory!! Thank you very much!

