Certbot’s auto-renew recently failed and when looking into why, it seems it doesn’t follow 308 redirects (301 redirects work fine though). This seems like a bug, given that 301 works. In the meantime I’ve “fixed” it by setting the http -> https redirect to use 301 instead of 308, but this is suboptimal.
@Sharparam, could you provide the full Nginx config you were using? And ideally restore your Nginx server to use that same config? That way we can double check whether this is really a problem with Let’s Encrypt following redirects or it’s an Nginx config problem.
I ask because I briefly tried to configure Nginx to serve 308 redirects with
# nginx: redirect every plain-HTTP request to the same URL over HTTPS with a 308
if ($scheme != "https") {
    return 308 https://$host$request_uri;
}
But I found that Nginx handles this incorrectly and does not set a Location header.
Looking at the responses, I notice that nginx is not adding a Location header on 308 like it does for 301. It’s not a requirement in the RFC for 308 but is still recommended. It does enclose the preferred URL in the response body as specified in the RFC though. This behaviour is different from 301 which could be what is causing issues?
Edit: Though on closer inspection, the RFC doesn’t say anything about “SHOULD” like this page (which I usually use for HTTP code references) does while referencing the RFC: https://httpstatuses.com/308
Edit (third time’s the charm): nginx 1.10 (used on sharparam.com) returns the URL in the response body. nginx 1.14 (used on another of my servers) returns it in the Location header. I guess to be completely compatible with how the RFC is written a tool would need to check both places, prioritizing the header?
Sounds like you've found a good solution: Upgrade to Nginx 1.14.
Here's what RFC 7538 says:
Note that it doesn't say anything about User-Agents using the response body as a value for automatic redirection if the response body happens to parse as a URL. I'm pretty sure that would be incorrect behavior.
Testing with curl and Chrome suggests they agree with Go's net/http library: If there's no Location header they don't perform a redirect.
BTW, thanks for providing your Nginx config and setting the server up for testing again! I'm done testing now if you'd like to revert it.
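To make the point in the reply above concrete, here is an added example (not code from this thread or from Certbot) that parses a raw HTTP response and applies the same rule curl, Chrome and Go use: a 301/308 is only followed if it carries a Location header, never on the strength of a URL in the body. The three sample responses are constructed to mimic the nginx 1.10 and 1.14 behaviours described in the thread; the hostname and challenge token are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: str


def parse_response(raw: bytes) -> Response:
    """Split a raw HTTP/1.1 response into status, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body.decode("utf-8", "replace"))


def redirect_target(resp: Response) -> Optional[str]:
    """URL a standards-following client would go to, or None.

    Only the Location header counts; a URL that merely appears in the
    response body is ignored, which is why an ACME HTTP-01 check behind
    a Location-less 308 fails even though a browser user could click it.
    """
    if resp.status not in REDIRECT_CODES:
        return None
    return resp.headers.get("location")


# Constructed samples (placeholders, not real servers or tokens).
TARGET = "https://example.invalid/.well-known/acme-challenge/TOKEN"
OLD_NGINX_308 = (b"HTTP/1.1 308 Permanent Redirect\r\nServer: nginx/1.10.3\r\n"
                 b"Content-Type: text/html\r\n\r\n" + TARGET.encode())
NEW_NGINX_308 = (b"HTTP/1.1 308 Permanent Redirect\r\nServer: nginx/1.14.0\r\n"
                 b"Location: " + TARGET.encode() + b"\r\n\r\n<html>308</html>")
NGINX_301 = (b"HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.10.3\r\n"
             b"Location: " + TARGET.encode() + b"\r\n\r\n<html>301</html>")

if __name__ == "__main__":
    for name, raw in [("1.10 308", OLD_NGINX_308), ("1.14 308", NEW_NGINX_308),
                      ("1.10 301", NGINX_301)]:
        print(name, "->", redirect_target(parse_response(raw)))
```

Pointing the same check at a live server (e.g. the bytes from a `curl -si` run) shows whether a renewal client will be able to reach the challenge file through the redirect.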
Yeah, the server was stuck on 1.10 since Ubuntu 16.04 doesn’t have later versions in its repo (been holding off on upgrading to 18.04 because I’m lazy). But there’s a PPA that has 1.14 so it’s now running 1.14 like the 18.04 server.
It’s now returning a Location header so should work the next time the renewal runs!