I was asked by the client to put a redirect in place for a domain and create a sub-domain for the same docroot. The domain redirection is causing a problem with certbot renewing the certificate. The sub-domain renewal is apparently fine. The same acme-challenge folder is used by the domain and the sub-domain. My effort to create a rewrite exception for the acme-challenge request does not seem to work for Certbot. Looking for a fix/workaround to keep the domain certified and stop the browser ‘not secure’ warning prior to redirection (the target site is secure). If there isn’t a quick/easy solution to this I guess we’ll just buy a cheap certificate instead. Thanks in advance for help!
Domain is: nationalinclusionweek.co.uk
Sub-domain is: 2017.nationalinclusionweek.co.uk
The .conf and le-ssl.conf files each have the following rule:
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
RewriteRule ^ https://www.otherwebsite.co.uk/national_inclusion_week/ [END,NE,R=permanent]
(Have tried the RewriteCond with and without leading slash)
The .htaccess in the docroot has the following rule:
# Return 403 for any dot-file or dot-directory except .well-known/
RewriteRule "/\.|^\.(?!well-known/)" - [F]
When I drop a test file in the acme-challenge directory I can access it from a browser via http and https for both www and non-www.
I ran this command: certbot renew --dry-run
It produced this output:
Processing /etc/letsencrypt/renewal/2017.nationalinclusionweek.co.uk.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for 2017.nationalinclusionweek.co.uk
Waiting for verification…
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/2017.nationalinclusionweek.co.uk/fullchain.pem
Processing /etc/letsencrypt/renewal/nationalinclusionweek.co.uk.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nationalinclusionweek.co.uk
http-01 challenge for www.nationalinclusionweek.co.uk
Waiting for verification…
Cleaning up challenges
…
- The following errors were reported by the server:
Domain: nationalinclusionweek.co.uk
Type: unauthorized
Detail: Invalid response from
http://nationalinclusionweek.co.uk/.well-known/acme-challenge/y7yNxCkyx5_MgnoEidt0nStZo5x7DG0lqm6LvQQiklQ:
Domain: www.nationalinclusionweek.co.uk
Type: unauthorized
Detail: Invalid response from
http://www.nationalinclusionweek.co.uk/.well-known/acme-challenge/mpF9oQqq1hCDoTd15S5yyxJT6nHM_sFadlFl53o4Av4
My web server is : Apache 2.4
The operating system my web server runs on is : Ubuntu 16.04.4 LTS
My hosting provider is: Digital Ocean
I can login to a root shell on my machine : Yes
I’m using a control panel to manage my site : No
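The quickest way to see why the webroot renewal fails is to request a challenge file exactly as the CA's HTTP-01 validator does: plain HTTP on port 80, for each hostname named in the certificate, following redirects and checking that the body that comes back is the file that was dropped into the webroot. The script below is an added example, not code from the original post or from Certbot; it assumes the webroot Certbot writes into is /var/www/html (a hypothetical path; substitute the --webroot-path in the renewal .conf) and uses the two hostnames from the error output. It writes a random token into .well-known/acme-challenge, fetches it from both names, removes the file, and reports a verdict that distinguishes a 403 from the .htaccess rule, an off-site redirect from the vhost rule, and a wrong webroot (the path is served, but the body is not the token).

```python
"""Added example (not from the original post): reproduce what an HTTP-01
validator sees for each hostname before running `certbot renew`."""
import os
import secrets
import urllib.error
import urllib.request

# Assumed webroot (hypothetical path); use the --webroot-path from the renewal .conf.
WEBROOT = "/var/www/html"
# Hostnames taken from the error output in the post.
HOSTS = ["nationalinclusionweek.co.uk", "www.nationalinclusionweek.co.uk"]
CHALLENGE_DIR = ".well-known/acme-challenge"


def challenge_url(host, token):
    """URL the CA requests for an HTTP-01 token: plain HTTP on port 80."""
    return f"http://{host}/{CHALLENGE_DIR}/{token}"


def evaluate(status, body, token, requested_url, final_url):
    """Classify one fetch the way a validator would: 200 and a body that is
    exactly the token file. The validator follows redirects, so a redirect is
    tolerated only if it still lands on the same challenge path; the vhost
    rule in the post would send the request to another site instead."""
    if status != 200:
        return f"FAIL status {status}"
    if body.strip() != token:
        return "FAIL body mismatch (page served something other than the token; wrong webroot?)"
    if final_url != requested_url:
        if final_url.endswith(f"/{CHALLENGE_DIR}/{token}"):
            return "OK (redirected, but still to the challenge path)"
        return f"FAIL redirected off the challenge path to {final_url}"
    return "OK"


def fetch(url):
    """Return (status, body, final_url). HTTP error statuses are returned, not
    raised; urllib follows redirects, so geturl() is the final location."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-path-check/0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), resp.geturl()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace"), e.geturl()


def run_check(webroot=WEBROOT, hosts=HOSTS):
    """Drop a throwaway token into the webroot, fetch it via every hostname,
    and always remove it again. Returns {host: verdict}."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(token)
    try:
        results = {}
        for host in hosts:
            url = challenge_url(host, token)
            try:
                status, body, final = fetch(url)
            except OSError as e:  # URLError (DNS, refused, timeout) is an OSError
                results[host] = f"FAIL {e}"
                continue
            results[host] = evaluate(status, body, token, url, final)
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    for host, verdict in run_check().items():
        print(f"{host}: {verdict}")
```

Run it as root on the server (it needs write access to the webroot). A "FAIL status 403" points at the .htaccess dot-file rule, a "FAIL redirected off the challenge path" means the RewriteCond exception in the vhost is not being hit for that hostname, and a body mismatch with a 200 means the name resolves to a docroot other than the one the token was written to.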