Certbot not renewing for domain with redirection

I was asked by a client to put a redirect in place for a domain and to create a sub-domain for the same docroot. The domain redirection is causing a problem with certbot renewing the certificate. The sub-domain renewal is apparently fine. The same acme-challenge folder is used by the domain and the sub-domain. My effort to create a rewrite exception for the acme-challenge request does not seem to work for Certbot. Looking for a fix/workaround to keep the domain certified and stop the browser ‘not secure’ warning prior to redirection (the target site is secure). If there isn’t a quick/easy solution to this I guess we’ll just buy a cheap certificate instead. Thanks in advance for help!

Domain is: nationalinclusionweek.co.uk
Sub-domain is: 2017.nationalinclusionweek.co.uk

The .conf and le-ssl.conf files each have the following rule:

RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
RewriteRule ^ https://www.otherwebsite.co.uk/national_inclusion_week/ [END,NE,R=permanent]
(Have tried the RewriteCond with and without leading slash)

The .htaccess in the docroot has the following rule:

RewriteRule "/\.|^\.(?!well-known/)" - [F]

When I drop a test file in the acme-challenge directory I can access it from a browser via http and https for both www and non-www.

I ran this command: certbot renew --dry-run

It produced this output:


Processing /etc/letsencrypt/renewal/2017.nationalinclusionweek.co.uk.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for 2017.nationalinclusionweek.co.uk
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/2017.nationalinclusionweek.co.uk/fullchain.pem


Processing /etc/letsencrypt/renewal/nationalinclusionweek.co.uk.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nationalinclusionweek.co.uk
http-01 challenge for www.nationalinclusionweek.co.uk
Waiting for verification…
Cleaning up challenges

  • The following errors were reported by the server:

Domain: nationalinclusionweek.co.uk
Type: unauthorized
Detail: Invalid response from
http://nationalinclusionweek.co.uk/.well-known/acme-challenge/y7yNxCkyx5_MgnoEidt0nStZo5x7DG0lqm6LvQQiklQ:

Domain: www.nationalinclusionweek.co.uk
Type: unauthorized
Detail: Invalid response from
http://www.nationalinclusionweek.co.uk/.well-known/acme-challenge/mpF9oQqq1hCDoTd15S5yyxJT6nHM_sFadlFl53o4Av4

My web server is : Apache 2.4
The operating system my web server runs on is : Ubuntu 16.04.4 LTS
My hosting provider is: Digital Ocean
I can login to a root shell on my machine : Yes
I’m using a control panel to manage my site : No

Can you try a much simpler rule at the very top (seriously, nothing above it) of your .htaccess?

RewriteEngine On
RewriteRule ^\.well-known - [L]

Whatever is generating the redirect to inclusiveemployers.co.uk is not heeding your existing rules.

If it’s coming from the .conf files, then perhaps try changing your existing RewriteCond to:

RewriteRule ^\.well-known - [L]

Thanks for replying. Indeed that is a much simpler rule, easier to read than mine.

http://www testfile works and so does http://non-www testfile

Sadly Certbot still fails with reason ‘unauthorized’. Certbot reads and writes to the same directory for the sub-domain certificate without a problem.

Neither of those test files work. They’re both doing unconditional redirects to the other site:

$ curl -X GET -I http://www.nationalinclusionweek.co.uk/.well-known/acme-challenge/testfile
HTTP/1.1 301 Moved Permanently
Date: Wed, 04 Jul 2018 09:22:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://www.inclusiveemployers.co.uk/national_inclusion_week/

Are you sure you’re not using some kind of /etc/hosts trick? Does the domain actually point to this server in DNS?

Ah, Chrome had cached the testfile pages apparently. Yes, you’re right, they do redirect.

I’ve not touched the hosts file or the DNS records. Just checked again now, all is as they were prior to the redirect.

This is the sub-domain working with SSL https://2017.nationalinclusionweek.co.uk/

I’m not sure then.

I just set up a domain with:

<VirtualHost *:80>
	ServerName my-test-domain.invalid
	RewriteEngine on
	RewriteRule ^ https://www.inclusiveemployers.co.uk/national_inclusion_week/ [END,NE,R=permanent]
</VirtualHost>

then ran

certbot --apache -d my-test-domain.invalid

and Certbot was able to deal with the redirect and issue the certificate successfully.

I’m not able to figure out what piece of info is different in your situation, maybe schoen or bmw can help you out once they’re available.

Ugh I'm an idiot. You're using the apache authenticator for 2017., which is why it works.

Change the base domain/www domain to use apache instead of webroot, and it'll work fine:

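The difference the reply above points at lives in certbot's renewal confs under /etc/letsencrypt/renewal/: the `authenticator` line decides whether renewal relies on the docroot being served over plain HTTP (webroot) or on certbot serving the token itself (apache). The script below is an added example, not code from this thread or from certbot. It reads that setting out of constructed sample confs (the `/var/www/niw` webroot path is hypothetical), and it judges a challenge fetch the way the CA does: Let's Encrypt follows redirects and then compares the body with the key authorization from RFC 8555 section 8.3, which is why a 301 to another site ends in "Invalid response" even though the test file is reachable. The account key is the EC example key from RFC 7515 appendix A.3; the token is the one from the error output above.

```python
"""Preflight checks for a certbot http-01 renewal (added example, not from the thread).

Two checks: (1) which authenticator each renewal conf uses, since 'webroot'
needs <docroot>/.well-known/acme-challenge/ reachable over plain HTTP without
a redirect while 'apache' serves the token from a temporary vhost snippet;
(2) whether a fetched challenge response would satisfy a CA, which follows
redirects and then requires the body to equal the key authorization.
The renewal conf texts, the /var/www/niw path and the responses are constructed.
"""
import base64
import hashlib
import json
import urllib.error
import urllib.request
from typing import Dict, Tuple

SAMPLE_RENEWAL_CONFS = {  # constructed; certbot writes these under /etc/letsencrypt/renewal/
    "2017.nationalinclusionweek.co.uk.conf": "version = 0.25.0\n"
    "archive_dir = /etc/letsencrypt/archive/2017.nationalinclusionweek.co.uk\n"
    "[renewalparams]\nauthenticator = apache\ninstaller = apache\n",
    "nationalinclusionweek.co.uk.conf": "version = 0.25.0\n"
    "archive_dir = /etc/letsencrypt/archive/nationalinclusionweek.co.uk\n"
    "[renewalparams]\nauthenticator = webroot\ninstaller = None\n"
    "webroot_path = /var/www/niw,\n[[webroot_map]]\n"
    "nationalinclusionweek.co.uk = /var/www/niw\n"
    "www.nationalinclusionweek.co.uk = /var/www/niw\n",
}


def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for certbot's configobj-style renewal file: top-level keys
    land in section "", "[renewalparams]" and "[[webroot_map]]" get their own dict."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = line.strip("[]").strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def authenticators(confs: Dict[str, str]) -> Dict[str, str]:
    """Map each renewal conf name to the plugin it renews with ('?' if unset)."""
    return {name: parse_renewal_conf(text).get("renewalparams", {}).get("authenticator", "?")
            for name, text in confs.items()}


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: base64url(SHA-256(canonical JSON of the required members))."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return base64.urlsafe_b64encode(hashlib.sha256(canonical.encode()).digest()).rstrip(b"=").decode()


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """Contents the challenge file must have: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def classify_challenge_response(status: int, final_url: str, body: bytes,
                                expected: str) -> Tuple[bool, str]:
    """Judge the fetch as a CA does once redirects have been followed.
    Trailing whitespace in the body is tolerated (RFC 8555 section 8.3)."""
    if status != 200:
        return False, f"expected 200, got {status} at {final_url}"
    if body.rstrip() != expected.encode():
        return False, f"body at {final_url} is not the key authorization"
    return True, f"ok: {final_url}"


def preflight(host: str, token: str, expected: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Live check (needs network; not used by the offline demo below): put a file
    named <token> containing <expected> in <webroot>/.well-known/acme-challenge/,
    then fetch it over plain HTTP, following redirects just as the CA would."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_challenge_response(resp.status, resp.geturl(), resp.read(), expected)
    except urllib.error.HTTPError as err:
        return classify_challenge_response(err.code, err.geturl(), err.read() or b"", expected)


if __name__ == "__main__":
    for name, auth in authenticators(SAMPLE_RENEWAL_CONFS).items():
        print(f"{name}: authenticator={auth}")
    # Account key from the RFC 7515 appendix A.3 example; token from the thread's error output.
    jwk = {"kty": "EC", "crv": "P-256",
           "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
           "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
    expected = key_authorization("y7yNxCkyx5_MgnoEidt0nStZo5x7DG0lqm6LvQQiklQ", jwk)
    # The thread's failure: the 301 was followed and the other site's HTML came back.
    print(classify_challenge_response(200, "https://www.inclusiveemployers.co.uk/national_inclusion_week/",
                                      b"<!DOCTYPE html><html>...</html>", expected))
    # What a correct serve looks like (a trailing newline is fine).
    print(classify_challenge_response(200, "http://nationalinclusionweek.co.uk/.well-known/acme-challenge/y7yN",
                                      (expected + "\n").encode(), expected))
```

Run it as-is for the offline demo; for a real check, write a file under the webroot's `.well-known/acme-challenge/` and call `preflight(host, token, expected)` before `certbot renew`, which tells you whether the redirect exemption actually holds from the outside without spending a rate-limited validation attempt. Switching the base domain's authenticator from webroot to apache, as the reply above suggests, sidesteps the docroot entirely.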

DOH!!!

Thank you for spotting that! I spent so long looking and tinkering I could not see the wood for the trees!


It's fixed now, yay! Also thanks for showing me letsdebug, I was unaware of it until now!
