https://www.beulenrechner.de/.well-known/acme-challenge/letsencrypt
Your non-HTTPS website redirects to the HTTPS variant of the same website. But the HTTPS site is "protected" by a self-signed certificate.
While a redirect isn't going to be a problem (it shouldn't anyway), I think a redirect to an invalid TLS secured site isn't going to work.
You could try to disable redirecting for the /.well-known/acme-challenge/ location.
This is the snippet which must be entered in the Apache directives section. As I said, I used ispconfig.
The problem must be caused by a recent change in the LE clients.
# Directory for the Let's Encrypt webroot method
<IfModule mod_headers.c>
<LocationMatch "/.well-known/acme-challenge/*">
Header set Content-Type "text/plain"
</LocationMatch>
</IfModule>
# Always redirect to https
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
@Osiris: Self-signed or expired certificates are generally fine when used with http-01
- the validation is based on the IP address returned by DNS and something that IP address serves in cleartext without authentication, so if that connection is compromised, it's game over anyway.
I've seen some issues where boulder was unable to connect because of a self-signed SHA-1 certificate, so it could still be related to the certificate, although this one isn't SHA-1. I tried debugging this using a local CA server (boulder), but it's succeeding (as in: I'm getting an expected HTTP 404, and not a "general" connection error). Could be a configuration difference between what I'm running and the production boulder instance, though.
@MikeFrizz: Here is one more idea on how to avoid redirecting to HTTPS for .well-known/acme-challenge. Add the following line:
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
right before
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
If Let's Encrypt is still reporting a connection error with your next run, it's not related to your SSL configuration, but rather some network issue.
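To see what the extra RewriteCond changes, here is a small Python model of the three mod_rewrite directives discussed in this thread (the HTTPS check, the negated acme-challenge condition, and the redirect rule). This is an added example, not code from the thread or from Apache; the host name and request paths are constructed, and the `exclude_acme` flag is a hypothetical switch that stands for "the extra RewriteCond line is present or absent" so both configurations can be compared offline.

```python
import re

# The exclusion pattern exactly as given in the thread:
#   RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
# Python's re accepts the escaped hyphen just as Apache's PCRE does.
ACME_EXCLUDE = re.compile(r"^/\.well\-known/acme\-challenge/")


def rewrite_target(https_on, host, request_uri, exclude_acme=True):
    """Return the redirect URL the rules would issue for one request,
    or None when the request is served as-is (no redirect).

    Models:
        RewriteCond %{HTTPS} off
        RewriteCond %{REQUEST_URI} !^/\\.well\\-known/acme\\-challenge/  (only if exclude_acme)
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    """
    # RewriteCond %{HTTPS} off: only plain-HTTP requests are candidates.
    if https_on:
        return None
    # Negated condition: a request under the ACME path makes the rule not fire,
    # so the http-01 validator reaches the token over plain HTTP.
    if exclude_acme and ACME_EXCLUDE.match(request_uri):
        return None
    # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    return "https://" + host + request_uri


def challenge_reachable_over_http(host, token, exclude_acme=True):
    """True when a plain-HTTP request for the challenge token is served
    directly rather than bounced to the (self-signed) HTTPS site."""
    uri = "/.well-known/acme-challenge/" + token
    return rewrite_target(False, host, uri, exclude_acme) is None


if __name__ == "__main__":
    # Constructed sample requests (hypothetical host and token).
    host = "example.test"
    for path in ["/index.html", "/.well-known/acme-challenge/abc123"]:
        for flag in (False, True):
            print(path, "exclude_acme=%s" % flag, "->",
                  rewrite_target(False, host, path, exclude_acme=flag))
    print("challenge reachable:", challenge_reachable_over_http(host, "abc123"))
```

With the exclusion line present, an ordinary plain-HTTP request is still sent to HTTPS, while the challenge path is answered directly; without it, the challenge path is redirected to the self-signed HTTPS site, which is the situation the earlier replies describe.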
You did it. Thx a lot.