Could not connect to .well-known

https://www.beulenrechner.de/.well-known/acme-challenge/letsencrypt

Your non-HTTPS website redirects to the HTTPS variant of the same website. But the HTTPS site is “protected” by a self-signed certificate.

While a redirect isn't going to be a problem (it shouldn't anyway), I think a redirect to an invalid TLS secured site isn't going to work.

You could try to disable redirecting for the /.well-known/acme-challenge/ location.

Here is the snippet, which must be entered in the Apache directives section. As I said, I used ispconfig.

The problem must be caused by a change in the LE clients recently.

# Directory for the Let's Encrypt webroot method
<IfModule mod_headers.c>
    <LocationMatch "/.well-known/acme-challenge/*">
        Header set Content-Type "text/plain"
    </LocationMatch>
</IfModule>
# Always redirect to https
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>

@Osiris: Self-signed or expired certificates are generally fine when used with http-01 - the validation is based on the IP address returned by DNS and something that IP address serves in cleartext without authentication, so if that connection is compromised, it's game over anyway.

I've seen some issues where boulder was unable to connect because of a self-signed SHA-1 certificate, so it could still be related to the certificate, although this one isn't SHA-1. I tried debugging this using a local CA server (boulder), but it's succeeding (as in: I'm getting an expected HTTP 404, and not a “general” connection error). Could be a configuration difference between what I'm running and the production boulder instance, though.

@MikeFrizz: Here is one more idea on how to avoid redirecting to HTTPS for .well-known/acme-challenge. Add the following line:

RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/

right before

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

If Let's Encrypt is still reporting a connection error with your next run, it's not related to your SSL configuration, but rather some network issue.

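The http-01 behaviour described in this reply (redirects are followed, a self-signed certificate is accepted, an unknown token should end in a 404), as an added example that is not code from anyone in the thread: a small pre-flight probe that walks the redirect chain without verifying the certificate, run against a constructed local stand-in for the vhost above, once without and once with the exception rule. The loopback addresses, port 1 as the "down" HTTPS origin and the token are constructed for the demo.

```python
import http.client, ssl, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urljoin

ACME_PREFIX = "/.well-known/acme-challenge/"

def probe(url, max_hops=10):
    """Follow redirects like an http-01 validator (certificate NOT verified); return [(url, status|'error: ...')]."""
    hops = []
    for _ in range(max_hops):
        p = urlsplit(url)
        try:
            if p.scheme == "https":
                ctx = ssl.create_default_context()
                ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed is accepted, as by http-01
                conn = http.client.HTTPSConnection(p.hostname, p.port or 443, context=ctx, timeout=5)
            else:
                conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=5)
            conn.request("GET", p.path or "/")
            resp = conn.getresponse()
        except OSError as exc:  # connection refused, timeout, TLS handshake failure ...
            return hops + [(url, "error: " + type(exc).__name__)]
        hops.append((url, resp.status))
        loc = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 307, 308) or not loc:
            return hops  # final answer; 404 is what an unknown token should give
        url = urljoin(url, loc)
    return hops + [(url, "error: too many redirects")]

class FakeVhost(BaseHTTPRequestHandler):
    """Constructed stand-in for the vhost in the thread: redirect everything to a dead HTTPS origin, except the ACME path when exempt_acme is True."""
    exempt_acme = True
    def do_GET(self):
        if self.exempt_acme and self.path.startswith(ACME_PREFIX):
            self.send_response(404)  # the webroot has no such token
        else:
            self.send_response(301)
            self.send_header("Location", "https://127.0.0.1:1" + self.path)  # port 1: nothing listens (constructed)
        self.end_headers()

def start_demo(exempt_acme):
    """Serve FakeVhost on a free loopback port and return its base URL."""
    FakeVhost.exempt_acme = exempt_acme
    srv = HTTPServer(("127.0.0.1", 0), FakeVhost)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]

if __name__ == "__main__":  # first the vhost without the exception rule, then with it
    for fixed in (False, True): print("exception rule on:" if fixed else "exception rule off:", probe(start_demo(fixed) + ACME_PREFIX + "TOKEN"))
```

Without the exception the chain ends at the HTTPS hop with a connection error, which is the symptom in the first post; with it the probe stops at the 404 that pfg describes as the expected result.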

You did it. Thx a lot.
