Creating SAN cert with 301 redirects in place

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: letsencrypt.exe --san --warmup

It produced this output:

My web server is (include version): IIS

The operating system my web server runs on is (include version): Win Server 2012

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Im having issues when a SAN certificate I created for 3 different domains renews.
This is created using commandline connecting to IIS.
All sites have domain bindings for www and non www
e.g. &

The problem, is that the applications which run on them have 301 redirects for:

  • nonwww to www
  • http to https

This is a requirement from an SEO and operational perspective.

However, this causes issue with the validation process for letsencrypt, because it needs to access the “.well-known” directories and files under each of these separately.
This fails, and so the certificate cant be updated.

Do you have any suggestions please?


There are two ways forward for you which don’t involve big changes

  1. The Let’s Encrypt service follows 301 redirects just fine, so put those /.well-known/ files in the place the redirections will lead to and it should pass validation just fine. If it doesn’t please make sure you fill out the “It produced this output” part of the standard questions so people have some idea what went wrong.

  2. You can exempt the /.well-known/ directory from the redirect rule, how to do this will depend on how IIS is configured and I’m not an expert on that, but I’m sure IIS web sites or the documentation can explain how to redirect other parts of the site (for SEO) without changing that one directory.

1 Like

If you're just using the IIS HTTP Redirect Module, you'll need to have both check boxes in the Redirect Behavior section unchecked so the path to the verification file is preserved on redirect. You can then just specify the webroot used by the redirect destination when issuing your certificate.

If you're using rewrite rules or another method to redirect and are getting errors, you likely need to fix them to preserve the paths, or else bypass them entirely for verification (option 2).

OK thanks yes thats given me an idea. The redirection happens in the application rather than in IIS settings in web.config, but if I stop this, and move to web.config, I can then just put in a rule to only do the redirects if its not processing a validation for /well-known/.


1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.