Enforcing ssl breaks acme.sh

vasyugan · May 25, 2018, 5:50am

We are running a nginx server on Ubuntu 17.10 where cert renewal is handled by acme.sh

We would like to enforce https for all sites, but this seems to rely on plain http until a certificate has been issued and installed. So just adding the directive

return 301 https://$host$request_uri;

breaks cert renewal. I tried to work around by

location / { return 301 https://$host$request_uri; }

so as to avoid interfering with acme.sh which uses its own location

but that doesn’t achieve what I want, strangely I can still visit e.g. http://uferwerk.org without getting redirected to https://uferwerk.org

What is the canonical solution to this dilemma?

stevenzhu · May 25, 2018, 5:53am

Hi @honzakuchar,

First, since this is related to your server and software… can you please fill in this form?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Thank you

_az · May 25, 2018, 5:57am

It’s a good idea to answer those questions.

One guess: what appears to be happening with the HTTPS version of your site is that the Typo3 CMS is intercepting requests to the /.well-known/acme-challenge/ path.

You may need to add a block to the HTTPS server in nginx like:

location /.well-known/acme-challenge {
    root /whatever/your/document/root/is/;
}

to prevent the requests from being sent on to the CMS (be it to PHP/fastcgi or proxy_pass or wherever).

Once you fix that, you may be able to keep the HTTPS redirect in place and not break renewal.

vasyugan · May 25, 2018, 6:50am

_az
    May 25
It’s a good idea to answer those questions.

One guess: what appears to be happening with the HTTPS version of your site is that the Typo3 CMS is intercepting requests to the /.well-known/acme-challenge/ path.

You may need to add a block to the HTTPS server in nginx like:

location /.well-known/acme-challenge {
root /whatever/your/document/root/is/;
}
to prevent the requests from being sent on to the CMS (be it to PHP/fastcgi or proxy_pass or wherever).

We actually do have such a block.

location ^~ /.well-known/acme-challenge/ {

default_type “text/plain”;

root /var/www/letsencrypt-root;

}

Once you fix that, you may be able to keep the HTTPS redirect in place and not break renewal.

Do you imply that the renewal also works over a https connection, that is, that it is not going to be broken by the redirect?

Thanks!

_az · May 25, 2018, 6:54am

Yes. Let’s Encrypt will happily follow redirects to other URLs and to HTTPS.

Are you sure that block is effective?

$ curl -i https://uferwerk.org/.well-known/acme-challenge/xxxxxx
HTTP/2 301
server: nginx
date: Fri, 25 May 2018 06:55:04 GMT
content-type: text/html; charset=UTF-8
location: https://uferwerk.org/hallenge/xxxxxx/
x-typo3-realurl-info: postVarSet_failureMode redirect for .well-known
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN

Based purely on the x-typo3-* header, I would say the CMS is receiving the request.

Make sure that the block is in the right virtual host (the https/443 one), and I’m not too sure about the ^~ either - regex can safely be avoided here in any case.

vasyugan · May 25, 2018, 7:00am

My domain is:

uferwerk.org

I ran this command:

See above.

It produced this output:

traffic not redirected to https as it should have been.

My web server is (include version):

nginx 1.12.1-0ubuntu2

The operating system my web server runs on is (include version):

Ubuntu 17.10

My hosting provider, if applicable, is:

(dedicated root server)

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

stevenzhu · May 25, 2018, 7:11am

Hi,

If you are using TYPO3…

Can you go to your backend and see under Page Properties > Behaviour > Use Protocol, there is an selection that choose between http or https?

If so, please just select https on there… avoid messing with your configs… (Since acme.sh breaks?)

P.S. you might want to submit an issue with ACME.sh’s GitHub… just to address the issue…

Thank you

vasyugan · May 25, 2018, 7:40am

Thanks! For the typo3 site this help. I have also got dozens of other sites on the server, therefore I thought it best to have a server-wide solution. But uferwerk.org is the most important one because I need to bring it into compliance with the EU General Data Protection Regulation

system · June 24, 2018, 7:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.