Enforcing ssl breaks acme.sh


#1

We are running a nginx server on Ubuntu 17.10 where cert renewal is handled by acme.sh

We would like to enforce https for all sites, but this seems to rely on plain http until a certificate has been issued and installed. So just adding the directive

return 301 https://$host$request_uri;

breaks cert renewal. I tried to work around by

location / { return 301 https://$host$request_uri; }

so as to avoid interfering with acme.sh which uses its own location

but that doesn’t achieve what I want, strangely I can still visit e.g. http://uferwerk.org without getting redirected to https://uferwerk.org

What is the canonical solution to this dilemma?


#2

Hi @honzakuchar,

First, since this is related to your server and software… can you please fill in this form?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Thank you


#3

It’s a good idea to answer those questions.

One guess: what appears to be happening with the HTTPS version of your site is that the Typo3 CMS is intercepting requests to the /.well-known/acme-challenge/ path.

You may need to add a block to the HTTPS server in nginx like:

location /.well-known/acme-challenge {
    root /whatever/your/document/root/is/;
}

to prevent the requests from being sent on to the CMS (be it to PHP/fastcgi or proxy_pass or wherever).

Once you fix that, you may be able to keep the HTTPS redirect in place and not break renewal.


#4

_az

    May 25

It’s a good idea to answer those questions.

One guess: what appears to be happening with the HTTPS version of your site is that the Typo3 CMS is intercepting requests to the /.well-known/acme-challenge/ path.

You may need to add a block to the HTTPS server in nginx like:

location /.well-known/acme-challenge {
root /whatever/your/document/root/is/;
}

to prevent the requests from being sent on to the CMS (be it to PHP/fastcgi or proxy_pass or wherever).

We actually do have such a block.

location ^~ /.well-known/acme-challenge/ {

default_type “text/plain”;

root /var/www/letsencrypt-root;

}

Once you fix that, you may be able to keep the HTTPS redirect in place and not break renewal.

Do you imply that the renewal also works over a https connection, that is, that it is not going to be broken by the redirect?

Thanks!


#5

Yes. Let’s Encrypt will happily follow redirects to other URLs and to HTTPS.

Are you sure that block is effective?

$ curl -i https://uferwerk.org/.well-known/acme-challenge/xxxxxx
HTTP/2 301
server: nginx
date: Fri, 25 May 2018 06:55:04 GMT
content-type: text/html; charset=UTF-8
location: https://uferwerk.org/hallenge/xxxxxx/
x-typo3-realurl-info: postVarSet_failureMode redirect for .well-known
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN

Based purely on the x-typo3-* header, I would say the CMS is receiving the request.

Make sure that the block is in the right virtual host (the https/443 one), and I’m not too sure about the ^~ either - regex can safely be avoided here in any case.


#6

My domain is:

uferwerk.org

I ran this command:

See above.

It produced this output:

traffic not redirected to https as it should have been.

My web server is (include version):

nginx 1.12.1-0ubuntu2

The operating system my web server runs on is (include version):

Ubuntu 17.10

My hosting provider, if applicable, is:

(dedicated root server)

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no


#7

Hi,

If you are using TYPO3…

Can you go to your backend and see under Page Properties > Behaviour > Use Protocol, there is an selection that choose between http or https?

If so, please just select https on there… avoid messing with your configs… (Since acme.sh breaks?)

P.S. you might want to submit an issue with ACME.sh’s GitHub… just to address the issue…

Thank you


#8

Thanks! For the typo3 site this help. I have also got dozens of other sites on the server, therefore I thought it best to have a server-wide solution. But uferwerk.org is the most important one because I need to bring it into compliance with the EU General Data Protection Regulation


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.