Existing TLS site with no HTTP redirect

I have (or had) a vhost with an existing TLS certificate. I’ve never bothered setting up a redirect from a regular http request to the https site; the site never ran as a regular http site.

When I tried to get a certificate (certonly --webroot method) I got an authorization error. After setting up a redirect from http to https it worked fine. Seems like the client should check for an https site if http fails.

Did your site originally have the HSTS header set? That would force subsequent visitors to go to the https version too, even if you didn’t set an http-to-https redirect.

Curious, what was the full webroot command-line syntax you used?

The https site does have the HSTS header. When I set up the http redirect I added an HSTS header on that request as well.

command line:
letsencrypt certonly --webroot -w /sites/subdomain.example.com/web -d subdomain.example.com

I use nginx, so I don’t use the fully automated version.

Also this is on Gentoo Linux and I used the client from their package manager.

HSTS header must never be sent over plain HTTP, it violates RFC 6797.

2 Likes

Ah, I’ll remove it then, but that isn’t related to the issue, since Let’s Encrypt worked once the redirect was in place, even with an invalid header.

[quote=“Kevin, post:5, topic:5994, full:true”]
Ah, I’ll remove it then, but that isn’t related to the issue, since Let’s Encrypt worked once the redirect was in place, even with an invalid header.
[/quote]

Yeah, strange.

Have you checked /var/log/letsencrypt/letsencrypt.log for clues as to what happened?

Have you tried using --tls-sni-01 instead of --webroot?

I did not realize --tls-sni-01 was an option. It didn’t show up in help for me (in the full help it only shows an --tls-sni-01-port option).

Digging in GitHub it appears that might be for standalone-only mode? If it works in webroot too then that might be my fix. I don’t want to issue a bunch of certs from LE just to test various options, but I’ll probably try this with a different site.

Ugh, I think I kind of figured out some of this. I may have defeated a check in LE for a non-existent site.

I have several vhosts. My main blog one does have an http redirect (previously with an HSTS header, now gone). It’s also set as the default server. So when LE tried to connect to http://subdomain.example.net my default server redirect grabbed it and sent it to my blog’s SSL site instead. I can see the 404 request errors in that site’s weblog.

1 Like
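The two findings in this thread, that the HSTS header belongs only on the TLS server block and that a default_server catch-all must not swallow the ACME challenge path, as an added nginx configuration example that is not part of the original thread and not the poster’s own config. It assumes the webroot /sites/subdomain.example.com/web from the command shown earlier, the standard certbot paths under /etc/letsencrypt/live/, and a hypothetical shared challenge directory /var/www/acme for the catch-all.

```nginx
# Plain-HTTP catch-all. Any Host header no other server block claims lands here,
# which is exactly how the blog's redirect captured the challenge for the subdomain.
server {
    listen 80 default_server;
    server_name _;

    # Serve challenges for names that have no http server block of their own.
    # Point the client at this directory: -w /var/www/acme  (assumed directory)
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    # Everything else goes to TLS. No Strict-Transport-Security header here:
    # RFC 6797 says the header is to be ignored (and must not be sent) over plain HTTP.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Plain-HTTP block for the subdomain itself, matching the webroot given to
# letsencrypt certonly --webroot -w /sites/subdomain.example.com/web -d subdomain.example.com
server {
    listen 80;
    server_name subdomain.example.com;

    # Answer the http-01 challenge from the webroot before redirecting anything.
    location /.well-known/acme-challenge/ {
        root /sites/subdomain.example.com/web;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS block: the only place an HSTS header is valid.
server {
    listen 443 ssl;
    server_name subdomain.example.com;

    # Assumed certbot/letsencrypt output paths for this name.
    ssl_certificate     /etc/letsencrypt/live/subdomain.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain.example.com/privkey.pem;

    # "always" keeps the header on error responses too (nginx >= 1.7.5).
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /sites/subdomain.example.com/web;
}
```

Before requesting a certificate, run `nginx -t` and then fetch `http://subdomain.example.com/.well-known/acme-challenge/test` with curl from outside the host: the response should be a 404 from the subdomain’s own webroot, not a 301 to another site, and its headers should not contain Strict-Transport-Security.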

I can also say that if LE has the goal of supporting encryption everywhere, the requirement for HTTP on verification, even if I know the reason (because of stupid setups), is a more than arguable decision. Even DNS records can be hard to manage. So there should be an option to enable HTTPS, for example after email authorisation via the whois record.