Expired certificate on permanent tld staging / test area


I am running a separate staging/test area with SSL on a top-level domain for a Magento website.

I modified the .htaccess file so that this staging domain is only visible to my IP address.
This domain is for testing purposes only, so it must stay "invisible" to the outside world. This makes it difficult to get the well-known ACME challenge to work.

I installed the Let's Encrypt SSL certificate on this domain a few months ago with no problems, and it ran just fine.
I forgot how I modified my .htaccess and now my SSL certificate has expired.

1: How can I renew the SSL certificate and prevent this from happening again?
2: Which permanent .htaccess solution will work for my staging area to auto-renew?

I'm on a VPS with:
DirectAdmin 1.53
MariaDB 5.5.41
with no root access
PHP 5.6.36
Apache 2.4.33

I remember I used something like this in my .htaccess:

RewriteEngine On
# Do not redirect ACME HTTP-01 challenge requests
RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
# Only redirect requests that arrive on the www. host name
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
# Send everything else to https:// on the bare domain
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

If you need more detailed info, please let me know.

Thanks for your support



A fairly simple rule you can have is to have this at the very top of your .htaccess:

RewriteEngine On
RewriteRule ^\.well-known - [L]

But it really depends on how all of your website configuration comes together. It’s hard to give generic advice without seeing the site or error logs from your Let’s Encrypt client. If you are using mod_access/mod_authz or similar, then we need to see the specific access control rules that you are using to know how to exclude them.

Maybe try putting your domain into letsdebug.net and see how challenge requests are handled.
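One concrete way to apply the rule above while keeping the rest of the staging site restricted is a two-file layout: the document-root .htaccess keeps the IP restriction and the HTTPS redirect, and a second .htaccess inside the challenge directory re-opens only that directory. This is an added example for this thread, not _az's code or anything from the Let's Encrypt project. It assumes Apache 2.4 with AllowOverride permitting these directives in .htaccess, that access control is done with mod_authz_core `Require` (if the host still uses 2.2-style `Order`/`Allow`/`Deny` via mod_access_compat, an `Allow from all` in the subdirectory file plays the same role), and the address 203.0.113.10 is a placeholder for your own public IP.

```apache
# ---- /.htaccess (document root of the staging vhost) ----

# Whole site: only the listed address may get in. 203.0.113.10 is a
# placeholder from the TEST-NET-3 range; replace it with your own IP.
<RequireAny>
    Require ip 203.0.113.10
</RequireAny>

RewriteEngine On

# Never touch ACME HTTP-01 requests: the CA must read the token over
# plain HTTP exactly as it was written to disk.
RewriteRule ^\.well-known/acme-challenge/ - [L]

# Everything else: redirect www.<domain> to https://<domain>/...
# (the redirect from the original post, with the wildcards restored)
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]


# ---- /.well-known/acme-challenge/.htaccess ----

# mod_authz_core merges with AuthMerging Off by default, so the Require
# below REPLACES the parent's "Require ip" for this directory only.
# Only the one-time challenge tokens live here, nothing of the site itself.
Require all granted

# Belt and braces: no rewriting at all inside the challenge directory.
RewriteEngine Off

# Directory listings stay off even though the directory is world-readable.
Options -Indexes
```

To check it before the next renewal, drop a throwaway file such as `.well-known/acme-challenge/test.txt` under the document root and fetch `http://your_fqdn/.well-known/acme-challenge/test.txt` from a connection that is not your whitelisted address (a phone on mobile data, or the letsdebug.net check _az mentioned): it should return 200 with the file's content, while any other URL on the staging host still returns 403. Remove the test file afterwards. Because the directory only ever holds short-lived random tokens, exposing it does not reveal the staging site to search engines or anyone else.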

Your best answer is to come up with a way to make DNS validation work for you. Otherwise, you will have to allow the outside world to access at least some small part of your system. If your DNS host has a supported API, there’s your answer. If not, you can look into acme-dns to handle the challenge.


_az and danb35 thanks for your support.
I’ve read your suggestions and also did a check over letsdebug (which strangely resulted in no problems found…?)

I’m not familiar with DNS validation through DNS APIs or how to modify them… for me that would be “the hard way” :wink:
Maybe there is a workaround to allow the outside world access to a small part of the Magento setup and block all
other access, noindex/nofollow for search engine bots etc…

It would look unprofessional and could hurt SEO when parts of a staging area can be found through Google and other search engines…

Thanks for any additional suggestions!



DNS validation works, in principle, a lot like HTTP validation. With HTTP validation, you place a validation token at http://your_fqdn/.well-known/acme-challenge/. With DNS validation, you place the token in a DNS TXT record for _acme-challenge.your_fqdn. Both of them can be done manually, but that's a pain. For DNS validation to be practical, your DNS host needs to have an API that will allow for automated updates.

As far as I've seen, among the ACME clients, acme.sh has the best built-in support for DNS hosts' APIs, supporting around 50 of them; the list (along with instructions on how to use each) is here. If you're using one of those DNS providers and have (or can get) the API credentials, your task is pretty simple.

If you aren't using one of those providers and/or can't get the credentials, another option would be to set up your own limited-purpose DNS server just to answer the validation challenges using acme-dns. This is a bit more advanced, and would require exposing port 53 on something to the Internet--though you could put that server on a small, cheap (or even free) VPS somewhere far outside your regular infrastructure.

Hi Danb35,

Thanks for sharing your knowledge. Your explanation is easy to understand and I will try your suggestion of the DNS TXT record first… that indeed isn’t that complicated…

I will look into this deeper, and contact my host in the following days (very busy and missing the time today… :wink:)

Many thanks for your help and provided links!



One more link... I was kind of confused by acme-dns myself when I was first working to implement it a few months ago, so I started a thread here for clarification. Here it is in case it helps:

Okay… many thanks, the additional link is much appreciated!
