How to bypass HSTS after a certificate has expired

I seem to be in a catch-22. I have HSTS enabled and now HTTP is not responding.

curl -i http://db01.businessdatasystems.co.nz/.well-known/acme-challenge/Test404
curl: (28) Failed to connect to db01.businessdatasystems.co.nz port 80 after 75290 ms: Could not connect to server

To complicate matters, this webserver is controlled by Claris FileMaker Server and the Let's Encrypt tools are baked into the product. I can call an API or I can login to a web console to run commands.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: db01.businessdatasystems.co.nz

I ran this command: FileMaker Server "Renew Certificate"

It produced this output: Certificate Renewal Failed

Failure / timeout verifying challenge passed: OpenSSL error (503841036): error:1E08010C:DECODER routines::unsupported

My web server is (include version): Apache/2.4.66 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-164-generic x86_64)

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes. Claris FileMaker Server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

HSTS is just an advisory for browsers to always use HTTPS (and to not allow security overrides). It does not affect HTTP operation for non-browser tools. If your HTTP isn't working, that's not related to HSTS. From the output (both the HTTP error and the openssl error) it looks like your server may have network connectivity issues which is causing the problems.


Adding on to @Nummer378's comment

I cannot connect to your domain using HTTP with either your IPv4 or IPv6 address

But, for HTTPS, I get a default FileMaker page using IPv4 but timeout with IPv6

You may have two problems. One, check IPv6 since nothing seems to work. And, check port 80 (HTTP) in general to ensure it is open to your system.

Results for HTTPS

# IPv4 (the k option is needed to ignore the expired cert)
curl -I4k -m8 https://db01.businessdatasystems.co.nz
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
server: Apache

# IPv6
curl -I6k -m8 https://db01.businessdatasystems.co.nz
curl: (28) Failed to connect to db01.businessdatasystems.co.nz port 443 after 4002 ms:
Connection timed out

OK. I'll have to dig deeper. The server was functional via HTTPS until the certificate expired.

Using IPv6?

nslookup db01.businessdatasystems.co.nz
A    Address: 118.93.14.101
AAAA Address: 2407:7000:8d05:c800::1003

Let's Encrypt favors IPv6 for an HTTP challenge. Although, it will retry a timeout on IPv6 with IPv4. However, it only does that for the initial HTTP request in an HTTP Challenge. If you redirect the HTTP challenge to HTTPS that request will use IPv6 and (again) timeout. See: IPv6 Support - Let's Encrypt

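A pre-flight check for the reachability problem discussed in this reply and the earlier ones, added here as an example that is not from the thread, from Let's Encrypt or from Claris: predict_http01 models the address selection the post describes (IPv6 first, IPv4 retry only for the initial request, no retry after a redirect to HTTPS), and the probe table reproduces what the replies observed. tcp_reachable and resolve are hypothetical helpers for running the same check live against your own host.

```python
import socket

def tcp_reachable(addr: str, port: int, timeout: float = 5.0) -> bool:
    """Real probe: can we open a TCP connection to addr:port (IPv4 or IPv6 literal)?"""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolve(hostname: str) -> tuple[list[str], list[str]]:
    """Return (AAAA addresses, A addresses) for hostname, as the CA would see them."""
    out = []
    for family in (socket.AF_INET6, socket.AF_INET):
        try:
            infos = socket.getaddrinfo(hostname, 80, family, socket.SOCK_STREAM)
            out.append(sorted({info[4][0] for info in infos}))
        except socket.gaierror:
            out.append([])
    return out[0], out[1]

def predict_http01(aaaa, a, probe, redirect_to_https=False):
    """Simplified model of the CA's address choice as the thread describes it:
    the initial request prefers IPv6 and retries over IPv4 only if that fails;
    a redirect to HTTPS is fetched preferring IPv6 again, with no IPv4 retry."""
    steps = []
    candidates = [(addr, 6) for addr in aaaa] + [(addr, 4) for addr in a]
    for addr, fam in candidates:
        ok = probe(addr, 80)
        steps.append(f"port 80 via IPv{fam} {addr}: {'ok' if ok else 'timeout'}")
        if ok:
            break
    else:
        return False, steps  # nothing answered on port 80 at all
    if redirect_to_https:
        addr, fam = (aaaa[0], 6) if aaaa else (a[0], 4)
        ok = probe(addr, 443)
        steps.append(f"redirect -> port 443 via IPv{fam} {addr}: {'ok' if ok else 'timeout'}")
        return ok, steps
    return True, steps

# Constructed probe table reproducing the thread's observations (not live results):
# IPv4 answered on 443 only, IPv6 answered on nothing.
OBSERVED = {("118.93.14.101", 80): False, ("118.93.14.101", 443): True,
            ("2407:7000:8d05:c800::1003", 80): False,
            ("2407:7000:8d05:c800::1003", 443): False}

def table_probe(addr: str, port: int) -> bool:
    return OBSERVED.get((addr, port), False)
```

Running it live means calling predict_http01(*resolve(host), tcp_reachable) from a machine outside your own network, since an in-network test hides exactly the firewall and AAAA problems this thread hit.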

I've switched off IPv6 on the network to get it out of the picture and rebooted the server.

Running nslookups I get these results:

[I] ┬─[malcolm@MacBook-Pro-3:~]─[18:47:34]
╰─>$ curl -I4k -m8 https://db01.businessdatasystems.co.nz
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
last-modified: Wed, 03 Dec 2025 21:19:06 GMT
etag: "23b-64512c3256680"
content-length: 571
x-xss-protection: 1; mode=block
access-control-allow-origin: db01.businessdatasystems.co.nz
access-control-allow-headers: Content-Type, Authorization
access-control-allow-credentials: true
x-robots-tag: noindex, noarchive, nosnippet
content-type: text/html; charset=UTF-8
date: Sun, 25 Jan 2026 05:48:37 GMT
server: Apache

[I] ┬─[malcolm@MacBook-Pro-3:~]─[18:48:37]
╰─>$ curl -I6k -m8 https://db01.businessdatasystems.co.nz
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
last-modified: Wed, 03 Dec 2025 21:19:06 GMT
etag: "23b-64512c3256680"
content-length: 571
x-xss-protection: 1; mode=block
access-control-allow-origin: db01.businessdatasystems.co.nz
access-control-allow-headers: Content-Type, Authorization
access-control-allow-credentials: true
x-robots-tag: noindex, noarchive, nosnippet
content-type: text/html; charset=UTF-8
date: Sun, 25 Jan 2026 05:49:20 GMT
server: Apache

When I try to pretend to be a Let's Encrypt browser I get this:

─>$ curl -i http://db01.businessdatasystems.co.nz/.well-known/404.txt -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (28) Failed to connect to db01.businessdatasystems.co.nz port 80 after 75003 ms: Could not connect to server

The URI path in your example isn't what Let's Encrypt would use. We can ignore that. It isn't just Let's Encrypt that fails to reach you using HTTP (on port 80).

Using my own test server, I still can't reach your "home" page using IPv4 or IPv6 using HTTP (on port 80). I get the same results as I showed earlier (timeouts). Also see these HTTP failures: Check website performance and response : Check host - online website monitoring

If you switch off IPv6 you need to also remove the AAAA record from your DNS. And, the example commands you showed were curl, not nslookups 🙂

But, did you run those curl from inside your local network? Because from outside your local network HTTPS (on port 443) using IPv6 times out the same as I showed earlier.

HTTPS (port 443) works for IPv4 and sees a default FileMaker page.

In short, I see exactly the same results now as I did in my previous post. My recommendation now is the same as in that post.


Thanks @MikeMcQ,

You were spot on.

I was able to attend to this job this evening and after cleaning up the DNS zone records the Let's Encrypt renewal ran successfully.

🏆


Yes, I see in the public logs you got a fresh cert.

But, your Apache server isn't using it for HTTPS requests. You may need to reload Apache so that it sees the new cert.

See: SSL Server Test: db01.businessdatasystems.co.nz (Powered by Qualys SSL Labs)

