How to bypass HSTS after a certificate has expired

budasy · January 25, 2026, 3:41am

I seem to be in catch-22. I have HSTS enabled and now HTTP is not responding.

curl -i http://db01.businessdatasystems.co.nz/.well-known/acme-challenge/Test404
curl: (28) Failed to connect to db01.businessdatasystems.co.nz port 80 after 75290 ms: Could not connect to server

To complicate matters, this webserver is controlled by Claris FileMaker Server and the Let's Encrypt tools are baked into the product. I can call an API or I can login to a web console to run commands.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: db01.businessdatasystems.co.nz

I ran this command: FileMaker Server "Renew Certificate"

It produced this output: Certificate Renewal Failed

Failure / timeout verifying challenge passed: OpenSSL error (503841036): error:1E08010C:DECODER routines::unsupported

My web server is (include version): Apache/2.4.66 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-164-generic x86_64)

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes. Claris FileMaker Server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Nummer378 · January 25, 2026, 3:47am

HSTS is just an advisory for browsers to always use HTTPS (and to not allow security overrides). It does not affect HTTP operation for non-browser tools. If your HTTP isn't working, that's not related to HSTS. From the output (both the HTTP error and the openssl error) it looks like your server may have network connectivity issues which is causing the problems.

MikeMcQ · January 25, 2026, 3:56am

Adding on to @Nummer378 comment

I cannot connect to your domain using HTTP with either your IPv4 or IPv6 address

But, for HTTPS, I get a default FileMaker page using IPv4 but timeout with IPv6

You may have two problems. One, check IPv6 since nothing seems to work. And, check port 80 (HTTP) in general to ensure it is open to your system.

Results for HTTPS

# IPv4 (the k option is needed to ignore the expired cert)
curl -I4k -m8 https://db01.businessdatasystems.co.nz
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
server: Apache

# IPv6
curl -I6k -m8 https://db01.businessdatasystems.co.nz
curl: (28) Failed to connect to db01.businessdatasystems.co.nz port 443 after 4002 ms:
Connection timed out

budasy · January 25, 2026, 4:02am

OK. I'll have to dig deeper. The server was functional via HTTPS until the certificate expired.

MikeMcQ · January 25, 2026, 4:12am

Using IPv6?

nslookup db01.businessdatasystems.co.nz
A    Address: 118.93.14.101
AAAA Address: 2407:7000:8d05:c800::1003

Let's Encrypt favors IPv6 for an HTTP challenge. Although, it will retry a timeout on IPv6 with IPv4. However, it only does that for the initial HTTP request in an HTTP Challenge. If you redirect the HTTP challenge to HTTPS that request will use IPv6 and (again) timeout. See: IPv6 Support - Let's Encrypt

budasy · January 25, 2026, 5:55am

I've switched off IPv6 on the network to get it out of the picture and rebooted the server.

Running nslookups I get these results:

[I] ┬─[malcolm@MacBook-Pro-3:~]─[18:47:34]
╰─>$ curl -I4k -m8 https://db01.businessdatasystems.co.nz
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
last-modified: Wed, 03 Dec 2025 21:19:06 GMT
etag: "23b-64512c3256680"
content-length: 571
x-xss-protection: 1; mode=block
access-control-allow-origin: db01.businessdatasystems.co.nz
access-control-allow-headers: Content-Type, Authorization
access-control-allow-credentials: true
x-robots-tag: noindex, noarchive, nosnippet
content-type: text/html; charset=UTF-8
date: Sun, 25 Jan 2026 05:48:37 GMT
server: Apache

[I] ┬─[malcolm@MacBook-Pro-3:~]─[18:48:37]
╰─>$ curl -I6k -m8 https://db01.businessdatasystems.co.nz
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
last-modified: Wed, 03 Dec 2025 21:19:06 GMT
etag: "23b-64512c3256680"
content-length: 571
x-xss-protection: 1; mode=block
access-control-allow-origin: db01.businessdatasystems.co.nz
access-control-allow-headers: Content-Type, Authorization
access-control-allow-credentials: true
x-robots-tag: noindex, noarchive, nosnippet
content-type: text/html; charset=UTF-8
date: Sun, 25 Jan 2026 05:49:20 GMT
server: Apache

When I try to pretend to be a Let's Encrypt browser I get this:

─>$ curl -i http://db01.businessdatasystems.co.nz/.well-known/404.txt -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (28) Failed to connect to db01.businessdatasystems.co.nz port 80 after 75003 ms: Could not connect to server

MikeMcQ · January 25, 2026, 1:02pm

The URI path in your example isn't what Let's Encrypt would use. We can ignore that. It isn't just Let's Encrypt that fails to reach you using HTTP (on port 80).

Using my own test server, I still can't reach your "home" page using IPv4 or IPv6 using HTTP (on port 80). I get the same results as I showed earlier (timeouts). Also see these HTTP failures: Check website performance and response : Check host - online website monitoring

If you switch off IPv6 you need to also remove the AAAA record from your DNS. And, the example commands you showed were curl, not nslookups

But, did you run those curl from inside your local network? Because from outside your local network HTTPS (on port 443) using IPv6 times out the same as I showed earlier.

HTTPS (port 443) works for IPv4 and sees a default FileMaker page.

In short, I see exactly the same results now as I did in my previous post. My recommendation now is the same as in that post.

budasy · January 29, 2026, 7:36am

Thanks @MikeMcQ,

You were spot on.

I was able to attend to this job this evening and after cleaning up the DNS zone records the Let's Encrypt renewal ran successfully.

MikeMcQ · January 29, 2026, 5:22pm

Yes, I see in the public logs you got a fresh cert.

But, your Apache server isn't using it for HTTPS requests. You may need to reload Apache so that it sees the new cert.

See: SSL Server Test: db01.businessdatasystems.co.nz (Powered by Qualys SSL Labs)

Topic		Replies	Views
Unable to renew certificate using certbot - 404 for HTTP-01 challenge request Help	8	9951	July 14, 2017
Unable to renew certificate due to HSTS Help	6	5795	December 15, 2019
Implemented HSTS now cant renew Help	7	2131	August 16, 2017
HSTS and expired certificate gotcha Help	8	3784	January 7, 2021
Cannot renew “Failed authorization procedure” Help	8	1255	May 20, 2018

How to bypass HSTS after a certificate has expired

Related topics