How to generate cert for domain which is setup as a redirect?


#1

I have a domain https://xyz.com which is not used anymore but has redirects set up to the new https://abc.com. The certs on xyz.com expired and I am now trying to use letsencrypt to renew the certs so that the redirect still works. I followed the steps to generate the certificate but I get this error:

Domain: xyz.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge [TiBNRvb5e9m_S00puUG0ShuUNOBULXRYr1C7rRTU82g.psvCbrf
weOF_sTsW1zQ8DFRRiCYurT6FJDcTHnC2VsI] != [

<html clas…] To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.

The DNS A record is correctly pointing to the right IP address as well. I would appreciate any help.

#2

Looks like there’s something in there inserting javascript in the response. Whatever is being served from http://xyz.com/.well-known/acme-challenge/ needs to be passed directly through.

Edit: Or use one of the alternative clients that supports the DNS challenge, in which case you don’t need to worry about serving the files from that hostname.


#4

Keep in mind that no matter what client you’re using, if you’re using the HTTP-01 challenge, they will require the same thing–the ability to write the challenge file to a place where it can be read by your web server, and served without alteration at, or by redirection from, http://yourhost/.well-known/acme-challenge. This is the default challenge for most of the third-party clients because it’s the simplest to implement and automate.

The DNS challenge doesn’t require serving any files from the hostname in question, but it does require making changes to your DNS records. I know that letsencrypt.sh supports this challenge, and I understand many of the other clients do as well, but the official client doesn’t (at least yet).

But just for clarity, my suggestion to try an alternate client was for the purpose of using the DNS challenge, not just to try a different client.


#5

Thanks. All I had to do was temporarily update my configuration to not redirect to abc.com, generate the certificate and then update the config back to redirect correctly.


#6

That will work in the short term, but consider that you’ll be renewing the certificate every two months or so. A better long-term solution would be to change the redirect so that requests for .well-known/acme-challenge/ are not redirected to the other host, or otherwise allow renewals to run properly.

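As an added illustration of the long-term fix suggested above (example configuration written for this thread, not the poster's actual config), here is an nginx setup for xyz.com that keeps the redirect to abc.com but serves /.well-known/acme-challenge/ directly so HTTP-01 renewals keep working. The webroot path and certificate file paths are assumptions.

```nginx
# Added example, not from this thread. Assumed paths:
#   webroot for challenge files: /var/www/letsencrypt
#   certificate files: /etc/letsencrypt/live/xyz.com/
# The ACME client is assumed to write tokens into that webroot
# (e.g. certbot --webroot -w /var/www/letsencrypt -d xyz.com).

server {
    listen 80;
    server_name xyz.com www.xyz.com;

    # Serve challenge files straight from disk, unaltered, before any
    # redirect is considered. "^~" stops nginx from trying other locations.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else still moves to the new domain.
    location / {
        return 301 https://abc.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name xyz.com www.xyz.com;

    ssl_certificate     /etc/letsencrypt/live/xyz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xyz.com/privkey.pem;

    # Same exception on HTTPS, in case the validation request is
    # redirected from http:// to https:// on this host first.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        return 301 https://abc.com$request_uri;
    }
}
```

To check it before running the client, drop a small text file under /var/www/letsencrypt/.well-known/acme-challenge/ and fetch it with curl -i http://xyz.com/.well-known/acme-challenge/<name>: the response should come from xyz.com with status 200 and exactly the file's bytes, not a 301 to abc.com and not an HTML page.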

#7

Great point Sir. I will do that. Thank you!

