HSTS and expired certificate gotcha

Is there any way out of this gotcha? I have a site where the certificate has accidentally expired. The server had HSTS set. Although I can unset it, the expiry on the header is 2 years (as recommended). Letsencrypt will not renew the certificate (using DNS method) because it cannot access the site. It cannot access it as non-SSL because of HSTS. It cannot access it SSL because the certificate is expired. Is there any solution to this (apart from waiting for 2 years)?

HSTS doesn't have any influence over the certificate renewal process. It's mainly a browser thing - Let's Encrypt just ignores it.

If you're having problems, the issue is going to lie elsewhere.

However, to help you with that, we'll need details, like your domain name and the output of your ACME client.

OK, thanks. The domain is thirskandmalton.greenparty.org.uk.

I've had no end of a struggle to persuade a browser to serve the non-SSL site. Browsers seem determined to switch to SSL and to refuse to forget about SSL. But I think I got there in the end.

The certificate renewal is being handled using dehydrated and DNS challenge. The output from the attempted renewal is:

./dehydrated --cron --force

INFO: Using main config file /root/certhelper/config

Processing thirskandmalton.greenparty.org.uk with alternative names: *.thirskandmalton.greenparty.org.uk

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Dec 6 02:37:21 2020 GMT (Less than 30 days). Renewing!
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...
  • Received 2 authorizations URLs from the CA
  • Handling authorization for thirskandmalton.greenparty.org.uk
  • Handling authorization for thirskandmalton.greenparty.org.uk
  • 2 pending challenge(s)
  • Deploying challenge tokens...
    curl: (60) SSL certificate problem: certificate has expired
    More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
ERROR: deploy_challenge hook returned with non-zero exit code

The output above indicates the HTTP validation method is used, not DNS.

You have two options:

  1. Fix the config, so validation does occur over DNS method, or
  2. Disable HTTP→HTTPS redirection for /.well-known/acme-challenge/*, so the path can be served by your server through HTTP.
    2a. As a last resort, you can temporarily disable HTTP→HTTPS redirection for a site, let certificate issue, then enable HTTP→HTTPS redirection again. If you keep renewing before certificate expires, the redirection should not impair future renewals.
Let's Encrypt ignores HTTPS certificate errors while trying to validate an HTTP-01 challenge, specifically to help handle this kind of case. It may be that dehydrated doesn't understand that though and is attempting to validate the file itself before sending it to Let's Encrypt?

In any event, it's definitely not trying to do DNS authentication, and it may be easier to set that up (especially if you've had that working before) than to try to convince Dehydrated to continue with the expired HTTPS certificate.

Thanks for trying to help. In fact, it was the complexity of the whole process that confused me. Authentication was being done by DNS. As with many awkward IT problems, there were two issues. In addition to the expired certificate for the domain in question, the certificate for the server that automates the DNS changes had also expired. The message related to the request to update the TXT records. That certainly wasn't clear to me, and I guess it wasn't clear to people who kindly tried to help either!

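The lesson of the post above is that a DNS-01 renewal depends on more than one TLS endpoint: the site being renewed and the API that the deploy_challenge hook calls, and a bare curl error does not say which one failed. The preflight check below is an added example, not code from this thread or from dehydrated; both host names are placeholders and the 30-day warning window is an assumption.

```python
import socket
import ssl
import time

# Constructed placeholder endpoints: the site being renewed and the (hypothetical)
# DNS automation API that the deploy_challenge hook talks to. Neither name is real.
ENDPOINTS = ["www.example.invalid", "dns-api.example.invalid"]
WARN_DAYS = 30  # assumed window; dehydrated itself renews inside 30 days

def to_epoch(not_after: str) -> float:
    """Parse OpenSSL's notAfter form, e.g. 'Dec  6 02:37:21 2020 GMT', to epoch seconds."""
    return ssl.cert_time_to_seconds(not_after)

def days_until_expiry(not_after: str, now=None) -> float:
    """Days left on a certificate; negative once it has expired."""
    if now is None:
        now = time.time()
    return (to_epoch(not_after) - now) / 86400

def probe_live(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Open a verified TLS connection and report the leaf certificate's notAfter.
    A failed verification is returned with its reason instead of raising, so the
    caller always learns which host is the problem."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return "cert-error", exc.verify_message  # e.g. 'certificate has expired'
    except OSError as exc:
        return "unreachable", str(exc)

def preflight(endpoints, probe=probe_live, now=None, warn_days=WARN_DAYS):
    """Map each endpoint that would break a renewal run to a message naming the
    cause. An empty dict means every dependency is healthy."""
    problems = {}
    for host in endpoints:
        status, detail = probe(host)
        if status == "ok":
            left = days_until_expiry(detail, now)
            if left < warn_days:
                problems[host] = f"certificate expires in {left:.1f} days"
        else:
            problems[host] = f"{status}: {detail}"
    return problems

if __name__ == "__main__":
    for host, msg in preflight(ENDPOINTS).items():
        print(f"{host}: {msg}")
```

Run it from the same cron job before `dehydrated --cron` so an expired certificate on the DNS API host is reported by name rather than surfacing as a generic curl failure inside the hook.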

Glad you figured it out. I do apologize if we misled you, clearly the message from Dehydrated confused all of us. (If error messages about failing to connect to URLs always included the URL they were trying to connect to, I know I personally would have saved many man-weeks of development time over the years…)

No problem, I appreciate people taking the trouble to try to help. It's only by stepping through possibilities that one ever gets to a solution.
