Only reason haven’t implemented HSTS with any long living time is that when renewing a certificate have to (temporarily) enable HTTP to renew the certificate. Understand DNS is an option but using that right now because that would make entire process manual.
If were to implement HSTS with a year max-age what happens when temporarily enable HTTP and try to renew a certificate? If HSTS works correctly Let’s Encrypt validation/ renewal via HTTP should theoretically fail, right? Or does the HTTP agent that validates Let’s Encrypt certificates ignore HSTS?
*On a totally different note, what forum software is used here? Nextcloud uses same but don’t think this is Flarum.
I wouldn’t totally disable HTTP, even with HSTS in place. Browsers without the (or a recent) HSTS preload list (if your site is even on it) will require a redirect from HTTP to HTTPS.
If you have that redirection in place, Let’s Encrypt will respect it and follow it. This means that you don’t need to disable the redirection to perform certificate renewals with Let’s Encrypt. A setup with HTTP → HTTPS redirection, with or without HSTS, is perfectly fine for Let’s Encrypt.
For the HTTP-01 validation method, Let’s Encrypt will
require an initial valid HTTP response on port 80
follow any HTTP 301 redirections, to the same or a different host, in either HTTP or HTTPS protocols
ignore any mismatched or expired certificates on HTTPS URIs reached as a result of such redirections
ignore the presence of HSTS (that is, the validation always starts with HTTP on port 80)
Thanks for that detailed reply. This is really neat how the verification occurs under the hood. Can you clarify that a 301 redirect can send the HTTP verification to a different hostname?
Yes, that is possible and can be rather useful in scenarios with multiple (load-balanced) web servers, where you might want to use a central ACME validation server.
The CA software allows redirects to HTTP on port 80 and HTTPS on port 443. Other ports are not permitted.