HSTS and Let's Encrypt


#1

The only reason I haven't implemented HSTS with any long-lived max-age is that when renewing a certificate I have to (temporarily) enable HTTP to renew the certificate. I understand DNS is an option, but I'm not using that right now because it would make the entire process manual.

If I were to implement HSTS with a one-year max-age, what happens when I temporarily enable HTTP and try to renew a certificate? If HSTS works correctly, Let's Encrypt validation/renewal via HTTP should theoretically fail, right? Or does the HTTP agent that validates Let's Encrypt certificates ignore HSTS?

*On a totally different note, what forum software is used here? Nextcloud uses the same, but I don't think this is Flarum.


#2

You can safely use HSTS and Let’s Encrypt.

HSTS headers do not impact the Let's Encrypt verification process.

For the side note, it’s https://www.discourse.org/


#3

In addition to the correct answer by @tdelmas:

I wouldn’t totally disable HTTP, even with HSTS in place. Browsers without the (or a recent) HSTS preload list (if your site is even on it) will require a redirect from HTTP to HTTPS.


#4

Of course not. HTTPS redirects should occur at webserver level.

Nginx (inside the port-80 server block):
    return 301 https://$host$request_uri;   # preserves the requested host and path

Apache: I forgot the exact syntax, but something like (inside the port-80 VirtualHost; example.com is a placeholder for your hostname):
    # Redirect the whole site to its HTTPS origin with a permanent (301) redirect
    Redirect 301 / https://example.com/


#5

If you have that redirection in place, Let’s Encrypt will respect it and follow it. This means that you don’t need to disable the redirection to perform certificate renewals with Let’s Encrypt. A setup with HTTP → HTTPS redirection, with or without HSTS, is perfectly fine for Let’s Encrypt.

For the HTTP-01 validation method, Let’s Encrypt will

  • require an initial valid HTTP response on port 80
  • follow any HTTP 301 redirections, to the same or a different host, in either HTTP or HTTPS protocols
  • ignore any mismatched or expired certificates on HTTPS URIs reached as a result of such redirections
  • ignore the presence of HSTS (that is, the validation always starts with HTTP on port 80)

#6

I have changed this to the Server subtopic, as HSTS is a server configuration rather than an issuance tech.


#7

Thanks for that detailed reply. This is really neat how the verification occurs under the hood. Can you clarify that a 301 redirect can send the HTTP verification to a different hostname?


#8

Yes, that is possible and can be rather useful in scenarios with multiple (load-balanced) web servers, where you might want to use a central ACME validation server.

The CA software allows redirects to HTTP on port 80 and HTTPS on port 443. Other ports are not permitted.
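
The following is an added example, not code from this thread or from Let's Encrypt. It ties together the HTTP-01 rules listed in #5 (validation starts on port 80, follows redirects, ignores HSTS and certificate errors) with the cross-host redirect to a central validation server described in #8, by simulating the validator's redirect walk and running it against a constructed site. The 10-hop limit, the acceptance of the other 3xx redirect statuses besides 301, the `.test` hostnames, the token and the key authorization are all assumptions made for the example.

```python
"""Simulate how an ACME HTTP-01 validator walks an HTTP -> HTTPS redirect chain.

Added example, not Let's Encrypt's own code.  Rules encoded: start on http/80,
follow redirects only to http/80 or https/443, ignore HSTS, ignore TLS
certificate errors.  The hop limit and non-301 redirect statuses are assumed."""
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10                              # assumed hop limit
ALLOWED_TARGETS = {("http", 80), ("https", 443)}  # the only scheme/port pairs permitted
REDIRECT_STATUSES = {301, 302, 303, 307, 308}   # thread mentions 301; the rest assumed


def split_url(url):
    """Return (scheme, host, port, path) with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else {"http": 80, "https": 443}.get(scheme)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    return scheme, u.hostname, port, path


def validate_http01(fetch, domain, token, key_authorization):
    """Walk the redirect chain the way the thread says the CA does.

    fetch(url) -> (status, headers, body) and must NOT follow redirects itself.
    Returns {'ok': bool, 'reason': str, 'chain': [urls visited]}.
    """
    # Validation always begins on plain HTTP port 80; HSTS is never consulted.
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    chain = [url]
    for _ in range(MAX_REDIRECTS + 1):
        scheme, _host, port, _path = split_url(url)
        if (scheme, port) not in ALLOWED_TARGETS:
            return {"ok": False, "chain": chain,
                    "reason": f"redirect to {scheme} port {port} is not permitted"}
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        if status in REDIRECT_STATUSES:
            location = headers.get("location")
            if not location:
                return {"ok": False, "chain": chain, "reason": "redirect without Location"}
            url = urljoin(url, location)    # relative Location resolves against current URL
            chain.append(url)
            continue
        if status != 200:
            return {"ok": False, "chain": chain, "reason": f"HTTP {status} instead of 200"}
        if body.strip() != key_authorization:
            return {"ok": False, "chain": chain, "reason": "key authorization mismatch"}
        return {"ok": True, "chain": chain, "reason": "key authorization matched"}
    return {"ok": False, "chain": chain, "reason": "too many redirects"}


def live_fetch(url, timeout=10):
    """Single real request without redirect following; like the CA, it ignores
    certificate errors on HTTPS hops.  Not used by the offline demo below."""
    scheme, host, port, path = split_url(url)
    if scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # mismatched or expired certs are ignored
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path, headers={"Host": host, "User-Agent": "acme-preflight"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers, body


# Constructed values: an HTTP-01 token and its key authorization (token.thumbprint).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
KEY_AUTH = TOKEN + ".nRgrnmdbnhaGsvo6HjBdJ8K3Z1XFTkvd6Tn_sWXfC80"
CHALLENGE = "/.well-known/acme-challenge/" + TOKEN

# Constructed site: port 80 redirects everything (challenge included) to HTTPS,
# the HTTPS vhost sends HSTS; www.* bounces to a central validation host on
# plain HTTP; bad.* redirects to a non-standard port, which is rejected.
FAKE_SITE = {
    "http://example.test" + CHALLENGE:
        (301, {"Location": "https://example.test" + CHALLENGE}, ""),
    "https://example.test" + CHALLENGE:
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, KEY_AUTH),
    "http://www.example.test" + CHALLENGE:
        (301, {"Location": "http://acme.example.test" + CHALLENGE}, ""),
    "http://acme.example.test" + CHALLENGE: (200, {}, KEY_AUTH),
    "http://bad.example.test" + CHALLENGE:
        (301, {"Location": "https://bad.example.test:8443" + CHALLENGE}, ""),
}


def fake_fetch(url):
    """Offline stand-in for live_fetch backed by the constructed site above."""
    return FAKE_SITE.get(url, (404, {}, "not found"))


if __name__ == "__main__":
    for d in ("example.test", "www.example.test", "bad.example.test"):
        r = validate_http01(fake_fetch, d, TOKEN, KEY_AUTH)
        print(d, "OK" if r["ok"] else "FAIL", r["reason"], " -> ".join(r["chain"]))
```

To preflight a real server before renewal, pass `live_fetch` instead of `fake_fetch` together with a token and key authorization you have placed under `/.well-known/acme-challenge/` yourself; a failure caused by a redirect to a non-standard port or by a 404 behind the redirect will show up as the same `reason` string the offline run prints.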

