HTTPS challenge for certificate renewal


#1

I generate/renew my certificates using the challenge by running: “letsencrypt-auto certonly -a manual …”

But my domains normally redirect all http requests to https, so I’ve been temporarily disabling that redirect when doing the challenge so that it succeeds from http, which is a bit annoying.

Is there any way I can complete the challenge using https directly, to save myself this trouble? Is this what the TLS-SNI-01 challenge is for? Do I just pass some command-line flag to letsencrypt-auto?

Thanks for the help!


#2

The manual authenticator only works with the http-01 challenge. At the moment, in the official client, the tls-sni-01 challenge is only used by the apache and standalone authenticators.

Perhaps you can use an HTTP to HTTPS redirect such as the following:

RedirectMatch permanent ^(?!/\.well-known/acme-challenge/).* https://example.com$0

?


#3

The challenge verification code follows redirects (HTTP 301 and 302) from HTTP to HTTPS, so that should work just fine. Make sure you’re redirecting to a URL that actually serves the challenge token (and not back to / or something like that).
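
To make the two points in #2 and #3 concrete, here is an added model (not code from the thread or from the Let’s Encrypt client) of how an http-01 check interacts with an HTTP-to-HTTPS redirect. It applies a RedirectMatch-style rule to the plain-HTTP request, follows 301/302 redirects the way #3 describes, and accepts only if the final body is the key authorization. The token, thumbprint and hostname are constructed, and the redirect cap of 10 is an assumption; the three rules compared are “redirect everything to the front page” (fails, as #3 warns), “redirect everything but keep the path” (passes), and the lookahead rule from #2 (passes without any redirect at all).

```python
import re
from urllib.parse import urlsplit

# Constructed values (not from the thread): an http-01 token and the key
# authorization (token.thumbprint) the validator expects to read back.
TOKEN = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
KEY_AUTHZ = TOKEN + ".9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN

# Redirect rules in RedirectMatch form: (pattern, target); "$0" is the whole match.
RULES = {
    # Sends every request to the HTTPS front page, dropping the path.
    "redirect_to_root": (r"^.*", "https://example.com/"),
    # Redirects everything but keeps the path (the #2 rule without its lookahead).
    "redirect_keep_path": (r"^.*", "https://example.com$0"),
    # The rule suggested in #2: exempt the challenge directory entirely.
    "exempt_acme": (r"^(?!/\.well-known/acme-challenge/).*", "https://example.com$0"),
}


def make_server(pattern, target):
    """Model one vhost. Plain-HTTP requests whose path matches the pattern get a
    301 to the target (with $0 expanded); anything else is served from a docroot
    that contains only the challenge file and a front page."""
    rule = re.compile(pattern)

    def serve(url):
        parts = urlsplit(url)
        if parts.scheme == "http":
            m = rule.match(parts.path)
            if m:
                return 301, {"Location": target.replace("$0", m.group(0))}, ""
        if parts.path == CHALLENGE_PATH:
            return 200, {}, KEY_AUTHZ + "\n"
        if parts.path == "/":
            return 200, {}, "<html>welcome</html>"
        return 404, {}, "not found"

    return serve


def validate(serve, host, max_redirects=10):
    """Model of the http-01 check described in #3: start over plain HTTP, follow
    301/302 Location headers (the cap of 10 is an assumption, not from the
    thread), and accept only a final 200 whose body is the key authorization.
    Returns (ok, final_url) so the caller can see where the chain ended."""
    url = "http://" + host + CHALLENGE_PATH
    for _ in range(max_redirects + 1):
        status, headers, body = serve(url)
        if status in (301, 302):
            url = headers["Location"]
            continue
        return status == 200 and body.strip() == KEY_AUTHZ, url
    return False, url


def check_rule(name):
    """Run the modelled validation against one of the named redirect rules."""
    pattern, target = RULES[name]
    return validate(make_server(pattern, target), "example.com")


if __name__ == "__main__":
    for name in RULES:
        ok, final = check_rule(name)
        print(f"{name:20s} -> {'pass' if ok else 'FAIL'} (final URL {final})")
```

The takeaway matches #3: a redirect is harmless as long as the Location it produces still points at the challenge file, which is why `$0` (or Apache’s path-preserving `Redirect`) works and a redirect to the bare front page does not. The lookahead rule from #2 goes one step further and never redirects the challenge path, so the check succeeds even if the HTTPS side is misconfigured or its certificate has already expired.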


#4

Just bumped into this myself… is it more difficult than simply attempting to fetch the challenge string with the unique URL from both http and https before failing?


#5

Yes, there are security issues with using HTTPS for this (except when following a redirect). Mainly that on a shared server with only some sites HTTPS enabled, requests for one that isn’t could be sent to the default HTTPS site.


#6

Thanks! I just had the opportunity to try this out and it does indeed work without a hitch, much to my relief!