The shared cloud hosting service I use provides a useful button to deploy Let's Encrypt (with no guarantees). It worked fine for me. I have HTTPS! I followed Google's advice and set up a redirect (rewrite rule) so HTTP requests go to HTTPS. Great! Some months later I got news that my certificate had expired. It turns out the host does run an auto-renewal script as a cron job, but they told me it failed because my website:
"has a forced https which has prevented the Let's Encrypt from auto-renewing. Please bear in mind that due to the nature of the free third party SSL Let's Encrypt it cannot be manually or auto-renewed as long as it has https or any other redirect in place. I have temporarily disabled your website https and I have renewed your Let's Encrypt and I have then re-enabled your https: https://www.sslshopper.com/ssl-checker.html#hostname=spucnottingham.org.uk "
It was kind of them to fix it this time round, but I wanted to know what to do for the future. After some conversations with them I'm none the wiser, and the best we came up with is that I can disable the redirect for a day on day 89, every quarter.
This seems to me unsatisfactory. My thoughts on the matter are:
- If Google advise preventing access to plain HTTP, then allowing it even for just 4 days a year can't be good.
- If Google penalise plain HTTP, then exposure of plain HTTP versions even for a day could be harmful. (By the way, I do provide canonical pointers to HTTPS in the HTML headers.) I have seen that many sites do run both plain HTTP and HTTPS versions alongside each other, but they do this, I think, because of past search reputation, giving time to build a new reputation on HTTPS. In my case I just want one site.
- I haven't found anything over many internet searches about HTTPS preventing auto-renewal. Can anyone confirm if that's so, and provide a low-tech explanation of why that's so?
Standard answers:
My domain is: spucnottingham.org.uk, though I have others I want to deploy the same way.
I ran this command: n/a; my host does some magic to auto-renew the certificate for me, but hasn't revealed whether they use certbot or some home-grown solution
It produced this output: n/a
My web server is (include version): don’t know, but it may help if I say I’m not using cloudflare
The operating system my web server runs on is (include version): some version of linux
My hosting provider, if applicable, is: www.tsohost.com
I can login to a root shell on my machine (yes or no, or I don't know): I can SSH to a limited zone, but not the whole tree
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): tsohost’s home grown cloud panel
Thanks folks!
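The part of this that can be checked rather than argued is what the redirect does to the HTTP-01 validation request. Let's Encrypt's validation server fetches `http://<domain>/.well-known/acme-challenge/<token>` and follows redirects, including redirects to HTTPS, so a forced-HTTPS rule is not by itself a blocker; renewal fails when the redirect target cannot serve the token (for example when the renewal script places the token somewhere only the plain-HTTP site exposes, or the rule sends every request to the homepage and drops the path). The rewrite rules below are an added example and are not from the original post or from tsohost's panel; they assume the redirect is implemented with Apache mod_rewrite in an `.htaccess` file (the post only says "rewrite rule", the actual stack is not stated) and show the all-or-nothing rule beside a version that lets the challenge path through.

```apache
# Added example, not the poster's or tsohost's configuration.
# Assumption: the redirect is an Apache mod_rewrite rule in .htaccess.
RewriteEngine On

# Form that the host is most likely running: every plain-HTTP request,
# including /.well-known/acme-challenge/<token>, is sent to HTTPS. This is
# fine for the validator only if the HTTPS site can serve the same path.
#
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Safer form: exempt the ACME challenge path from the redirect and force
# HTTPS for everything else. The token is a one-time random value served
# only while validation runs, so leaving this one path reachable over plain
# HTTP exposes no site content and no other HTTP URL ever answers.
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

To see which case applies without waiting for day 89, request a made-up token over plain HTTP, e.g. `curl -sI http://spucnottingham.org.uk/.well-known/acme-challenge/test`: a 404 from either the HTTP or the HTTPS side is what a working setup returns for an unknown token, while a 301 whose Location points at the homepage or a different path means the redirect is discarding the challenge URL and needs the exemption above.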