I Must Turn Off HTTPS Redirect to Renew


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: robjvargas.com

I ran this command: certbot renew --preferred-challenges http

It produced this output:


Processing /etc/letsencrypt/renewal/robjvargas.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for robjvargas.com
http-01 challenge for www.robjvargas.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (robjvargas.com) from /etc/letsencrypt/renewal/robjvargas.com.conf produced an unexpected error: Failed authorization procedure. www.robjvargas.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.robjvargas.com/.well-known/acme-challenge/4nQ0udJvcGBlAXx6ed8kR1xi_i3korg9ZujqsFT-l-8: "

404 Not Found

Not Found

<p", robjvargas.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://robjvargas.com/.well-known/acme-challenge/I2gwsWt6ILS0ZV_RmYToYfq9hNHTs5Kjf08xX_kKaSA: " 404 Not Found

Not Found

<p". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/robjvargas.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/robjvargas.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache

The operating system my web server runs on is (include version):

Server version: Apache/2.4.6 (CentOS)

My hosting provider, if applicable, is:

CentOS 7 VPS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Okay, the actual truth is not that I must. My issue is that renewal fails until I turn off HTTPS redirect. I have redirect enabled in httpd.conf thus:

# HTTP to HTTPS redirect
RewriteEngine On
RewriteCond %{HTTPS} off
# RewriteCond %{Request_URI} !^http://www.robjvargas.com/.well-known/acme-challenge/test.txt
# RewriteCond %{REQUEST_URI} !^\/\.well-known\/.*$
RewriteRule (.*) https://www.robjvargas.com$1 [R,L]

I included the commented lines because I think that was part of my troubleshooting last time. With that enabled, I get the results listed above. If I turn off redirect, like so, the renewal has (twice) worked.

# HTTP to HTTPS redirect
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteCond %{Request_URI} !^http://www.robjvargas.com/.well-known/acme-challenge/test.txt
# RewriteCond %{REQUEST_URI} !^\/\.well-known\/.*$
# RewriteRule (.*) https://www.robjvargas.com$1 [R,L]

I just now successfully renewed with HTTP to HTTPS redirect disabled. All seems well with the redirect turned back on.

Just to be explicit, I am performing
systemctl restart httpd.service
after each change of httpd.conf.


#2

Hi @RobJVargas

You redirect both domains robjvargas.com + www.robjvargas.com to https://www.robjvargas.com.

So robjvargas.com is redirected to another domain.

HTTP Challenge

https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-8.3

The server SHOULD follow redirects when dereferencing the URL.

But perhaps Let's Encrypt doesn’t follow redirects to other domains.

So change your rewrite rule.


#3

OK. That makes sense. I’ll look in a more appropriate forum for the exact syntax.

Just to make sure I understand: For renewal purposes, I should not redirect the base domain, robjvargas(dot)com?

Also, a side question: I made the choice to explicitly state the preferred challenge. However, that’s how I initially subscribed to the certs. Thus, ostensibly, I don’t need that flag, do I?


#4

The Let’s Encrypt validation authority will follow a redirect to another domain (but not to a bare IP address, and not to ports other than 80 or 443).


#5

Thanks. I was thinking the same thing. But why does it work without redirect?


#6

Probably because the OP forgot a slash ‘/’ in the rewrite rule… (Not sure, but it makes the link rewrite to something different in my environment…)

Hi @RobJVargas,

Can you please try this rewrite code instead of yours, and use certbot --dry-run to test the result?

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Thank you
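One way to keep the HTTP-to-HTTPS redirect that #2 and #6 discuss while still letting the http-01 validator fetch the token over plain HTTP, as an added example (it is neither the OP's httpd.conf nor the rule from #6). It assumes a single port-80 vhost serving both names, and a webroot of /var/www/acme-challenge that is a made-up path for this example (it would be used with "certbot --webroot -w /var/www/acme-challenge"):

```apache
# Added example, not the OP's httpd.conf: the HTTP vhost answers the ACME
# challenge path itself and redirects everything else to HTTPS.
<VirtualHost *:80>
    ServerName robjvargas.com
    ServerAlias www.robjvargas.com

    # Serve http-01 tokens directly from the HTTP vhost.
    # /var/www/acme-challenge is an assumed webroot for this example.
    Alias /.well-known/acme-challenge/ /var/www/acme-challenge/.well-known/acme-challenge/
    <Directory /var/www/acme-challenge/.well-known/acme-challenge/>
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTPS} off
    # Exempt the challenge path from the redirect. REQUEST_URI holds only the
    # URL path (no scheme or host), so a negated condition written against a
    # full "http://..." URL, like the commented-out line in #1, is always true
    # and exempts nothing.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # In server/vhost context the matched path already starts with "/", so
    # substituting REQUEST_URI keeps the slash between host and path.
    RewriteRule ^ https://www.robjvargas.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Before running certbot renew --dry-run, a quick check from the shell is "curl -sI http://robjvargas.com/.well-known/acme-challenge/test": with the exemption in place the answer should come straight from port 80 (a 404 for a non-existent token, or 200 for a file you drop in the webroot) rather than a 301 with a Location header pointing at HTTPS. With the apache authenticator the OP is using, certbot adds a temporary challenge location to the HTTP vhost at renewal time; a redirect that fires first sends the validator to the HTTPS vhost, which has no such location, and a 404 like the one in #1 is one plausible result.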


#7

I think @stevenzhu is on the right track here (Thanks!): I suspect there is something broken in the redirect or the webserver configuration.

