I Must Turn Off HTTPS Redirect to Renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: robjvargas.com

I ran this command: certbot renew --preferred-challenges http

It produced this output:

Processing /etc/letsencrypt/renewal/robjvargas.com.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for robjvargas.com
http-01 challenge for www.robjvargas.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (robjvargas.com) from /etc/letsencrypt/renewal/robjvargas.com.conf produced an unexpected error: Failed authorization procedure. www.robjvargas.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.robjvargas.com/.well-known/acme-challenge/4nQ0udJvcGBlAXx6ed8kR1xi_i3korg9ZujqsFT-l-8: "404 Not Found Not Found <p", robjvargas.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://robjvargas.com/.well-known/acme-challenge/I2gwsWt6ILS0ZV_RmYToYfq9hNHTs5Kjf08xX_kKaSA: "404 Not Found Not Found <p". Skipping.
All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/robjvargas.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/robjvargas.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache

The operating system my web server runs on is (include version):

Server version: Apache/2.4.6 (CentOS)

My hosting provider, if applicable, is:

CentOS 7 VPS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Okay, the actual truth is not that I must. My issue is that renewal fails until I turn off HTTPS redirect. I have redirect enabled in httpd.conf thus:

# HTTP to HTTPS redirect
RewriteEngine On
RewriteCond %{HTTPS} off
# RewriteCond %{Request_URI} !^http://www.robjvargas.com/.well-known/acme-challenge/test.txt
# RewriteCond %{REQUEST_URI} !^\/\.well-known\/.*$
RewriteRule (.*) https://www.robjvargas.com$1 [R,L]

I included the commented lines because I think that was part of my troubleshooting last time. With that enabled, I get the results listed above. If I turn off redirect, like so, the renewal has (twice) worked.

# HTTP to HTTPS redirect
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteCond %{Request_URI} !^http://www.robjvargas.com/.well-known/acme-challenge/test.txt
# RewriteCond %{REQUEST_URI} !^\/\.well-known\/.*$
# RewriteRule (.*) https://www.robjvargas.com$1 [R,L]

I just now successfully renewed with HTTP to HTTPS redirect disabled. All seems well with the redirect turned back on.

Just to be explicit, I am performing
systemctl restart httpd.service
after each change of httpd.conf.

Hi @RobJVargas

You redirect both domains, robjvargas.com and www.robjvargas.com, to https://www.robjvargas.com.

So robjvargas.com is redirected to another domain.

HTTP Challenge

The server SHOULD follow redirects when dereferencing the URL.

But perhaps Let's Encrypt doesn't follow redirects to other domains.

So change your rewrite rule.

OK. That makes sense. I'll look in a more appropriate forum for the exact syntax.

Just to make sure I understand: For renewal purposes, I should not redirect the base domain, robjvargas(dot)com?

Also, a side question: I made the choice to explicitly state the preferred challenge. However, that's how I initially subscribed to the certs. Thus, ostensibly, I don't need that flag, do I?


The Let's Encrypt validation authority will follow a redirect to another domain (but not to a bare IP address, and not to ports other than 80 or 443).


Thanks. I was thinking the same thing. But why does it work without redirect?

Probably because the OP forgot a slash ‘/’ after the rewrite rule… (Not sure, but it makes the link rewrite to something different in my environment…)

Hi @RobJVargas,

Can you please try this rewrite code instead of yours, and use certbot --dry-run to test the result?

RewriteEngine On 
RewriteCond %{HTTPS} !=on 
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Thank you


I think @stevenzhu is on the right track here (Thanks!): I suspect there is something broken in the redirect or the webserver configuration.
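To make the failure mode concrete, here is an added model of the exchange discussed in this thread; it is example code written for this page, not anything posted by the participants or shipped with certbot. Two tiny HTTP servers stand in for the OP's port-80 and port-443 vhosts (the "443" one speaks plain HTTP here, since the point is the redirect target, not TLS). The port-80 vhost either redirects everything, as the OP's `RewriteRule (.*) https://www.robjvargas.com$1 [R,L]` does, or exempts `/.well-known/acme-challenge/` from the redirect, which is what a `RewriteCond` on `REQUEST_URI` like the OP's own commented-out line would do. A client then fetches the challenge the way the validation authority does, following redirects under the policy quoted above (http/https only, ports 80 and 443 only, no bare-IP hosts). The token is the one from the certbot output; the key authorization suffix, the loopback ports and the hop limit are assumptions of the demo, and the policy is relaxed via parameters only so that it can run against loopback ephemeral ports.

```python
"""Model of ACME http-01 validation through an HTTP-to-HTTPS redirect.
Added example for this thread; not certbot or Apache code."""
import http.client
import http.server
import ipaddress
import threading
from urllib.parse import urljoin, urlsplit

# Token from the certbot output in the post; the thumbprint is constructed
# (a real key authorization is token + "." + the account key's JWK thumbprint).
TOKEN = "4nQ0udJvcGBlAXx6ed8kR1xi_i3korg9ZujqsFT-l-8"
KEY_AUTHZ = TOKEN + ".CONSTRUCTED_THUMBPRINT"
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN


def make_vhost(redirect_to=None, exempt_challenge=False, has_token=False):
    """One vhost. redirect_to mimics `RewriteRule (.*) <base>$1 [R,L]`;
    exempt_challenge mimics a RewriteCond that skips /.well-known/acme-challenge/;
    has_token says whether the challenge file exists under this vhost."""
    class Vhost(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            in_challenge_dir = self.path.startswith("/.well-known/acme-challenge/")
            if redirect_to and not (exempt_challenge and in_challenge_dir):
                self.send_response(301)
                self.send_header("Location", redirect_to + self.path)
                self.end_headers()
            elif has_token and self.path == CHALLENGE_PATH:
                body = KEY_AUTHZ.encode()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_error(404, "Not Found")  # what the OP saw

        def log_message(self, *args):
            pass  # keep the demo quiet

    return Vhost


def start(vhost):
    """Serve a vhost on an ephemeral loopback port; return its base URL."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), vhost)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def validate(base_url, ports=(80, 443), allow_ip_host=False, max_hops=10):
    """Fetch the challenge like a validator: follow redirects, but only to
    http/https URLs on an allowed port and never to a bare-IP host. The
    defaults are the rules quoted in the thread; max_hops is an assumption.
    Returns (ok, detail) without contacting a host the policy refuses."""
    url = base_url + CHALLENGE_PATH
    for _ in range(max_hops + 1):
        u = urlsplit(url)
        if u.scheme not in ("http", "https"):
            return False, "refusing redirect to non-HTTP URL " + url
        port = u.port or (443 if u.scheme == "https" else 80)
        if ports is not None and port not in ports:
            return False, "refusing redirect to port %d" % port
        if not allow_ip_host:
            try:
                ipaddress.ip_address(u.hostname)
                return False, "refusing redirect to bare IP host " + u.hostname
            except ValueError:
                pass  # a hostname, not an IP literal
        cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = cls(u.hostname, port, timeout=5)
        try:
            conn.request("GET", u.path or "/")
            resp = conn.getresponse()
            body = resp.read().decode("utf-8", "replace")
            if 300 <= resp.status < 400 and resp.getheader("Location"):
                url = urljoin(url, resp.getheader("Location"))
                continue
            if resp.status != 200:
                return False, "%s returned HTTP %d" % (url, resp.status)
            if body.strip() != KEY_AUTHZ:
                return False, "wrong key authorization at " + url
            return True, "validated at " + url
        finally:
            conn.close()
    return False, "too many redirects"


def scenario(exempt_challenge):
    """The OP's setup: port 80 redirects to the www HTTPS vhost, which has
    no challenge file; only port 80 has it. exempt_challenge=True is the fix."""
    https_vhost = start(make_vhost(has_token=False))
    http_vhost = start(make_vhost(redirect_to=https_vhost,
                                  exempt_challenge=exempt_challenge, has_token=True))
    return validate(http_vhost, ports=None, allow_ip_host=True)


if __name__ == "__main__":
    print("redirect everything:  ", scenario(False))
    print("exempt challenge dir: ", scenario(True))
```

Run as-is, the first scenario reproduces the thread's symptom (the validator follows the redirect and is handed a 404 by the vhost that has no challenge file), and the second succeeds because the challenge path is never redirected. The same `validate` also shows why the CA would have failed even without that 404 if the rule had redirected to a bare IP or a non-standard port.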
