I am running a publicly available domain at foo.bar.gzonk.com.
I am not normally using http, so I figured I would reserve that for letsencrypt.
Alas, Safari still defaults to using http, so I am adding HSTS and a redirect to all requests that don't ask for a path under /.well_known.
I have noticed that some letsencrypt challenge requests now use HTTPS instead of HTTP, including for /.well_known paths.
This is bad: if the certificate expired, this means I couldn't renew it using HTTP challenge and would have to intervene manually with DNS. This also stops bootstrapping efforts.
I believe the letsencrypt verification probe should never respect HSTS.
I see. I will confirm that my web serving configuration is correct then, because that's the other explanation, that it somehow gets served with a redirect. Thanks.
Sure you can. Let's Encrypt isn't checking for a valid cert during a renewal using the HTTP-01 challenge, even when it follows a redirect to HTTPS. It's only looking for the matching token.
Let's Encrypt will follow https redirects if you provide them (it ignores HSTS, that's a "red herring" here). If your cert is expired or self-signed (but TLS is otherwise working) then validation will work.
If you have a specific failure that you are trying to debug, please let us know the real domain and provide a log.
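An added example of the configuration the thread is discussing (not taken from the thread or from Let's Encrypt's own documentation): an nginx layout that serves the HTTP-01 challenge path directly over plain HTTP, redirects everything else to HTTPS, and sets HSTS only on the HTTPS response. It assumes a certbot webroot of /var/www/letsencrypt, the default certbot certificate paths under /etc/letsencrypt/live/, and the hostname from the thread; note that the ACME path is /.well-known/acme-challenge/ (hyphen, not underscore).

```nginx
# Added example: keep the ACME challenge reachable over HTTP, redirect the rest.
# Assumed paths: webroot /var/www/letsencrypt, certbot certs under /etc/letsencrypt/live/.

server {
    listen 80;
    server_name foo.bar.gzonk.com;

    # Serve challenge files straight from the webroot, with no redirect, so renewal
    # never depends on the current certificate or on TLS being configured at all.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else goes to HTTPS. The validator would follow this redirect too
    # (it ignores HSTS and does not check certificate validity), but excluding the
    # challenge path above removes that dependency entirely.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name foo.bar.gzonk.com;

    ssl_certificate     /etc/letsencrypt/live/foo.bar.gzonk.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar.gzonk.com/privkey.pem;

    # HSTS is only honoured by browsers on HTTPS responses, so it belongs here only.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/html;
    }
}
```

To confirm the exception matches, request a dummy token path over plain HTTP (for example with `curl -sI http://foo.bar.gzonk.com/.well-known/acme-challenge/probe`): a 404 from the webroot is expected, while a 301 means the challenge location is not taking precedence over the redirect.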