I had my HTTP server redirect with a 301 to HTTPS at the HAProxy level. Now I'm unable to authorize the request, as the request is being blocked because of HSTS.
Is there a way to clear the cache in Let's Encrypt to circumvent the 301, which I have disabled at the moment?
So the 301 is not enabled anymore, but as Let's Encrypt did cache the 301, I'm unable to make the certificate request on my server, meaning I have locked myself out of making the request.
Does anyone have an idea how I can bypass the HSTS, or how I can get rid of those 301 redirects and just use my HTTP endpoint?
How do you know this is the problem? From my experience, Let’s Encrypt follows redirects and ignores problems (expired certs, etc).
Good question. Finally I managed to solve it by adding the following header to all responses from my server.
rspadd Strict-Transport-Security:\ max-age=0;\ includeSubdomains
Now it works again, so that is kind of my only proof that it was the HSTS. I had the same issue in Google Chrome.
You have the problem with Google Chrome, but Let's Encrypt won't have that issue. HSTS and a permanent redirect shouldn't be a problem and are actually pretty common and the expected setup long term. Let's Encrypt follows the redirect, so your problem is a different one.
Then I have no clue what happened, as that is the only thing I have added to my HAProxy. Anyway, it is solved now.
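For readers hitting the same combination of a permanent HTTPS redirect, HSTS and HTTP-01 validation, the following HAProxy configuration is an added example; it is not taken from this thread or from any poster's setup. It keeps the 301 and the HSTS header (the expected long-term setup) but routes the ACME challenge path to the ACME client before the redirect applies, so a validation request never depends on the TLS side. The frontend and backend names, the certificate directory and the local port 8402 for the ACME client are assumptions; HAProxy 2.x syntax (`http-request redirect`, `http-response set-header`) is used rather than the older `rspadd`.

```haproxy
# Added example (not from the thread): HAProxy 2.x frontend that keeps the
# permanent HTTPS redirect and HSTS but exempts the ACME HTTP-01 path.
# Names (fe_http, fe_https, be_app, be_acme), the cert path and the ACME
# client port 8402 are assumptions; adjust them to your own setup.

frontend fe_http
    bind :80
    # Requests for the HTTP-01 challenge path are handed to the ACME client as-is
    acl acme_challenge path_beg /.well-known/acme-challenge/
    use_backend be_acme if acme_challenge
    # Everything else is redirected permanently to HTTPS.
    # http-request rules run before use_backend, so the condition is required.
    http-request redirect scheme https code 301 if !acme_challenge

frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/
    # HSTS only has meaning on the HTTPS side; browsers ignore it over plain HTTP.
    # Use a short max-age while testing and raise it once the setup is stable,
    # because a long max-age cached in a browser cannot be revoked quickly.
    http-response set-header Strict-Transport-Security "max-age=300; includeSubDomains"
    default_backend be_app

backend be_acme
    # Standalone ACME client listening locally, e.g.
    # certbot certonly --standalone --http-01-port 8402 (assumed deployment)
    server acme 127.0.0.1:8402

backend be_app
    server app1 127.0.0.1:8080
```

To check the exemption before requesting a certificate, run `curl -sI http://example.com/.well-known/acme-challenge/probe` from outside the host: the answer should come from the ACME backend (a 404 is normal when no challenge is active) rather than a 301, while `curl -sI http://example.com/` should still return the redirect. If a browser has already cached a long HSTS max-age for the host, that cache lives in the browser, not at Let's Encrypt; in Chrome the entry can be inspected and deleted under chrome://net-internals/#hsts.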
I had to put the ACME challenge folders above my domain directories and not inside them (during the renewal process). I found out about it after looking at the Apache error_log and a couple of erroneous ACME challenge attempts. I have HSTS enabled by .htaccess, btw.