My setup is:

  • apache2
  • SSL proxy front-end
  • certbot
  • port80 was NOT exposed to the proxy host running certbot

Was previously using the SNI method, but since it’s now deprecated, we need a workaround.

My server setup only exposed port 443 HTTPS. There was a default file for port 80, but it was not enabled. So then I enabled it, but definitely don’t want to enable it permanently unless there’s a port 80 redirect to 443.

Thinking it would be good to add into the FAQ something like this:

  • Q: How can I leverage the HTTP-01 renewal method when I'm redirecting all HTTP port 80 to HTTPS port 443?
  • A: Exclude the .well-known/acme-challenge directory used during renewal by certbot from the redirect rule.

For example, if using Apache2:

RewriteEngine on
# Redirect ALL HTTP requests to HTTPS
# (except) - the acme-challenge path required for certbot
# Note: a negated pattern has no capture group, so $1 would be empty;
# %{REQUEST_URI} carries the original path into the redirect instead.
RewriteCond %{HTTPS} !=on
RewriteRule !^/?\.well-known/acme-challenge/ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
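
A complete port-80 virtual host built around the FAQ answer above, as an added example rather than the poster's own config: it assumes certbot's webroot plugin is pointed at /var/www/letsencrypt (certbot certonly --webroot -w /var/www/letsencrypt -d example.com) and the hostname example.com, and it serves only the challenge directory over plain HTTP while everything else is sent to HTTPS.

```apache
# Added example: port-80 vhost that exposes only the ACME challenge path.
# Hostname and filesystem paths are assumptions, not values from the post.
<VirtualHost *:80>
    ServerName example.com

    # Webroot used by: certbot certonly --webroot -w /var/www/letsencrypt -d example.com
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
        # Challenge tokens are plain text; never let them be interpreted
        ForceType text/plain
    </Directory>

    RewriteEngine on
    # Only the challenge path stays on HTTP. No capture group is used, so
    # %{REQUEST_URI} (not $1) carries the original path into the redirect.
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

A quick check from outside the host: a request to http://example.com/.well-known/acme-challenge/does-not-exist should come back as a 404 served directly by this vhost, while any other HTTP path should return a 301 to the https:// URL.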

I’m not sure this is exactly necessary in most cases. The LE validation server will follow a redirect to HTTPS on port 443 just fine. It only needs to start with port 80 for the http-01 challenge. After the initial request on port 80, it may redirect to any HTTP host on port 80 or even HTTPS on port 443.

