Redirect Causing Possible Issue

I recently switched settings so that my main domain stanragets.com redirects to the subdomain fineart.stanragets.com
I did this so as not to lose the SEO links I have created over the years.

Since this change, when I run certbot -renew all of the domains renew except for the main stanragets.com domain which gives me an error and says to check my DNS settings, specifically the A Record. Props to whoever thought to have this information instead of a generic error (think http 500 errors argh!).

Anyhow, is this issue because I have the redirect in place? Is there a way around it? I wouldn’t care so much, but I’m concerned there might be issues when emailing clients or potential clients since my email domain is @stanragets.com

Any insight you have is greatly appreciated! Thank you in advance.

Most likely, yes - it has something to do with the changes you have made.
Normally LE will follow redirections without any issues.

There should be, but implementation is dependent on the OS and web server in use.
Generically you should just exclude redirections for /.well-known/acme-challenge/* requests and handle them as you were previously.

Thank you for the quick response!
Please pardon my ignorance, but how do I go about excluding redirections?

That depends on the service making the redirection.
Are you using Apache, NGINX, IIS ?

I’m using CentOS and Apache

Please show all the redirection lines from the vhost config file.

$ curl -sI http://stanragets.com/.well-known/acme-challenge/test | grep Location
Location: https://fineart.stanragets.com

Let’s Encrypt supports redirects, but that specific redirect won’t work, unless you temporarily replace your home page with the ACME challenge file.

If it preserved the path, redirecting to “https://fineart.stanragets.com/.well-known/acme-challenge/test” in this example, and the ACME client was configured to place files in https://fineart.stanragets.com/'s document root, it would work.
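Added example, not part of the thread: a small POSIX shell function that applies the rule this reply describes. Let's Encrypt follows HTTP redirects during http-01 validation, but only to http:// or https:// targets on port 80 or 443, and the final URL must still end in the same /.well-known/acme-challenge/<token> path, otherwise the validator fetches whatever the target serves (here, the fineart home page) instead of the token. The function takes the request path and the Location header value and says whether that redirect can still pass; the hostnames in the comments are the ones from this thread, everything else is assumed.

```shell
#!/bin/sh
# acme_redirect_ok REQUEST_PATH LOCATION
# Returns 0 when a redirect from REQUEST_PATH to LOCATION can still satisfy
# an http-01 challenge, 1 (with a reason on stderr) when it cannot.
acme_redirect_ok() {
    req_path=$1
    location=$2

    # Only the challenge path matters for validation.
    case $req_path in
        /.well-known/acme-challenge/*) ;;
        *) echo "not a challenge path: $req_path" >&2; return 1 ;;
    esac

    # The validator only follows http:// and https:// redirects.
    case $location in
        http://*)  rest=${location#http://} ;;
        https://*) rest=${location#https://} ;;
        *) echo "unsupported scheme in: $location" >&2; return 1 ;;
    esac

    # Split "host[:port]/path"; a bare "https://host" means path "/".
    hostport=${rest%%/*}
    case $rest in
        */*) path=/${rest#*/} ;;
        *)   path=/ ;;
    esac
    path=${path%%\?*}

    # Explicit port, if any (IPv6 literals in brackets handled too).
    case $hostport in
        \[*\])   port="" ;;
        \[*\]:*) port=${hostport##*\]:} ;;
        *:*)     port=${hostport##*:} ;;
        *)       port="" ;;
    esac
    case $port in
        ""|80|443) ;;
        *) echo "redirect to port $port is not followed: $location" >&2; return 1 ;;
    esac

    if [ "$path" = "$req_path" ]; then
        return 0
    fi
    echo "redirect drops the challenge path: $req_path -> $path" >&2
    return 1
}

# Usage against a live host (not run here), feeding it the Location header
# the way the curl -sI command earlier in this thread obtains it:
#   req=/.well-known/acme-challenge/test
#   loc=$(curl -sI "http://stanragets.com$req" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
#   acme_redirect_ok "$req" "$loc" && echo "redirect is fine"
```

With the Location seen in this thread, `https://fineart.stanragets.com`, the function reports that the challenge path is dropped; with `https://fineart.stanragets.com/.well-known/acme-challenge/test` it passes, which is exactly the difference between the two redirect shapes discussed above.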

I’m certain you’ve explained this well, but could you do so more for a noob? I’m learning all of this on the fly. I do have a background in programming and web development, but the server side of things, as well as administration, is very new to me.

Could you provide the Apache configuration lines containing “Redirect”, “RewriteCond” or “RewriteRule”?

Redirecting is allowed, but the type of redirect the site is currently using won’t work.

Ok. I couldn’t find a single redirect statement in httpd.conf

I dug a little further, in the /usr/local/apps/apache/etc/conf.d/webuzoVH.conf I found the following
RedirectMatch permanent ^ https://fineart.stanragets.com

This same line appears once with SSL certs and then again in another section without.

I forgot “RedirectMatch”. :sweat: Yes, that looks like the culprit.

If you replace it with “Redirect / https://fineart.stanragets.com/” (the “/” at the end is important), and pass the correct document root to your ACME client, everything ought to work. :slightly_smiling_face:
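Added example, not the poster's Webuzo-generated file: the broken RedirectMatch quoted above beside the two working shapes discussed in this thread, the path-preserving Redirect from this reply and the challenge-path exclusion suggested earlier. ServerName, ServerAlias and DocumentRoot values are assumptions; the same change applies to the :443 vhost, which the poster says carries a second copy of the line.

```apache
<VirtualHost *:80>
    ServerName stanragets.com
    ServerAlias www.stanragets.com
    # Assumed path; use the directory this vhost really serves from.
    DocumentRoot /var/www/stanragets.com

    # Broken shape from the original config, kept here only for comparison:
    #   RedirectMatch permanent ^ https://fineart.stanragets.com
    # "^" matches every request and the target has no path, so
    # /.well-known/acme-challenge/<token> is sent to the fineart home page
    # and the validator sees HTML instead of the token.

    # Option A (this reply): path-preserving redirect. The trailing "/" on
    # the target makes mod_alias append the rest of the request path, so
    # the token ends up at
    # https://fineart.stanragets.com/.well-known/acme-challenge/<token>.
    # The ACME client must then write challenge files into the
    # fineart.stanragets.com document root.
    Redirect permanent / https://fineart.stanragets.com/

    # Option B (earlier reply): redirect everything except the challenge
    # path and serve challenge files from this vhost's own DocumentRoot.
    # Use instead of Option A, not together with it.
    #   RewriteEngine On
    #   RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    #   RewriteRule ^ https://fineart.stanragets.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After editing, `apachectl configtest` and a reload, then the curl -sI check from earlier in the thread should show the Location header carrying the full challenge path (Option A) or no redirect at all on that path (Option B). Since Webuzo generates this vhost file, an edit made by hand can be overwritten on its next regeneration, which is the point raised later in the thread about Webuzo's own redirects configuration.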

Awesome.
Where do I find the document root to my ACME client?

Oh, you’re using Certbot. I missed it last time I looked.

Does “certbot renew” or “certbot renew --dry-run” work right now?

Is anything broken?
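Added example, not part of the thread, answering the "where is the document root my ACME client uses" question for a certbot webroot setup. Certbot records the webroot it uses per domain in the [[webroot_map]] section of /etc/letsencrypt/renewal/<cert-name>.conf; the function below reads it from such a file, and the probe function then drops a test file into that directory and fetches it through the redirect the way the validator would. The renewal config contents and the /var/www paths are constructed for this example and are not the poster's.

```shell
#!/bin/sh
# webroot_for_domain CONF DOMAIN
# Prints the webroot certbot uses for DOMAIN, read from the [[webroot_map]]
# section of a certbot renewal config; returns 1 if the domain is absent.
webroot_for_domain() {
    conf=$1
    domain=$2
    awk -v d="$domain" '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && $1 == d && $2 == "=" { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# probe_challenge DOMAIN WEBROOT
# Writes a throwaway token into WEBROOT and fetches it over plain HTTP,
# following redirects (-L) as Let's Encrypt does. Succeeds only if the
# body that comes back is the token, i.e. the redirect kept the challenge
# path and the target vhost serves the same directory. Needs the live server.
probe_challenge() {
    domain=$1
    webroot=$2
    token=probe-$$
    mkdir -p "$webroot/.well-known/acme-challenge"
    echo "$token" > "$webroot/.well-known/acme-challenge/$token"
    body=$(curl -sL "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$webroot/.well-known/acme-challenge/$token"
    [ "$body" = "$token" ]
}

# Constructed sample renewal config (invented values, same layout certbot
# writes for a webroot-authenticated certificate).
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/stanragets.com
cert = /etc/letsencrypt/live/stanragets.com/cert.pem
[renewalparams]
authenticator = webroot
account = 0123456789abcdef
[[webroot_map]]
stanragets.com = /var/www/stanragets.com
www.stanragets.com = /var/www/stanragets.com
EOF

# On the real server (not run here):
#   webroot=$(webroot_for_domain /etc/letsencrypt/renewal/stanragets.com.conf stanragets.com)
#   probe_challenge stanragets.com "$webroot" && certbot renew --dry-run
# If the probe fails because the redirect now lands on the fineart vhost,
# re-issue once with the directory that vhost serves; certbot rewrites the
# renewal config with the new webroot:
#   certbot certonly --webroot -w /path/to/fineart/docroot -d stanragets.com -d www.stanragets.com
```

If the probe returns the fineart home page instead of the token, that is the same symptom as the `<meta name="viewport" ...` fragment in the certbot error above: the validator reached a web page, not the challenge file.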

This is what I get:

Performing the following challenges:

http-01 challenge for stanragets.com
http-01 challenge for www.stanragets.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/stanragets.com.conf produced an unexpected error: Failed authorization procedure. www.stanragets.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.stanragets.com/.well-known/acme-challenge/nxO6v6R2bpEvjbzya3UxDpnrE3FXJXpCiS2K7DtOerA: "

<meta name="viewport" content="width=device-width, initial-s", stanragets.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://stanragets.com/.well-known/acme-challenge/kQjoFmsyLBb0-q0FIdNv26_z2UADAv94QDFJbqhe1KY: " <meta name="viewport" content="width=device-width, initial-s". Skipping.

The following certs are not due for renewal yet:
/etc/letsencrypt/live/d.stanragets.com/fullchain.pem (skipped)
/etc/letsencrypt/live/design.stanragets.com/fullchain.pem (skipped)
/etc/letsencrypt/live/fineart.stanragets.com/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stanragets.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

It’s still doing the problematic redirect.

Location: https://fineart.stanragets.com

I did the part quoted above. I don't know how to do the ACME part.

I found this file in the webuzo config called redirects:
This is the contents
a:1:{s:14:"stanragets.com";a:1:{s:1:"/";a:3:{s:4:"path";s:1:"/";s:4:"type";s:9:"permanent";s:7:"address";s:30:"https://fineart.stanragets.com";}}}

Perfect.

(On second thought, you may want to change "Redirect" to "RedirectPermanent", but it's not critical.)

It might be configured acceptably already.

Does "certbot renew --dry-run" work now?

I have no idea what to do about that. :sweat: Webuzo might break the redirect again in the future. You probably need to adjust its configuration... somewhere.

On second thought, why not use “certbot --apache”?

Or does Webuzo have Let’s Encrypt integration of some sort?

Webuzo does, but it doesn’t work. It can never find the certs even though it puts them on the server, so you have to renew them yourself then copy and paste all three parts for every domain name. It’s ridiculous.

Here’s what I got on the last dry run I ran.

[root@stanragets webuzo]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/d.stanragets.com.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for d.stanragets.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/d.stanragets.com.conf produced an unexpected error: Failed authorization procedure. d.stanragets.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for d.stanragets.com. Skipping.


Processing /etc/letsencrypt/renewal/design.stanragets.com.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for design.stanragets.com
http-01 challenge for fineart.stanragets.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/design.stanragets.com.conf produced an unexpected error: Failed authorization procedure. design.stanragets.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for design.stanragets.com, fineart.stanragets.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for fineart.stanragets.com. Skipping.


Processing /etc/letsencrypt/renewal/fineart.stanragets.com.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fineart.stanragets.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/fineart.stanragets.com.conf produced an unexpected error: Failed authorization procedure. fineart.stanragets.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for fineart.stanragets.com. Skipping.


Processing /etc/letsencrypt/renewal/stanragets.com.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stanragets.com
http-01 challenge for www.stanragets.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/stanragets.com.conf produced an unexpected error: Failed authorization procedure. stanragets.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://stanragets.com/.well-known/acme-challenge/kyuM5cZzQU1_ivJdOe0u4Iuu0pX7r9qJqubZOGKtW9w: "

<meta name="viewport" content="width=device-width, initial-s", www.stanragets.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.stanragets.com/.well-known/acme-challenge/9qfpJWJxCWW3Lm7Z568kayeBfgzvMQnt0-iaEIIbfCw: " <meta name="viewport" content="width=device-width, initial-s". Skipping. ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/d.stanragets.com/fullchain.pem (failure)
/etc/letsencrypt/live/design.stanragets.com/fullchain.pem (failure)
/etc/letsencrypt/live/fineart.stanragets.com/fullchain.pem (failure)
/etc/letsencrypt/live/stanragets.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
4 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: d.stanragets.com
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for d.stanragets.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

    Domain: design.stanragets.com
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for
    design.stanragets.com

    Domain: fineart.stanragets.com
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for
    fineart.stanragets.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

    Domain: fineart.stanragets.com
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for
    fineart.stanragets.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

    Domain: stanragets.com
    Type: unauthorized
    Detail: Invalid response from
    http://stanragets.com/.well-known/acme-challenge/kyuM5cZzQU1_ivJdOe0u4Iuu0pX7r9qJqubZOGKtW9w:
    "

    <meta name="viewport" content="width=device-width, initial-s"

    Domain: www.stanragets.com
    Type: unauthorized
    Detail: Invalid response from
    http://www.stanragets.com/.well-known/acme-challenge/9qfpJWJxCWW3Lm7Z568kayeBfgzvMQnt0-iaEIIbfCw:
    "

    <meta name="viewport" content="width=device-width, initial-s"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.