Renew failed due to redirect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: slat.org

I ran this command: certbot renew

It produced this output: https://pastebin.com/sQW7Ur35

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian GNU/Linux 9 (Jessie)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Description:
In my Apache configuration I redirect the / of http://slat.org to https://slat.org. When renewing the certificate it gave me an error like the one in the pastebin.

I tried some different ways and found that I need to remove the redirect and let it go directly to http://slat.org/.well-known/acme-challenge/ to make it work. If I keep the Redirect, it goes to https://slat.org/.well-known/acme-challenge/ and returns an invalid response, even if I set up the Alias in my https://slat.org too.

It should be able to work.

Certbot is configured to place the file in /var/www/letsencrypt/.well-known/acme-challenge/JHNm2rrkaeh0neRoPznugVbt4Mfb9fJRqIHiM_7Ry7w.

If http://slat.org/.well-known/acme-challenge/JHNm2rrkaeh0neRoPznugVbt4Mfb9fJRqIHiM_7Ry7w loads that file, or if it redirects to https://slat.org/.well-known/acme-challenge/JHNm2rrkaeh0neRoPznugVbt4Mfb9fJRqIHiM_7Ry7w and that URL loads that file, validation ought to work.

How is Apache configured?

My Apache configuration is here:

https://pastebin.com/juAHYjfa

Currently, if I connect to http://slat.org/.well-known/ it is redirected to https://slat.org/.well-known/. But when renewing, it still tries to get http://slat.org/.well-known/acme-challenge/* and fails.

That looks correct to me. Maybe you have some more virtual hosts elsewhere in your config? What does apachectl -S say?

Yes, I have many virtual hosts on this machine, though I have no idea how that would affect Let's Encrypt renewal.

My apache2ctl -S output is here:

https://pastebin.com/SBb4duBE

All the hosts now go to https, and all have their own Let's Encrypt SSL certificates.

I really don’t see anything wrong that could account for the problem you’re seeing.

All I can suggest is that if it’s working without the redirect, maybe you could try excluding /.well-known/acme-challenge/ from the redirect, e.g.:

RedirectMatch ^(?!/\.well-known/acme-challenge/)(.*)$ https://slat.org$1
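To make the two points in this thread concrete (a redirect is fine for HTTP-01 as long as the redirected-to URL serves the challenge file, and the RedirectMatch above keeps the challenge path on plain HTTP so the HTTPS vhost never has to), here is an added, offline model. It is example code written for this page, not certbot's code and not any poster's configuration. It assumes an in-memory stand-in for the two Apache vhosts, a placeholder token and key authorization, and models Apache's documented mod_alias ordering, where Redirect/RedirectMatch rules are evaluated before Alias rules within the same vhost.

```python
"""Offline model of an ACME HTTP-01 check against Apache redirect rules.

Added example for the forum thread above; not certbot's or Apache's code.
The "server" is an in-memory dict of vhosts, and the validator is emulated
by following redirects the way an HTTP-01 validator does, starting over
plain HTTP and accepting only a final 200 whose body is the key authorization.
"""
import re
from dataclasses import dataclass

HOST = "slat.org"
ACME_DIR = "/.well-known/acme-challenge/"
# Placeholders: a real token is random and per-order; the key authorization
# is "<token>.<account-key-thumbprint>" and is what the validator expects back.
TOKEN = "EXAMPLE_TOKEN"
KEY_AUTH = TOKEN + ".EXAMPLE_THUMBPRINT"

# Constructed content of the challenge directory (what certbot writes).
CHALLENGE_FILES = {ACME_DIR + TOKEN: KEY_AUTH + "\n"}


@dataclass
class VHost:
    """One virtual host: an optional redirect rule plus the paths it serves
    (the served paths model an Alias onto the acme-challenge directory)."""
    redirect: tuple = None   # (compiled regex on the request path, target with $1)
    files: dict = None       # request path -> response body

    def handle(self, path):
        """Serve one request: returns (status, location_or_body).
        Redirect rules are checked first, matching Apache mod_alias, which
        processes Redirect/RedirectMatch before Alias within a vhost."""
        if self.redirect:
            pattern, target = self.redirect
            m = pattern.match(path)
            if m:
                return 301, target.replace("$1", m.group(1))
        if self.files and path in self.files:
            return 200, self.files[path]
        return 404, ""


def plain_redirect():
    """Apache: Redirect / https://slat.org/  (prefix match, remainder appended)."""
    return (re.compile(r"^/(.*)$"), f"https://{HOST}/$1")


def redirectmatch_excluding_acme():
    """Apache: RedirectMatch ^(?!/\\.well-known/acme-challenge/)(.*)$ https://slat.org$1
    The negative lookahead leaves the challenge path un-redirected."""
    return (re.compile(r"^(?!/\.well-known/acme-challenge/)(.*)$"), f"https://{HOST}$1")


def http01_validate(hosts, max_redirects=10):
    """Emulate the validator. hosts maps scheme ('http'/'https') -> VHost.
    Follows up to max_redirects hops; a loop or excess hops is a failure."""
    url = f"http://{HOST}{ACME_DIR}{TOKEN}"
    for _ in range(max_redirects + 1):
        scheme, rest = url.split("://", 1)
        path = rest[len(HOST):] or "/"
        status, payload = hosts[scheme].handle(path)
        if status == 301:
            url = payload          # follow the redirect, whatever the scheme
            continue
        return status == 200 and payload.strip() == KEY_AUTH
    return False


# Constructed layouts that reproduce the situations discussed in the thread.
def scenario_redirect_no_https_alias():
    """Blanket redirect, challenge dir aliased only on the HTTP vhost: fails."""
    return {"http": VHost(plain_redirect(), CHALLENGE_FILES),
            "https": VHost(None, {})}


def scenario_redirect_with_https_alias():
    """Same redirect, but the HTTPS vhost also serves the challenge dir: passes."""
    return {"http": VHost(plain_redirect(), CHALLENGE_FILES),
            "https": VHost(None, CHALLENGE_FILES)}


def scenario_redirectmatch_exclusion():
    """The suggested RedirectMatch: the challenge stays on HTTP, so HTTPS
    needs no alias at all: passes."""
    return {"http": VHost(redirectmatch_excluding_acme(), CHALLENGE_FILES),
            "https": VHost(None, {})}


def scenario_redirect_loop():
    """HTTPS bouncing back to HTTP: the hop limit ends it as a failure."""
    back = (re.compile(r"^/(.*)$"), f"http://{HOST}/$1")
    return {"http": VHost(plain_redirect(), CHALLENGE_FILES),
            "https": VHost(back, {})}


if __name__ == "__main__":
    for name, build in [("redirect, no https alias", scenario_redirect_no_https_alias),
                        ("redirect, https alias too", scenario_redirect_with_https_alias),
                        ("RedirectMatch exclusion", scenario_redirectmatch_exclusion),
                        ("redirect loop", scenario_redirect_loop)]:
        print(f"{name}: {'pass' if http01_validate(build()) else 'FAIL'}")
```

The first scenario is the one the replies above are circling: the blanket Redirect fires before the Alias, so the validator lands on the HTTPS vhost, which has nothing at the challenge path. Either giving the HTTPS vhost the same Alias or using the RedirectMatch exclusion makes the check pass; the loop scenario shows why a validator caps the number of hops rather than following redirects forever.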

Thank you for your suggestion. The basic concept is to keep the acme-challenge visit on http instead of redirecting it to https. (For this time I changed the config to remove the Redirect temporarily. It then renewed my certificate successfully.) I’ll try your suggested setting when I have the same issue at the next renewal :wink:

I don’t know how many people are facing the same problem. If anyone has the same problem, please give feedback here and maybe it can be put in the FAQ. (Or can it be solved?)
