[Solved] Bypassing client ssl certificate authentication for LE renewals

I use nginx v1.13.6.

I know this is not your purview but was hoping someone here has dealt with this and can offer some insight.

How can I require client SSL cert authentication for a site but allow LE to bypass the client cert check for automatic cert renewal? I have not found a configuration that works.


The easiest solution would be to disable redirecting from http to https for .well-known/acme-challenge. Webroot authentication takes place over HTTP, not HTTPS, so if you can avoid redirecting, you avoid the client certificate issue altogether.

For example, the block you already have that does this redirection probably looks something like this:

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 302 https://example.com$request_uri;
}

So to avoid redirecting to HTTPS where a client certificate is necessary, you would instead do this:

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    location / {
        return 302 https://example.com$request_uri;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}
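For reference, here is the complete pair of server blocks this pattern ends up as, written out as an added example (it is not the config posted in the thread and not from any project). The HTTP block serves ACME http-01 challenges from the webroot with no TLS and no client certificate in the way, while the HTTPS block enforces client certificate verification for everything else. The hostname, certificate paths, CA bundle path and webroot are placeholders.

```nginx
# Added example, not from the thread. Hostname, paths and the client CA bundle are placeholders.

# Port 80: answer ACME http-01 challenges over plain HTTP, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Certbot's webroot plugin writes the challenge token below this directory
    # (certbot renew --webroot -w /var/www/html). Because this is served over HTTP,
    # the client-certificate requirement on port 443 never applies to the validation.
    # "^~" makes this prefix win over any regex locations that may be added later.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    # Everything that is not a challenge still goes to the protected HTTPS site.
    location / {
        return 302 https://example.com$request_uri;
    }
}

# Port 443: the Let's Encrypt server certificate plus mandatory client certificates.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;     # placeholder path

    # CA (or chain) that issued the client certificates; any client without a
    # certificate signed by it gets a 400 from nginx before reaching the app.
    ssl_client_certificate /etc/nginx/client-ca.pem;                         # placeholder path
    ssl_verify_client on;

    location / {
        root /var/www/protected;                                             # placeholder
    }
}
```

After editing, validate and reload with `nginx -t && nginx -s reload`, then confirm the renewal path works without touching the protected site using `certbot renew --dry-run`. Because the challenge location returns content directly instead of redirecting, the Let's Encrypt validator never reaches port 443, so `ssl_verify_client on` can stay enabled for the whole HTTPS server without any exception.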

That worked. Thank you so much! It was so simple I was over complicating it. Thanks again. Case closed.
