I tried this morning to build a new way to renew without downtime my certificates, with Apache 2.4.18, on Ubuntu 16.04, using 0.21.1 certbot client. I have two domains, and I followed this way : https://gist.github.com/daronco/45eeb9223c57d240e60d094f8bee457e to build a common folder. One domain works perfectly fine, but the other donesn’t work… The ACME server can’t get the validation data, the URL doesn’t seem to be the good one… :
Why can’t it reach mydomain.com/.well-known ? and not mydomain.com.well-known ? The other domain has the exact same configuration, and it works perfectly. On Firefox, at https://mydomain.com/well-known/acme-challenge, I see the folder and the file who appears and disappears during the test, so the folder is publicy reachable… Thanks for your ideas !!
Look closely: there is a slash missing between domain and path. Your redirect is probably missing this slash, so it creates a wrong url.
That’s the problem ! But using this method : https://gist.github.com/daronco/45eeb9223c57d240e60d094f8bee457e and by creating a folder “/var/www/html” outside the domain sites roots, I should have no redirection, right ?
Of course you have a redirection. Most likely it will be a http -> https redirect, since the authorization you use will be tried for http first, but it ends up trying a https url.
Have a look into your configuration:
grep -ri Redirect /etc/apache2
grep -ri RewriteRule /etc/apache2
BTW: please show the affected domain name.
/etc/apache2/sites-available/000-default.conf:Redirect permanent / https://notrecourrier.net/
/etc/apache2/sites-available/000-default.conf:Redirect permanent / https://floriandelaruelle.com
ok, I see what you mean, ACME server try to access first in HTTP, and during the redirection, something wrongs ?
There is a way to avoid redirection just for something like http://floriandelaruelle.com/.well-known/acme-challenge ?
The second one is wrong because it needs to be
https://floriandelaruelle.com/ rather than
https://floriandelaruelle.com. This isn't Let's Encrypt-specific.
Oh my god ! It explains so many bugs I coulnd’t resolve these past years… Thanks a lot ! the dry-run worked, but I can’t recreate fresh certificates because the rates limits…
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.