Validating webmail subdomain with http-01

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ralmond.net

I ran this command: ./getssl -f ralmond.net

It produced this output:

Verifying webmail.ralmond.net
copying challenge token to /home/ralmond/public_html/.well-known/acme-challenge/CqTx7saRKvCD8OP7u0zck__AaWdzOk1rUSDSaKqC2Dk
getssl: for some reason could not reach http://webmail.ralmond.net/.well-known/acme-challenge/CqTx7saRKvCD8OP7u0zck__AaWdzOk1rUSDSaKqC2Dk - please check it manually

My web server is (include version): Apache/2.4.57 (cPanel) OpenSSL/1.1.1w mod_bwlimited/1.4 PHP/5.5.38

The operating system my web server runs on is (include version):
centos-release-6-10.el6.centos.12.3.x86_64

My hosting provider, if applicable, is: accunet

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 86.0.40

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): getssl V2.48


More details. I can register subdomains which serve http context (e.g., ecd.ralmond.net), as I can symlink the .well-known directory in the subdomain to the .well-known in the main domain. However, for webmail.ralmond.net (and a few similar service subdomains) the web server automatically redirects http calls to the webmail application, so http://webmail.ralmond.net/.well-known/acme-challenge redirects to the app.

The DNS-01 validation method would require me to change my DNS.

Why can't you just change the VirtualHost for the webmail subdomain so that it does not redirect HTTP to HTTPS?

There are many ways to manage redirects for this. Here is one example

Update:
Oh, you should avoid using -f (force). This is needed only for rare specific cases. It does not force issuance or bypass any problems. And, when used incorrectly, like here, it can lead you to become Rate Limited.
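As an added illustration of the approach suggested above (not the responder's own example, which is not reproduced here), this is an Apache 2.4 VirtualHost for the webmail subdomain that still forces HTTPS but exempts the http-01 challenge path. The DocumentRoot path matches the getssl output in the question; the vhost layout itself is assumed, since on cPanel the generated vhost files are overwritten and such overrides normally go in a cPanel include file.

```apache
# Added example, not from the thread. Assumed: a plain port-80 vhost (or a
# cPanel include) that you control for webmail.ralmond.net.

<VirtualHost *:80>
    ServerName webmail.ralmond.net
    DocumentRoot /home/ralmond/public_html

    # Serve challenge tokens straight from disk: no redirect, no app handler.
    Alias /.well-known/acme-challenge /home/ralmond/public_html/.well-known/acme-challenge
    <Directory "/home/ralmond/public_html/.well-known/acme-challenge">
        Require all granted
        Options None
        AllowOverride None
    </Directory>

    RewriteEngine On
    # Problem pattern: an unconditional redirect also catches the ACME URL,
    # which is why getssl could not reach the token over HTTP:
    #   RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # Corrected: exclude the challenge path, then redirect everything else.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>
```

After reloading Apache, `curl -sI http://webmail.ralmond.net/.well-known/acme-challenge/probe` should answer 404 (or 200 for a real token) rather than a 30x, while any other path still redirects to HTTPS.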

