Verification via redirect

jbril · April 3, 2019, 10:11am

LS,

certbot renew failed with ‘timeout on verification’ error. This happened while Apache24 was configured:
[…]
<VirtualHost :80>
ServerName camelopardus.nl
ServerAlias www.camelopardus.nl*
Redirect permanent / https://www.camelopardus.nl/*
*
[…]
<VirtualHost :443>
ServerName camelopardus.nl
ServerAlias www.camelopardus.nl
SSLEngine On
DocumentRoot /usr/local/www/drupal7
<Directory /usr/local/www/drupal7>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted

Alias /.well-known/acme-challenge /usr/local/www/acme/.well-known/acme-challenge
<Directory /usr/local/www/acme/.well-known/acme-challenge>
Options None
AllowOverride None
Require all granted
Order allow,deny
Allow from all

When I took out the redirect:
<VirtualHost :80>
ServerName camelopardus.nl
ServerAlias www.camelopardus.nl
Alias /.well-known/acme-challenge /usr/local/www/acme/.well-known/acme-challenge*
<Directory /usr/local/www/acme/.well-known/acme-challenge>*
Options None*
AllowOverride None*
Require all granted*
Order allow,deny*
Allow from all*
*
#Redirect permanent / https://www.camelopardus.nl/*
*

It worked like a charm

It seems like redirect is not working, but:

“Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443.”

What am I missing?

JuergenAuer · April 3, 2019, 10:24am

Hi @jbril

your redirect is wrong. Only "/" is redirected.

Use something like

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

so all requests are redirected.

jbril · April 3, 2019, 2:25pm

LS,

If the redirect is wrong, why does it (seem to?) work:

GET
http://camelopardus.nl/.well-known/acme-challenge/test-file
[HTTP/1.1 301 Moved Permanently 0ms]
GET
https://www.camelopardus.nl/.well-known/acme-challenge/test-file
[HTTP/1.1 200 OK 0ms]

JuergenAuer · April 3, 2019, 2:31pm

Perhaps you have additional definitions.

But checking your domain there is another error

You have ipv4 and ipv6 ( https://check-your-website.server-daten.de/?q=camelopardus.nl ):

Host	T	IP-Address	is auth.	∑ Queries	∑ Timeout
camelopardus.nl	A	83.161.65.240	yes	1	0
	AAAA	2001:981:4cee:20::bebe	yes
www.camelopardus.nl	A	83.161.65.240	yes	1	0
	AAAA	2001:981:4cee:20::bebe	yes

But your ipv6 doesn’t work:

Domainname	Http-Status	redirect	Sec.	G
• http://camelopardus.nl/
83.161.65.240	301	https://www.camelopardus.nl/	0.043	E

• http://www.camelopardus.nl/
83.161.65.240	301	https://www.camelopardus.nl/	0.040	A

• http://camelopardus.nl/
2001:981:4cee:20::bebe	-14		10.026	T
Timeout - The operation has timed out

• http://www.camelopardus.nl/
2001:981:4cee:20::bebe	-14		10.027	T
Timeout - The operation has timed out

• https://camelopardus.nl/
83.161.65.240	200		0.707	I

• https://camelopardus.nl/
2001:981:4cee:20::bebe	-14		10.027	T
Timeout - The operation has timed out

• https://www.camelopardus.nl/
83.161.65.240	200		0.447	I

• https://www.camelopardus.nl/
2001:981:4cee:20::bebe	-14		10.027	T
Timeout - The operation has timed out

• http://camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
83.161.65.240	301	https://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	0.043	E
Visible Content: Moved Permanently The document has moved here .

• http://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
83.161.65.240	301	https://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	0.043	A
Visible Content: Moved Permanently The document has moved here .

• http://camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:981:4cee:20::bebe	-14		10.027	T
Timeout - The operation has timed out
Visible Content:

• http://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:981:4cee:20::bebe	-14		10.027	T
Timeout - The operation has timed out
Visible Content:

• https://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	-14		10.026	T
Timeout - The operation has timed out
Visible Content:

That’s critical, because Letsencrypt prefers ipv6.

But there is already a new Letsencrypt certificate.

CN=camelopardus.nl
	03.04.2019
	02.07.2019
expires in 90 days	
camelopardus.nl, hermes.camelopardus.nl, 
imap.camelopardus.nl, www.camelopardus.nl - 4 entries

Perhaps you have fixed the problem.

system · May 3, 2019, 2:31pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.