Verification via redirect

LS,

certbot renew failed with ‘timeout on verification’ error. This happened while Apache24 was configured:
```apache
[…]
<VirtualHost *:80>
    ServerName camelopardus.nl

    ServerAlias www.camelopardus.nl
    Redirect permanent / https://www.camelopardus.nl/
</VirtualHost>
[…]
<VirtualHost *:443>
    ServerName camelopardus.nl
    ServerAlias www.camelopardus.nl
    SSLEngine On
    DocumentRoot /usr/local/www/drupal7
    <Directory /usr/local/www/drupal7>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    Alias /.well-known/acme-challenge /usr/local/www/acme/.well-known/acme-challenge
    <Directory /usr/local/www/acme/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

When I took out the redirect:
```apache
<VirtualHost *:80>
    ServerName camelopardus.nl

    ServerAlias www.camelopardus.nl

    Alias /.well-known/acme-challenge /usr/local/www/acme/.well-known/acme-challenge
    <Directory /usr/local/www/acme/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
        Order allow,deny
        Allow from all
    </Directory>
    #Redirect permanent / https://www.camelopardus.nl/
</VirtualHost>
```

It worked like a charm.

It seems like redirect is not working, but:

“Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443.”

What am I missing?

Hi @jbril

your redirect is wrong. Only “/” is redirected.

Use something like

```apache
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
```

so all requests are redirected.


LS,

If the redirect is wrong, why does it (seem to?) work:

```
GET http://camelopardus.nl/.well-known/acme-challenge/test-file [HTTP/1.1 301 Moved Permanently 0ms]
GET https://www.camelopardus.nl/.well-known/acme-challenge/test-file [HTTP/1.1 200 OK 0ms]
```

Perhaps you have additional definitions.

But checking your domain, there is another error.

You have ipv4 and ipv6 ( https://check-your-website.server-daten.de/?q=camelopardus.nl ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| camelopardus.nl | A | 83.161.65.240 | yes | 1 | 0 |
| | AAAA | 2001:981:4cee:20::bebe | yes | | |
| www.camelopardus.nl | A | 83.161.65.240 | yes | 1 | 0 |
| | AAAA | 2001:981:4cee:20::bebe | yes | | |

But your ipv6 doesn’t work:

| Domainname | IP-Address | Http-Status | redirect | Sec. | G | Message |
|---|---|---|---|---|---|---|
| http://camelopardus.nl/ | 83.161.65.240 | 301 | https://www.camelopardus.nl/ | 0.043 | E | |
| http://www.camelopardus.nl/ | 83.161.65.240 | 301 | https://www.camelopardus.nl/ | 0.040 | A | |
| http://camelopardus.nl/ | 2001:981:4cee:20::bebe | -14 | | 10.026 | T | Timeout - The operation has timed out |
| http://www.camelopardus.nl/ | 2001:981:4cee:20::bebe | -14 | | 10.027 | T | Timeout - The operation has timed out |
| https://camelopardus.nl/ | 83.161.65.240 | 200 | | 0.707 | I | |
| https://camelopardus.nl/ | 2001:981:4cee:20::bebe | -14 | | 10.027 | T | Timeout - The operation has timed out |
| https://www.camelopardus.nl/ | 83.161.65.240 | 200 | | 0.447 | I | |
| https://www.camelopardus.nl/ | 2001:981:4cee:20::bebe | -14 | | 10.027 | T | Timeout - The operation has timed out |
| http://camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 83.161.65.240 | 301 | https://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.043 | E | Visible Content: Moved Permanently The document has moved here . |
| http://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 83.161.65.240 | 301 | https://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.043 | A | Visible Content: Moved Permanently The document has moved here . |
| http://camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2001:981:4cee:20::bebe | -14 | | 10.027 | T | Timeout - The operation has timed out |
| http://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2001:981:4cee:20::bebe | -14 | | 10.027 | T | Timeout - The operation has timed out |
| https://www.camelopardus.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | -14 | | 10.026 | T | Timeout - The operation has timed out |

That’s critical, because Letsencrypt prefers ipv6.

But there is already a new Letsencrypt certificate.

CN=camelopardus.nl; 03.04.2019; 02.07.2019; expires in 90 days; camelopardus.nl, hermes.camelopardus.nl, imap.camelopardus.nl, www.camelopardus.nl - 4 entries

Perhaps you have fixed the problem.
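
The failure found in the last reply, a published AAAA address that times out while the IPv4 address answers, can be checked one address at a time. The following is an added example, not part of the thread and not Certbot or Let's Encrypt code: it requests the challenge path on port 80 of every A/AAAA address and applies the redirect rule quoted in the first post. `example.org`, the documentation-range addresses and all function names are constructed for illustration, and the set of redirect status codes is an assumption.

```python
import http.client
import socket
from urllib.parse import urljoin, urlsplit

def resolve_all(host):
    """Every A/AAAA address published for host, as sorted (family, ip) pairs."""
    infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    return sorted({("IPv6" if i[0] == socket.AF_INET6 else "IPv4", i[4][0]) for i in infos})

def http_probe(ip, host, path, timeout=10):
    """GET path on port 80 of one specific address; return (status, Location)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def redirect_allowed(base, location):
    """Rule quoted in the thread: http/https only, and only ports 80 or 443."""
    parts = urlsplit(urljoin(base, location or ""))
    default = {"http": 80, "https": 443}.get(parts.scheme)
    port = default if parts.port is None else parts.port
    return bool(location and default) and port in (80, 443)

def check_challenge_path(host, token="test-file", resolve=resolve_all, probe=http_probe):
    """First-hop check of the challenge path on every address of host."""
    path, results = "/.well-known/acme-challenge/" + token, []
    for family, ip in resolve(host):
        try:
            status, location = probe(ip, host, path)
            # Redirect status codes accepted here are an assumption of this example.
            ok = status == 200 or (status in (301, 302, 303, 307, 308)
                                   and redirect_allowed(f"http://{host}{path}", location))
            detail = f"{status} {location or ''}".strip()
        except (OSError, ValueError, http.client.HTTPException) as exc:
            ok, detail = False, type(exc).__name__  # timeout, refused, bad reply or port
        results.append((family, ip, ok, detail))
    return results

def demo():
    """Constructed dual-stack host: the IPv4 address redirects, the IPv6 one times out."""
    def fake_probe(ip, host, path):  # hypothetical stand-in for http_probe
        if ":" in ip:
            raise TimeoutError("simulated timeout")
        return 301, f"https://www.{host}{path}"
    addrs = [("IPv4", "192.0.2.10"), ("IPv6", "2001:db8::10")]  # documentation ranges
    return check_challenge_path("example.org", resolve=lambda _h: addrs, probe=fake_probe)
```

`demo()` runs offline against the constructed host; for a live check, call `check_challenge_path()` with your own domain and the default resolver and probe. Any address reported with `ok` set to `False` either needs to answer on port 80 or needs its DNS record removed.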
