
Can't retrieve certificate when forcing SSL with .htaccess

Open · ghost opened this issue 10 years ago · 7 comments

Greetings again :)

First of all my apologies for my bad English.

On topic: when I try to install Let's Encrypt-based certificates on, for example, a plain HTML site, it works without .htaccess redirects to HTTPS, but if they exist, the challenge cannot be completed.

I'm not sure if that's normal or not. I'm wondering how auto-renewal will behave with what seems to be this issue.

I've found a workaround for the .htaccess, where the REMOTE_ADDR is the main IP of your server:

# Force SSL
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

ghost avatar Dec 27 '15 03:12 ghost

The HTTP-01 challenge, which is used for Domain Validation, requires the validation file to be served over HTTP.

Your current .htaccess file doesn't work with the validation unless you add the IP address of the ACME client. It also includes multiple redirects if you visit http://example.com/ (first a redirect http://example.com => https://example.com, and after that a redirect https://example.com => https://www.example.com).

I suggest you use the following .htaccess file:

RewriteEngine On
# prepend www. to url if host not starts with www.
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{REQUEST_URI} !\.well-known
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# enforce HTTPS if url does start with www.
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !\.well-known
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Maybe it's even better to also include the acme-challenge directory in the ignore path.

sjerdo avatar Dec 27 '15 10:12 sjerdo
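The redirect behaviour the two comments above describe, traced with a small rule simulator. This is an added example, not part of da-letsencrypt or of either poster's configuration. It models only the per-directory mod_rewrite logic of the two .htaccess files (every rule redirects and stops, all conditions of a rule must hold); Apache's merge order and anything outside .htaccess are not modelled. ServerName is assumed to equal the Host header and the validator's address 198.51.100.7 is a constructed value. The STRICT_RULES set is my own tightening of sjerdo's closing remark, exempting only the anchored /.well-known/acme-challenge/ directory instead of any path containing ".well-known".

```python
"""Trace where a request ends up under the .htaccess rule sets from this thread.

Added example, not da-letsencrypt code. Simplified per-directory mod_rewrite:
every rule carries [R=301,L], so the first rule whose RewriteConds all hold and
whose pattern matches the path issues the redirect. Apache's merge order,
<Location> blocks and other directives are not modelled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

SERVER_IP = "123.123.123.123"   # placeholder from the original post
VALIDATOR_IP = "198.51.100.7"   # constructed address for the remote validator


@dataclass
class Request:
    scheme: str        # "http" or "https"
    host: str
    uri: str           # request path, e.g. "/.well-known/acme-challenge/TOKEN"
    remote_addr: str


Cond = Tuple[str, re.Pattern, bool]   # (server variable, regex, negated?)


@dataclass
class Rule:
    conds: List[Cond]
    pattern: str       # RewriteRule pattern, matched against the path minus its leading "/"
    target: str        # substitution string, may reference %{VAR}


def cond(var: str, regex: str, negate: bool = False) -> Cond:
    """RewriteCond %{var} [!]regex. The original's '!=on' is modelled as !^on$."""
    return (var, re.compile(regex), negate)


def server_vars(req: Request) -> dict:
    return {
        "HTTPS": "on" if req.scheme == "https" else "off",
        "HTTP_HOST": req.host,
        "SERVER_NAME": req.host,   # assumption: ServerName equals the Host header
        "REQUEST_URI": req.uri,
        "REMOTE_ADDR": req.remote_addr,
    }


def apply_rules(rules: List[Rule], req: Request) -> Optional[str]:
    """Redirect target produced by the first firing rule, or None if none fires."""
    env = server_vars(req)
    path = req.uri.lstrip("/")   # per-directory context strips the directory prefix
    for rule in rules:
        conds_ok = all((rx.search(env[var]) is not None) != neg for var, rx, neg in rule.conds)
        if conds_ok and re.search(rule.pattern, path):
            return re.sub(r"%\{(\w+)\}", lambda m: env[m.group(1)], rule.target)
    return None


def trace(rules: List[Rule], req: Request, max_hops: int = 5) -> List[str]:
    """Follow redirects as a client would; returns the chain of Location targets.
    An empty list means the request is served in place (no redirect at all)."""
    hops: List[str] = []
    cur = req
    while len(hops) < max_hops:
        target = apply_rules(rules, cur)
        if target is None:
            return hops
        hops.append(target)
        u = urlsplit(target)
        cur = Request(u.scheme, u.netloc, u.path, cur.remote_addr)
    raise RuntimeError("redirect loop: " + " -> ".join(hops))


NOT_SERVER = cond("REMOTE_ADDR", "^" + re.escape(SERVER_IP) + "$", negate=True)

# The .htaccess from the opening post (with the '*' characters markdown had eaten).
ORIGINAL_RULES = [
    Rule([cond("HTTPS", r"^on$", negate=True), NOT_SERVER],
         r"^.*$", "https://%{SERVER_NAME}%{REQUEST_URI}"),
    Rule([cond("HTTP_HOST", r"^www\.", negate=True), NOT_SERVER],
         r".*", "https://www.%{HTTP_HOST}%{REQUEST_URI}"),
]

# The .htaccess sjerdo suggested: any path containing ".well-known" is left alone.
NOT_WELL_KNOWN = cond("REQUEST_URI", r"\.well-known", negate=True)
FIXED_RULES = [
    Rule([cond("HTTP_HOST", r"^www\.", negate=True), NOT_WELL_KNOWN],
         r"(.*)", "https://www.%{HTTP_HOST}%{REQUEST_URI}"),
    Rule([cond("HTTPS", r"off"), NOT_WELL_KNOWN],
         r"(.*)", "https://%{HTTP_HOST}%{REQUEST_URI}"),
]

# Tighter variant (my assumption, following sjerdo's closing remark): exempt only
# the anchored challenge directory, so unrelated paths are still redirected.
NOT_ACME = cond("REQUEST_URI", r"^/\.well-known/acme-challenge/", negate=True)
STRICT_RULES = [
    Rule([cond("HTTP_HOST", r"^www\.", negate=True), NOT_ACME],
         r"(.*)", "https://www.%{HTTP_HOST}%{REQUEST_URI}"),
    Rule([cond("HTTPS", r"off"), NOT_ACME],
         r"(.*)", "https://%{HTTP_HOST}%{REQUEST_URI}"),
]

if __name__ == "__main__":
    challenge = Request("http", "example.com", "/.well-known/acme-challenge/TOKEN", VALIDATOR_IP)
    root = Request("http", "example.com", "/", VALIDATOR_IP)
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES), ("strict", STRICT_RULES)):
        print(f"{name:8s} challenge: {trace(rules, challenge) or 'served in place over HTTP'}")
        print(f"{name:8s} root:      {trace(rules, root)}")
```

Running it shows the original rules send the challenge URL through two hops (first to HTTPS, then to the www host) unless the request comes from the server's own IP, while the suggested rules serve it in place over HTTP and collapse the root redirect to a single hop. The strict variant still redirects an unrelated path such as /blog/.well-known-notes, which the substring match in the suggested file would exempt.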

The challenge doesn't require it; it's a configurable option. So perhaps this could be a configurable option as well? Once installed, it's likely that the site is forced over HTTPS.

barryvdh avatar Dec 27 '15 16:12 barryvdh

I've used the Let's Encrypt client a few times now on sites that already forced HTTPS. For the client that does not seem to be a problem.

Tralapo avatar Dec 28 '15 20:12 Tralapo

I've experimented a little with the custom Apache templates you can create in /usr/local/directadmin/data/templates/custom/

I've added the following code to:

  • virtual_host2.conf
  • virtual_host2_secure.conf

<Location /.well-known>
    # allow access to the challenge path regardless of other restrictions
    Require all granted
    # send any HTTPS request for this path back to plain HTTP
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule ^.*$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</Location>

You can even simplify it per file. To explain my code:

First of all, I grant all access to /.well-known. Second and lastly, I make sure the request is done over plain old HTTP (non-SSL) in case someone else is forcing SSL by .htaccess, for example.

I didn't experiment with subdomains, but this seems to work for me. Now I don't have to examine every user's .htaccess file.

Again my apologies for the bad English :P

ghost avatar Jan 02 '16 11:01 ghost
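A live pre-flight check for the condition the template above is meant to guarantee, added here as an example that is not part of da-letsencrypt or of the poster's template: it requests the challenge URL over plain HTTP without following redirects and reports whether the first response serves the path in place or redirects it, and to which scheme. classify() works on the status code and Location header alone so it can be exercised offline; probe_challenge() makes a real request and needs network access plus a host and token you supply (both are assumptions here).

```python
"""Pre-flight check for HTTP-01: is the challenge URL served in place over
plain HTTP, or redirected, and to what scheme? Added example, not
da-letsencrypt code. classify() is pure; probe_challenge() needs network."""
import urllib.error
import urllib.request
from typing import Optional


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first response is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # returning None makes urllib raise HTTPError for the 3xx


def classify(status: int, location: Optional[str]) -> str:
    """Map a first response to: served | redirect-http | redirect-https | error."""
    if status == 200:
        return "served"
    if status in (301, 302, 307, 308) and location:
        loc = location.strip().lower()
        if loc.startswith("https://"):
            return "redirect-https"
        if loc.startswith("http://") or loc.startswith("/"):
            return "redirect-http"   # relative Location keeps the request's HTTP scheme
    return "error"


def probe_challenge(host: str, token: str, timeout: float = 10.0) -> str:
    """Fetch http://<host>/.well-known/acme-challenge/<token> and classify it.
    host and token are caller-supplied assumptions; the path is the HTTP-01 layout."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:        # 3xx/4xx/5xx arrive here with NoRedirect
        return classify(e.code, e.headers.get("Location"))
    except (urllib.error.URLError, OSError):
        return "error"


if __name__ == "__main__":
    import sys
    host_arg = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed host
    print(probe_challenge(host_arg, "probe-token"))                   # assumed token
```

The answer to look for before requesting or renewing a certificate is "served"; "redirect-https" is the situation this thread is about, and seeing it here is cheaper than finding out when a validation fails.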

I couldn't find where Let's Encrypt states an HTTP connection is needed? I have a few websites on a different server with Nginx which have HSTS enabled and rewrite all URLs to HTTPS, but it was no problem for the LE client using webroot?

Tralapo avatar Jan 03 '16 09:01 Tralapo

When traffic is forced over https:// it will fail if there is no valid SSL certificate. This is the reason that an HTTP connection is the default.

zenire avatar Jan 03 '16 11:01 zenire

I think this is something I'll need to look at. Most sites are indeed forced to HTTPS, so it should also work over HTTPS (for reissuing).

Wouter0100 avatar Jan 06 '16 12:01 Wouter0100