• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Let's encrypt probleem with SSL rewrite

V

vanlier

New Pleskian
We use additional apache directives (not .htaccess!!) to force clients to be redirected to SSL.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST} [R,QSA]
</IfModule>

This works without a problem. We installed the let's encrypt plugin and all was fine until we got a message the certificate was not renewed. I tried a manual renewal and got the following error (plesk team, the html is escaped, needs a fix):

Error: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: Failed authorization procedure. <domain> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://<domain>/.well-known/acme-challenge/<large code>: &quot;&lt;html&gt;

So it seems that let's encrypt requests a response from an unencrypted url (?, why not use HTTPS and just ignore certificate errors?) and that can't be reached because it will be rewritten to an https url according to our mod_rewrite rules.

So what's to do next: make a rule the excludes the request url from the mod_rewrite. Ive tried all options I could think but but somehow my rule for exluding isn't matched, could be the . at the beginning of the url? I've tried these rules among others:

== variants using a match and stopping rule processing ==

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/\.well\-known/.*$ - [L]
....

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^\.well\-known/.*$ - [L]
....

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/\.well-known/.*$ - [L]
....

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^\.well-known/.*$ - [L]
....

== variants using not-match for ssl redirecting to take place ==

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !/.well-known/
....


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !/\.well\-known/acme-challenge/
....

Nothing seems to work? Somehow I can't get a match for the requested url... Please help without telling me to use .htaccess or code it in php... I want to know why it isn't working in plesk additional directives.


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !/.well-known/acme-challenge/
....
 
Hi vanlier,

For APACHE you could use:

Code: 
# START    Alias definition for Let's Encrypt with full path   
Alias "/.well-known/acme-challenge" "/FULL/PATH/TO/YOUR/DOMAIN/OR/SUBDOMAIN/SPECIFIC/DOCROOT/.well-known/acme-challenge"
# END    Alias definition for Let's Encrypt with full path   

# START    Additional definition for Let's Encrypt with full path
    <Directory "/FULL/PATH/TO/YOUR/DOMAIN/OR/SUBDOMAIN/SPECIFIC/DOCROOT/.well-known/acme-challenge">
        Options None
        AllowOverride None
        ForceType text/plain

        <IfModule mod_headers.c>
            Header set Content-Type "application/jose+json"
        </IfModule>

        # START Let's combine some apache version changes with an IfModule
        <IfModule mod_version.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </IfModule>

        <IfModule !mod_version.c>
            Order allow,deny
            Allow from all
        </IfModule>
        # END Let's combine some apache version changes with an IfModule
       
        # START ModSecurity could block requests, switch it off if you experience issues
        <IfModule mod_security2.c>
            SecRuleEngine Off
        </IfModule>
        # END    ModSecurity could block requests, switch it off if you experience issues
       
        # START We don't want people to see our redirects
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
        # END    We don't want people to see our redirects
    </Directory>
# END    Additional definition for Let's Encrypt with full path

For NGINX you could use:

Code: 
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        allow all;
        root /FULL/PATH/TO/YOUR/DOMAIN/OR/SUBDOMAIN/SPECIFIC/DOCROOT;
        rewrite 404 ^/(?!/\.well-known/acme-challenge/[\w-]{43}$) redirect;
    }


Pls. CHECK your configuration by placing a test - file at for example: "/FULL/PATH/TO/YOUR/DOMAIN/OR/SUBDOMAIN/SPECIFIC/DOCROOT/.well-known/acme-challenge/le-test.txt" ( content of "le-test.txt" can be whatever you like ) and try to reach that file with your browser: https://YOUR-DOMAIN.COM/.well-known/acme-challenge/le-test.txt

Pls. inspect your domain - specific log - files, to investigate possible issues/errors/problems and paste the depending log - entries, so that people willing to help you can investigate the issues/error/problem with you together.


Consider to contact the "Plesk - Let's encrypt - developpers" directly at "https://github.com/plesk/letsencrypt-plesk/issues" ( they may not visit this Plesk - Community - Forum ) and consider as well to update your thread with your possible communication over there, so that people with the same or related issue/error/problem could learn from it. :)
 
Hi UFHH01,

thank you for your describing reply. The problem isn't really with the exact url not being reachable because of an error with plesk or Let's encrypt. When I remove my configuration for redirection to the SSL website the renewal process is working (I've tested this).

The real problem is that I've setup custom http directives using mod-rewrite and need to exclude the requested url (doesn't matter if it's for let's encrypt or another package) from the redirection and the match doesn't seem to be working so the url isn't excluded. So it's more of a mod-rewrite problem than anything else. I suspect it has something to do with the subdir beginning with a dot.

For example: when I go to http://<domain>/.well-known/bla.jpg it should give me a 404 not found because it should be exluded from redirection and doesn't exist. Instead I'm still being redirected to the https://<domain> because of mod-rewrite rules.
 
You must log in or register to reply here.

Similar threads

T
Resolved mod_rewrite rules in .htaccess are ignored
Replies
1
Views
823
TinaBura
T
M
Resolved Lets Encrypt not issuing certs for subdomains
Replies
2
Views
273
mendip_discovery
M
L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
348
Leta
L
D
Issue Lets Encrypt Not Successful over port 80
Replies
8
Views
2K
Daiv
D
J
Issue Let's encrypt for Plesk cannot be renewed status 500
Replies
1
Views
349
Sebahat.hadzhi
Sebahat.hadzhi
Back
Top