• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question Let's encrypt probleem with SSL rewrite

V

vanlier

New Pleskian
We use additional apache directives (not .htaccess!!) to force clients to be redirected to SSL.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST} [R,QSA]
</IfModule>

This works without a problem. We installed the let's encrypt plugin and all was fine until we got a message the certificate was not renewed. I tried a manual renewal and got the following error (plesk team, the html is escaped, needs a fix):

Error: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: Failed authorization procedure. <domain> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://<domain>/.well-known/acme-challenge/<large code>: &quot;&lt;html&gt;

So it seems that let's encrypt requests a response from an unencrypted url (?, why not use HTTPS and just ignore certificate errors?) and that can't be reached because it will be rewritten to an https url according to our mod_rewrite rules.

So what's to do next: make a rule the excludes the request url from the mod_rewrite. Ive tried all options I could think but but somehow my rule for exluding isn't matched, could be the . at the beginning of the url? I've tried these rules among others:

== variants using a match and stopping rule processing ==

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/\.well\-known/.*$ - [L]
....

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^\.well\-known/.*$ - [L]
....

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/\.well-known/.*$ - [L]
....

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^\.well-known/.*$ - [L]
....

== variants using not-match for ssl redirecting to take place ==

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !/.well-known/
....


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !/\.well\-known/acme-challenge/
....

Nothing seems to work? Somehow I can't get a match for the requested url... Please help without telling me to use .htaccess or code it in php... I want to know why it isn't working in plesk additional directives.


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !/.well-known/acme-challenge/
....
 
Hi vanlier,

For APACHE you could use:

Code: 
# START    Alias definition for Let's Encrypt with full path   
Alias "/.well-known/acme-challenge" "/FULL/PATH/TO/YOUR/DOMAIN/OR/SUBDOMAIN/SPECIFIC/DOCROOT/.well-known/acme-challenge"
# END    Alias definition for Let's Encrypt with full path   

# START    Additional definition for Let's Encrypt with full path
    <Directory "/FULL/PATH/TO/YOUR/DOMAIN/OR/SUBDOMAIN/SPECIFIC/DOCROOT/.well-known/acme-challenge">
        Options None
        AllowOverride None
        ForceType text/plain

        <IfModule mod_headers.c>
            Header set Content-Type "application/jose+json"
        </IfModule>

        # START Let's combine some apache version changes with an IfModule
        <IfModule mod_version.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </IfModule>

        <IfModule !mod_version.c>
            Order allow,deny
            Allow from all
        </IfModule>
        # END Let's combine some apache version changes with an IfModule
       
        # START ModSecurity could block requests, switch it off if you experience issues
        <IfModule mod_security2.c>
            SecRuleEngine Off
        </IfModule>
        # END    ModSecurity could block requests, switch it off if you experience issues
       
        # START We don't want people to see our redirects
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
        # END    We don't want people to see our redirects
    </Directory>
# END    Additional definition for Let's Encrypt with full path

For NGINX you could use:

Code: 
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        allow all;
        root /FULL/PATH/TO/YOUR/DOMAIN/OR/SUBDOMAIN/SPECIFIC/DOCROOT;
        rewrite 404 ^/(?!/\.well-known/acme-challenge/[\w-]{43}$) redirect;
    }


Pls. CHECK your configuration by placing a test - file at for example: "/FULL/PATH/TO/YOUR/DOMAIN/OR/SUBDOMAIN/SPECIFIC/DOCROOT/.well-known/acme-challenge/le-test.txt" ( content of "le-test.txt" can be whatever you like ) and try to reach that file with your browser: https://YOUR-DOMAIN.COM/.well-known/acme-challenge/le-test.txt

Pls. inspect your domain - specific log - files, to investigate possible issues/errors/problems and paste the depending log - entries, so that people willing to help you can investigate the issues/error/problem with you together.


Consider to contact the "Plesk - Let's encrypt - developpers" directly at "https://github.com/plesk/letsencrypt-plesk/issues" ( they may not visit this Plesk - Community - Forum ) and consider as well to update your thread with your possible communication over there, so that people with the same or related issue/error/problem could learn from it. :)
 
Hi UFHH01,

thank you for your describing reply. The problem isn't really with the exact url not being reachable because of an error with plesk or Let's encrypt. When I remove my configuration for redirection to the SSL website the renewal process is working (I've tested this).

The real problem is that I've setup custom http directives using mod-rewrite and need to exclude the requested url (doesn't matter if it's for let's encrypt or another package) from the redirection and the match doesn't seem to be working so the url isn't excluded. So it's more of a mod-rewrite problem than anything else. I suspect it has something to do with the subdir beginning with a dot.

For example: when I go to http://<domain>/.well-known/bla.jpg it should give me a 404 not found because it should be exluded from redirection and doesn't exist. Instead I'm still being redirected to the https://<domain> because of mod-rewrite rules.
 
You must log in or register to reply here.

Similar threads

T
Resolved mod_rewrite rules in .htaccess are ignored
Replies
1
Views
220
TinaBura
T
D
Issue Lets Encrypt Not Successful over port 80
Replies
8
Views
327
Daiv
D
Nextgen-Networks
Issue Lets Encrypt - error in certificate renew process
2
Replies
21
Views
2K
Peter Debik
P
J
Issue Error when renewing SSL certificate
Replies
1
Views
497
Peter Debik
P
Azurel
Resolved Mail for "Let`s Encrypt certificates for ***** have been issued/renewed" missing?
Replies
2
Views
251
Azurel
Azurel
Back
Top