Cert renewal process failing due to failed redirection #161

Closed
dlowhorn opened this Issue Oct 20, 2018 · 4 comments


dlowhorn commented Oct 20, 2018

Has anyone encountered a problem with renewals? My renewal is failing with an error in the log that the attempt to load the .well-known/acme-challenge test file is failing with a 404 error. My full setup follows the norm for SSL redirection. I have my primary application which is served only by HTTPS, then I have another application (named ssl_redirect) in my WF account that only serves HTTP and has the following .htaccess:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This all works great, except for the renewal process. If I manually attempt to access one of the files in the .well-known/acme-challenge subdirectory using HTTPS then the browser finds it just fine, but if I switch to the HTTP protocol, the protocol redirection by my ssl_redirect fails. It just keeps returning 404.

I'm trying to figure this out before my cert expires, so any help would be greatly appreciated.


eliot-akira commented Oct 20, 2018

I've been struggling to solve the same issue this afternoon. I have a similar setup, with a single "redirect" application that points from HTTP -> HTTPS sites.

For some reason, the HTTP request to the challenge file is not getting redirected to the HTTPS site, only returning 404 not found.

It seems to be bypassing the .htaccess file, and I'm starting to think that maybe WebFaction is handling the route .well-known/acme-challenge differently.

Hopefully we can figure out a solution!


dlowhorn commented Oct 20, 2018

I just cracked it, with some help from WF's support. I didn't understand what they said at first, but now I've got it. They sent me this:

Hello,

Our integrated setup can break these pre-existing scripts.

One fix I have found which typically works is to use a 'symbolic link to static only' type app and the URI routing in our control panel.

  1. Create a new symbolic link app, use the full path to

/home/you/webapps/appname/.well-known/acme-challenge/

  2. Bind this app to the domain in the website configuration to this uri,

/.well-known/acme-challenge

This should override our nginx config in place for Let's Encrypt.

John S.
WebFaction Support

So, you need to create a new symbolic link application that points directly to the .well-known/acme-challenge subdir of your site. Then add that application to your redirect application such that the symbolic app serves content only for the .well-known/acme-challenge subdir, like so:

[screenshot: selection_495]


eliot-akira commented Oct 20, 2018

Aha, I see, it was an issue caused by the "nginx config in place for Let's Encrypt". That explains why it was ignoring the .htaccess. Bit of a pain to do this step for all sites, but I suppose it's only necessary once per site.

Thank you very much for the info.

@will-in-wi will-in-wi closed this Oct 24, 2018


vegemite4me commented Nov 4, 2018

I had this problem, but did not understand what you meant by "a new symbolic link application". I ended up following the instructions here and the renewal now works. The rewrite section of my .htaccess now looks like this:

RewriteEngine On
# Leave ACME HTTP-01 challenge requests alone so the validator can fetch them over plain HTTP
RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
# Redirect every other plain-HTTP request (X-Forwarded-SSL not set by the front proxy) to HTTPS
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
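An added pre-renewal check, not code from this thread, WebFaction or the project: it requests a test file under .well-known/acme-challenge over plain HTTP without following redirects and reports whether it is served (200) or shows the 404 symptom above, while also confirming that ordinary paths still redirect to HTTPS. The names check_site and serve_stand_in are assumptions; the stand-in server is a constructed local imitation of the redirect app so the check can be exercised offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def fetch_status(url):
    """One GET over plain HTTP without following redirects; returns (status, Location)."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location", "")

def check_site(http_base_url, token):
    """Assumed checker: http_base_url is the plain-HTTP site, token a test file you placed under the challenge dir."""
    ch_status, _ = fetch_status(http_base_url + CHALLENGE_PREFIX + token)
    root_status, root_loc = fetch_status(http_base_url + "/")
    return {
        "challenge_served": ch_status == 200,  # what the ACME validator needs to see
        "challenge_status": ch_status,         # 404 is the symptom reported in this thread
        "root_redirects_to_https": 300 <= root_status < 400 and root_loc.startswith("https://"),
    }

class _StandIn(BaseHTTPRequestHandler):  # constructed local stand-in for the redirect app, not a real host
    broken = False  # True mimics the failure: the challenge path answers 404
    def do_GET(self):
        if not self.path.startswith(CHALLENGE_PREFIX):      # everything else: 301 to HTTPS
            self.send_response(301)
            self.send_header("Location", "https://example.test" + self.path)
            self.end_headers()
        elif self.broken:
            self.send_error(404)
        else:                                                # challenge file served as-is
            body = b"token-contents"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    def log_message(self, *args): pass  # keep the stand-in quiet

def serve_stand_in(broken=False):
    """Start a throwaway local server on a random port; returns its http:// base URL."""
    handler = type("Handler", (_StandIn,), {"broken": broken})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_port
```

Against a real site, call check_site("http://yourdomain.example", "<name of a test file you created>") before running the renewal; a 404 on the challenge path with a working root redirect is exactly the configuration this thread describes.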
