christopher735
Posted Monday at 09:01 AM

The automatic renewal of the certificate for my domain borbach.com does not work. So my site is not reachable via https anymore. The settings in Plesk seem to be ok, see screenshot.

wolstech
Posted Monday at 11:18 AM

Let's Encrypt cannot reach that domain to verify it. Settings are correct, DNS looks fine (resolves to our IP), no Cloudflare so not a CF issue, and Let's Encrypt doesn't publish a list of IP addresses, so I can't check the firewall. Maybe Krydos has an idea?

Quote

    Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/431895316397.
    Details:
    Type: urn:ietf:params:acme:error:connection
    Status: 400
    Detail: 65.19.154.90: Fetching https://borbach.com/.well-known/acme-challenge/p1UQ73Dr1MXgJYotZDlSWDaTFVkMBXvUjT7Y02MtimU: Timeout during connect (likely firewall problem)

Krydos
Posted Monday at 04:45 PM

The problem is .well-known has to be accessible via http.

    # curl "http://borbach.com/.well-known/acme-challenge/ysITPUa8hTIqNhE7FjrKF9WjF0QDi4AUgdjhK5ioL3U"
    <html>
    <head><title>301 Moved Permanently</title></head>
    <body>
    <center><h1>301 Moved Permanently</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>

As you can see, requests for http get redirected to https so SSL verification will always fail. I disabled redirection to https and now it returns the contents of the verification file instead of redirecting to https.

    # curl "http://borbach.com/.well-known/acme-challenge/ysITPUa8hTIqNhE7FjrKF9WjF0QDi4AUgdjhK5ioL3U"
    ysITPUa8hTIqNhE7FjrKF9WjF0QDi4AUgdjhK5ioL3U.JYseh45lQBxj41K6qwq7KQASWpf6M7NBo1lNHke015E

Here is the recommended way to redirect to https, while making an exception for .well-known to be accessed via http:

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteCond %{THE_REQUEST} !/.well-known/(.*)$ [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I added the above code to your .htaccess and I reissued Let's Encrypt via Plesk for you and now everything is working as expected.

https://www.sslshopper.com/ssl-checker.html#hostname=borbach.com
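
The curl check from the post above, as an added example that is not part of the original thread: a Python probe requests the challenge path over plain HTTP without following redirects and reports whether it was served or redirected. It runs against a constructed local server that applies the same .well-known test as the RewriteCond, once without and once with the exception; the handler, function names and token are assumptions for illustration.

```python
import http.client
import http.server
import re
import threading

# Same pattern as the RewriteCond in the post, matched against the raw request line.
WELL_KNOWN = re.compile(r"/.well-known/(.*)$", re.IGNORECASE)

def make_handler(exempt_well_known):
    """Constructed stand-in for the site: redirects http to https, optionally exempting .well-known."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if exempt_well_known and WELL_KNOWN.search(self.requestline):
                body = b"constructed-token.constructed-thumbprint"  # constructed sample content
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_response(301)
                self.send_header("Location", "https://%s%s" % (self.headers["Host"], self.path))
                self.send_header("Content-Length", "0")
                self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    return Handler

def check_challenge_path(host, port, token="probe-token"):
    """GET the challenge URL over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/.well-known/acme-challenge/" + token)
    resp = conn.getresponse()
    location = resp.getheader("Location")
    resp.read()
    conn.close()
    if resp.status in (301, 302, 307, 308):
        return ("redirected", location)
    return ("served", None) if resp.status == 200 else ("error", str(resp.status))

def run_demo(exempt_well_known):
    """Start the constructed server on a free local port and probe it once."""
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(exempt_well_known))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_challenge_path("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("blanket redirect:", run_demo(False))
    print("with .well-known exception:", run_demo(True))
```

Pointing check_challenge_path at a real host on port 80 before a renewal gives the same served/redirected answer that the two curl commands in the post show.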