christopher735 Posted November 18, 2024 Posted November 18, 2024 The automatic renewal of the certificate for my domain borbach.com does not work. So my site is not reachable via https anymore. The settings in plesk seem to be ok, see screenshot.
wolstech Posted November 18, 2024 Posted November 18, 2024 Let's encrypt cannot reach that domain to verify it. Settings are correct, DNS looks fine (resolves to our IP), no cloudflare so not a CF issue, and let's encrypt doesn't publish a list of IP addresses, so I can't check the firewall. Maybe Krydos has an idea? Quote Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/431895316397. Details: Type: urn:ietf:params:acme:error:connection Status: 400 Detail: 65.19.154.90: Fetching https://borbach.com/.well-known/acme-challenge/p1UQ73Dr1MXgJYotZDlSWDaTFVkMBXvUjT7Y02MtimU: Timeout during connect (likely firewall problem)
Krydos Posted November 18, 2024 Posted November 18, 2024 The problem is .well-known has to be accessible via http. # curl "http://borbach.com/.well-known/acme-challenge/ysITPUa8hTIqNhE7FjrKF9WjF0QDi4AUgdjhK5ioL3U" <html> <head><title>301 Moved Permanently</title></head> <body> <center><h1>301 Moved Permanently</h1></center> <hr><center>nginx</center> </body> </html> As you can see requests for http get redirected to https so SSL verification will always fail. I disabled redirection to https and now it returns the contents of the verification file instead of redirecting to https. # curl "http://borbach.com/.well-known/acme-challenge/ysITPUa8hTIqNhE7FjrKF9WjF0QDi4AUgdjhK5ioL3U" ysITPUa8hTIqNhE7FjrKF9WjF0QDi4AUgdjhK5ioL3U.JYseh45lQBxj41K6qwq7KQASWpf6M7NBo1lNHke015E Here is the recommended way to redirect to https, while making an exception for .well-known to be accessed via http RewriteEngine On RewriteCond %{HTTPS} !=on RewriteCond %{THE_REQUEST} !/.well-known/(.*)$ [NC] RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] I added the above code to your .htaccess and I reissued Let's Encrypt via Plesk for you and now everything is working as expected. https://www.sslshopper.com/ssl-checker.html#hostname=borbach.com 1
Recommended Posts