
I have a subdomain set up in Apache httpd, that is front-ending for a Tomcat server, with the httpd server secured by Let's Encrypt.

If I have the following rewrite active in the conf file, then certbot fails.

RewriteEngine on
# No condition on %{HTTPS}: any request whose Host does not start with "www."
# is redirected, for every path, including /.well-known/acme-challenge/
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

If I comment it out, then certbot works.

I'm not entirely sure, but I think it's 100% consistent. Of course, with challenge-caching, I can't get another meaningful test result for a full month after a successful renewal.

hbquikcomjamesl
    Your rewrite is redirecting a non www. to https://{thesame} - e.g. something.domain.com will rewrite to https://something.domain.com. Is that the goal? Or are you trying to redirect non HTTPS to HTTPS? Not sure if that's the certbot issue, but thought I'd ask the question as it seems an odd rewrite (but perhaps you have a need for this setup?) – rjbathgate Nov 03 '20 at 03:17
  • Right, please tell us what you're trying to do with the rewrite. There has to be another way to do it that doesn't break certbot. – Andrew Schulman Nov 03 '20 at 08:11
  • This particular subdomain is set up to forward *all* https requests to the Tomcat server (on the same box), handling the https itself. With the rewrite active, http requests get changed to https, and are then passed to the Tomcat server as well. With the rewrite commented out, the httpd server handles all http requests, and the default page is a simple static page that says "test page." – hbquikcomjamesl Nov 03 '20 at 17:03
  • And to clarify: the httpd server is secured by Let's Encrypt; the Tomcat server is not secured at all, but is only reachable via the httpd server. I've adjusted the wording of the question to reflect this. – hbquikcomjamesl Nov 03 '20 at 17:07
  • Try to run Let's Encrypt without the RewriteRule. Then you can add it afterwards. The only issue is manual renewal. – Lukas Mittun Alexander Guldstv Nov 09 '20 at 19:59
  • "add it afterwards" did *NOT* work. The only renewals that work with the existing rewrite rule in place are those made with a *cached* challenge. – hbquikcomjamesl Nov 11 '20 at 16:53

2 Answers


If I understand correctly, you want to redirect all non-HTTPS requests to HTTPS. So I guess your rewrites are in a <VirtualHost *:80> container, for a non-HTTPS site.

Now you want to add another condition, to not redirect Let's Encrypt challenges. I think you're probably using the HTTP-01 challenge, which means you want to not redirect requests to http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. So does the following work?

RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
# Leave HTTP-01 challenge requests on plain HTTP so httpd answers them itself
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
Andrew Schulman
  • It looks like this will probably work: (1) what is *supposed* to redirect to the https port, and pass through to the Tomcat server, seems to be working correctly, and (2) if I give it http://sub.domain.com/.well-known/acme-challenge/foo, it stays on http, and gives me the expected "Not Found" message. I won't know for sure until the cached challenge expires and I'm able to run another test renewal, but I'm giving you the check-mark and the bounty anyway, based on my manual tests. Thanks. – hbquikcomjamesl Nov 11 '20 at 17:29
  • Cool. Good luck. Remember, with Let's Encrypt you can always just throw away your existing cert, and start over with a new one. I guess that will reset the challenge timer. – Andrew Schulman Nov 11 '20 at 17:39
  • The cached challenge has expired, so I've done another certbot renew --force-renewal, and it all appears to work properly. I've given your answer an upvote (in addition to having given it the checkmark and the bounty, back on 11/11). Thanks again. – hbquikcomjamesl Dec 04 '20 at 18:59
  • Great news!..... – Andrew Schulman Dec 04 '20 at 20:01

Another approach; it will redirect http->https for everything but /.well-known:

RewriteEngine On

# Only fire on plain-HTTP requests, and skip the whole /.well-known/ tree
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/
# Absolute URL with a different scheme: httpd issues an external redirect
# (302, since no R=301 flag is given)
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
Arvy
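To see why the question's rule breaks HTTP-01 while both answers' rules do not, here is an added test harness (not Apache, and not code from anyone in this thread). It evaluates the subset of mod_rewrite syntax the three rule sets use against hypothetical requests, so each config can be checked offline for the one request that matters: the validator's GET of /.well-known/acme-challenge/<token> over plain HTTP. The hostnames and token path are constructed for the example.

```python
import re

# Added test harness (not Apache, and not code from this thread): it evaluates
# the subset of mod_rewrite syntax the three rule sets use, so the requests the
# ACME HTTP-01 validator makes can be checked offline against each config.
# Modelled: RewriteCond on %{HTTP_HOST}, %{REQUEST_URI}, %{HTTPS}; '!' negation;
# the NC, R=code and L flags; absolute-URL substitutions as external redirects.

# The question's rule set, verbatim.
ORIGINAL = r"""
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
"""

# The accepted answer's rule set, verbatim.
FIXED = r"""
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
"""

# The second answer's rule set, verbatim.
HTTPS_OFF = r"""
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
"""


def _flags(parts):
    """Turn a trailing '[R=301,L]' token into a list of flag strings."""
    return parts[0].strip("[]").split(",") if parts else []


def parse_rules(config):
    """Pair each RewriteRule with the RewriteCond lines that precede it."""
    rules, conds = [], []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteCond":
            conds.append((parts[1], parts[2], _flags(parts[3:])))
        elif parts[0] == "RewriteRule":
            rules.append((conds, parts[1], parts[2], _flags(parts[3:])))
            conds = []
    return rules


def _expand(template, env):
    """Substitute %{VAR} references with the request's server variables."""
    return re.sub(r"%\{(\w+)\}", lambda m: env[m.group(1)], template)


def _cond_holds(test, pattern, flags, env):
    negate = pattern.startswith("!")
    pattern = pattern[1:] if negate else pattern
    re_flags = re.IGNORECASE if "NC" in flags else 0
    matched = re.search(pattern, _expand(test, env), re_flags) is not None
    return matched != negate


def rewrite(config, host, uri, https=False):
    """Return (status, location) for the first rule that redirects this request,
    or None when the request is served locally (no redirect)."""
    path, _, query = uri.partition("?")   # %{REQUEST_URI} never carries the query
    env = {"HTTP_HOST": host, "REQUEST_URI": path, "HTTPS": "on" if https else "off"}
    scheme = "https" if https else "http"
    for conds, pattern, subst, flags in parse_rules(config):
        # VirtualHost context: the rule pattern is matched against the full path.
        if re.search(pattern, path) is None:
            continue
        if not all(_cond_holds(t, p, f, env) for t, p, f in conds):
            continue
        target = _expand(subst, env)
        if query and "?" not in target:
            target += "?" + query         # the original query string is carried over
        if target.startswith(f"{scheme}://{host}/"):
            return None                   # same scheme and host: treated as a local path
        status = 302                      # absolute URL with no R flag: httpd sends 302
        for f in flags:
            if f.startswith("R="):
                status = int(f[2:])
        return status, target
    return None


if __name__ == "__main__":
    challenge = "/.well-known/acme-challenge/tok"   # constructed token path
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("https-off", HTTPS_OFF)):
        print(name, "challenge ->", rewrite(cfg, "sub.example.com", challenge))
        print(name, "app page  ->", rewrite(cfg, "sub.example.com", "/app?x=1"))
```

The harness reproduces the failure described in the question: under the original rules the challenge request is bounced to https://, and in that vhost everything is handed to Tomcat, which knows nothing about the token. Under either answer the challenge stays on port 80 and httpd serves it. On a live server the equivalent check is `curl -I http://sub.example.com/.well-known/acme-challenge/test`: a 404 from httpd with no Location header is the expected result, a 301 or 302 means the exclusion is not in effect.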