Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
M
M
Michael2019-12-21 20:22:59
Nginx
Michael, 2019-12-21 20:22:59

How to avoid an address call loop when renewing an SSL certificate?

The situation is as follows:
a site has MYSITE.RU
been configured by certbot to automatically obtain and renew an SSL certificate once a month. Everything worked like clockwork until I set up a forced redirect to HTTPS
. The problem is that the server issuing the SSL certificate (Let's Encrypt) tries every time to contact the address

http://MYSITE.RU/.well-known/acme-challenge/какойтодлинныйключ/код

But we turned on the redirect to HTTPS - and it turns out that the bot first goes to:
  1. http://MYSITE.RU/.well-known/acme-challenge/какойтодлинныйключ/код
    receives the code 301and the server sends it to
  2. https://MYSITE.RU/.well-known/acme-challenge/какойтодлинныйключ/код
    and the bot already receives the code404

And so on in a circle to infinity .....
How to get out of this loop? Some kind of nonsense ...
How do you get out of this situation?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
K
ky0, 2019-12-21
@ky0

So it is not necessary to extend the redirect to .well-known- this is standard practice.

server {
        listen 80;

        location /.well-known/acme-challenge {
                root /var/www/letsencrypt;
        }

        location / {
        return 301 https://$server_name$request_uri;
        }
}

Etc.

Report
S
Sergey Sokolov, 2019-12-21
@sergiks

CertBot can also validate domains via DNS .
Give it an API key to manage the domain (if your domain is delegated to one of the well-known hosters / registrars, including Google, DigitalOcean, CloudFlare, Linode) and the bot itself creates a temporary TXTrecord, checks it and generates a certificate.
Only when confirmed via DNS can wildcard certificates be created . Those. for any subdomains: *.mysite.ru
The site is not involved in this case and may even lie down.

Report
V
Vadim Priluzkiy, 2019-12-21
@Oxyd

I suspect that letsencrypt wants to place what letsencrypt wants on the second URL. Now you have nothing there and LE gets a whack. Smoke your NGINX config.

Report
M
Michael, 2019-12-21
@happy-cat

There is a complete utility,
sudo certbot run --nginx
removed the gimor by 99%, it seems everything works, only one site crashed, I just can’t figure out what the cant is ...
PS By the way, try sudo certbot run --nginx, an interesting thing

Similar questions
K
kr_ilya2019-06-02 09:48:53
How to make a subdomain on vps? 1Reply
T
TTV2019-06-05 08:05:05
Setting up virtualhosts in uWSGI? 1Reply
S
StynuBlizz2017-01-12 03:12:33
How can I prevent outsiders from downloading or viewing video from the server? 5Reply
I
Ilya2015-01-15 01:40:38
How to separate nginx, apache, mysql, etc. to different servers? 4Reply
A
Alexander Bagirov2015-01-15 19:53:44
How to run Apache parallel to Nginx? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question