How To Verify That LetsEncrypt Autorenewal Will, For Certain, Actually Work

It’s a bad experience when a commercial domain’s emails get discarded due to a failure to renew the LetsEncrypt certificate. Therefore, being able to ensure that, when the time comes for autorenewal, it will actually, for certain and for sure, actually work is a really big deal.

Simply looking at configuration settings and, from that, inferring that it will work is, shall we say, inadequate.

So, how does one test this critical function?

I had the following in my .htaccess file and the domain didn't renew.

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domain.com/$1 [R,L]
[Probably it would be better to use RewriteRule ^(.*)$ https://www.domain.com/$1 [R,L] ?]

Apparently letsencrypt was not able to download their file from http://www.domain.com, and when I disabled .htaccess I was able to renew manually.
I have added the following, BUT I am not sure if this will work, as I am waiting for a domain to renew today (it now tries renewals after a week):
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/[0-9a-zA-Z_-]+$

Despite so many threads, it is still not clear how to enable letsencrypt renewal so that it can access the HTTP file on an SSL-enabled domain.
I still can't find any way to make .well-known/acme-challenge an exception. Is nobody there to share their experience?

Hi,

The easiest way to do so is to create a “Website Redirect” from within Virtualmin. This will place the redirect code into the server's VirtualHost configuration rather than you having to use a “.htaccess” file.

Navigate over to Server Configuration > Website Redirects

Once there click Add a new website redirect.

Source URL path: ^/((?!.well-known).*)$

Destination: URL at other website / https://yourdomain.com/$1

Include sub-paths in redirect: Yes

Dear TPNsolutions, thank you for your guidance. I have used .htaccess directives for each domain and it usually works. I used RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/[0-9a-zA-Z_-]+$ and it does work, but when I try to access a file of letsencrypt that's stored as 777 root, it is not accessible via browser.
It gives a 403 “Forbidden, you don't have permission to access” error. I am trying to understand what I need to change so that http://domain.com/.well-known/ files are downloadable. I also added the following to httpd conf:
<Directory "/home/domain/public_html/.well-known/acme-challenge">
allow from all
</Directory>

Hi,

The “.well-known” will intentionally produce a 403 error as it doesn't contain an “index” file within it. The folder is used by the “Acme Protocol” to verify a domain's existence and should NOT be altered in any way. You should just leave the folder and its content “as-is”.

Yes, right, but how does one fix the issue of the file not downloading? See here the error on Virtualmin when it attempts to renew.
Even after altering httpd or adding code to .htaccess it still gives a 403 error and does not renew:
Registering account…
Already registered!
Verifying domain.com
Wrote file to /home/domuser/public_html/.well-known/acme-challenge/WYRbjUwp-x4GIWK75_w31vfEtRuEdfZxICFkd32mXeM, but couldn't download http://domain.com/.well-known/acme-challenge/WYRbjUwp-x4GIWK75_w31vfEtRuEdfZxICFkd32mXeM
Traceback (most recent call last):
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 235, in
main(sys.argv[1:])
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 231, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 184, in get_crt
domain, challenge_status))

I’m seeing a sequence of responses addressing how one gets automatic renewal to work – not how to test whether it will work when the critical time comes.
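One way to test this ahead of time, as an added example that is not from the thread, Virtualmin or acme_tiny: write a throwaway token under the document root and fetch it over plain HTTP exactly as the HTTP-01 validator would, without following redirects, so that a 301 to https://, a 403 from the web server, or a rewrite rule that swallows the path is reported before the real renewal runs. The document root and base URL are assumed command-line arguments; the `probe_challenge_path` helper is hypothetical.

```python
import os
import secrets
import sys
import urllib.error
import urllib.request

# Hypothetical helper, not part of Virtualmin or acme_tiny. The CA fetches
# http://<domain>/.well-known/acme-challenge/<token> and expects the exact
# token bytes back, so that is what we reproduce here.
CHALLENGE_DIR = ".well-known/acme-challenge"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 301/302 to https:// is reported, not hidden."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


def probe_challenge_path(docroot, base_url, timeout=10):
    """Write a random token under docroot and fetch it the way the CA would.

    Returns (http_status, body_matches, token). The status is the raw code
    even for redirects and errors; body_matches is True only when the served
    bytes equal the token exactly (an HTML error page is a mismatch).
    """
    token = secrets.token_urlsafe(32)  # same [0-9a-zA-Z_-] alphabet the rewrite rule allows
    challenge_dir = os.path.join(docroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(NoRedirect)  # replaces the default redirect handler
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 3xx (thanks to NoRedirect), 4xx and 5xx land here
        status, body = err.code, b""
    finally:
        os.remove(path)  # leave the challenge directory exactly as it was
    return status, body == token.encode(), token


if __name__ == "__main__":
    # usage: probe.py /home/domuser/public_html http://domain.com
    status, ok, token = probe_challenge_path(sys.argv[1], sys.argv[2])
    print(f"status={status} body_matches={ok} token={token}")
    sys.exit(0 if status == 200 and ok else 1)
```

Run it against every virtual host that carries a certificate; anything other than `status=200 body_matches=True` is exactly the condition that makes the renewal in the traceback above fail.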