Force SSL Options Prevents Let's Encrypt Renewals #4275
Conversation
Modify Force SSL to bypass all Let's Encrypt requests
|
This acme challenge thing has always been a thorn in my side.
Point 1 is fine and works as expected, point 2 also AFAIK (I don't do this myself). But your issue is with point 3. It's hard to respect point 2 at the same time. The backend code fires off the certbot renewal process, so it could put a temporary hijack in place during that execution. |
|
This change should only affect Let's Encrypt flows by preventing them from being redirected to HTTPS. I don't think that this will impact anyone given that LE challenges on HTTP port 80 is standard. This should not impact the host routing of the requests; only the port & protocol. That said, I do also have another fix for host routing of LE challenges to upstream hosts. Let me know if you are interested and I can open another pull request to discuss that in. |
The force-ssl.conf file does the following:
This works but only for "test-challenge". All other Let's Encrypt renewals/challenges will fall through and be upgraded to HTTPS which causes them to fail (not sure why, see thoughts below). By modifying step two to catch all Let's Encrypt challenges and not upgrade those connections, renewals succeed.
It looks like Let's Encrypt should work without the modification since letsencrypt-acme-challenge.conf is included in the server with both the listen 80 and listen 443 directives. Either way, this has never worked for me. I've already implemented this change in my environment by mounting the modified force-ssl.conf file directly and it fixed the issue immedeatly.