Home / server / Questions / 1041047
Accepted
hbquikcomjamesl
Asked: 2020-11-03 16:50:57 +0800 CST

I have a rewrite in an apache httpd conf file, that breaks certbot. Is there a way to change it so that it doesn't?

  • 772

I have a subdomain set up in Apache httpd, that is front-ending for a Tomcat server, with the httpd server secured by Let's Encrypt.

If I have the following rewrite active in the conf file, then certbot fails.

RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

If I comment it out, then certbot works.

I'm not entirely sure, but I think it's 100% consistent. Of course, with challenge-caching, I can't get another meaningful test result for a full month after a successful renewal.

httpd.conf httpd certbot lets-encrypt

2 Answers

  1. Best Answer

    If I understand correctly, you want to redirect all non-HTTPS requests to HTTPS. So I guess your rewrites are in a <VirtualHost *:80> container, for a non-HTTPS site.

    Now you want to add another condition, to not redirect Lets Encrypt challenges. I think you're probably using the HTTP-01 challenge, which means you want to not redirect requests to http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. So does the following work?

    RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
    • 3

  2. Another approach, it will redirect http->https everything but /.well-known:

    RewriteEngine On

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
    • 1