Solve Letsencrypt (including Certbot) problems caused by rogue .htaccess files

At RimuHosting we're enthusiastic about how Let's Encrypt gives website owners a great way to secure their websites. And certbot is the tool we usually recommend to get a Let's Encrypt certificate. We find it's easy to use and works well on recent distributions.

However, sometimes issuing or renewing a certificate fails. A common reason is that certbot cannot complete the authentication requirements with the Let's Encrypt servers.

If you run into this type of problem when getting a certificate we are happy to fix it for you. Lodge an SSL Cert ticket at https://rimuhosting.com/ticket/startticket.jsp, and we'll get your certificate sorted and website secured quickly. If you'd rather tackle it yourself, read on to find out how to fix one possible cause of this problem.

To issue a certificate, the Let's Encrypt servers must make a successful "callback" to your server to verify your domain.

This causes a problem when an .htaccess file, perhaps installed by a framework or created by a developer, blocks or interferes with the callback because of its rewrite rules (typically a catch-all rule that sends every request to a front controller such as index.php). This will prevent your certificate being issued or renewed. If you are issuing or testing from the command line, you may get a message similar to the following:


Waiting for verification...
Cleaning up challenges
Failed authorization procedure. testing.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from ....

(Note there are many possible reasons for this error, perhaps the most common being DNS problems or not having a website set up yet at all. Or the software you are using is outdated.) But in the case where Apache rewrite rules in .htaccess files are causing the problem, you can fix it with the following configuration in your VirtualHost definition:

<IfModule mod_rewrite.c>
  RewriteEngine On
  # Push these rules down into every child scope (Directory and .htaccess) and
  # run them before the child's own rules, so a framework's catch-all rule
  # never sees the challenge request. Available in Apache 2.4.8 and later.
  RewriteOptions InheritDownBefore
  # The leading slash is optional because an inherited rule is matched in
  # per-directory context, where the directory prefix has already been stripped.
  RewriteRule "^/?\.well-known/acme-challenge/" - [END]
</IfModule>

Or for a server-wide solution where you might be having this problem on more than one virtualhost, create the file /etc/apache2/conf-available/no-acme-challenge-rewrite.conf (for recent Debian and Ubuntu versions):

<IfModule mod_rewrite.c>
  # Inherited by every VirtualHost, Directory and .htaccess on the server
  # (requires Apache 2.4.8 or later); RewriteEngine On is left to each scope.
  RewriteOptions InheritDownBefore
  # Optional leading slash: inherited rules are matched per-directory, without the prefix.
  RewriteRule "^/?\.well-known/acme-challenge/" - [END]
</IfModule>

Enable this configuration with "sudo a2enconf no-acme-challenge-rewrite", then reload Apache with "sudo systemctl reload apache2".

Now rogue .htaccess files will not prevent Let's Encrypt certificates being issued. This assumes challenge files will be placed in the DocumentRoot of the relevant virtualhost, which is the most common setup, including in Virtualmin installs.
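Before reaching for the configuration above it helps to know which .htaccess files under a DocumentRoot actually carry rewrite rules with no exemption for the challenge path, and afterwards to confirm that a challenge file really is served back unmodified. The POSIX shell script below is an added example written for this post; it is not part of the original article, of certbot, or of Apache. It makes two assumptions that are labelled in the code: the audit is a heuristic that flags any .htaccess whose first RewriteRule is not an exemption for .well-known/acme-challenge/ (rules placed earlier may already have claimed the request), and the live probe needs curl, write access to the DocumentRoot, and is meant to be run on the web server itself. The paths and hostname in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit .htaccess files for rewrite
# rules that would intercept /.well-known/acme-challenge/ requests, and
# optionally probe a live vhost the way the Let's Encrypt validator would.

# Return 0 (true) when FILE has RewriteRule directives but its first RewriteRule
# is not an exemption for the ACME challenge path; return 1 when the file has no
# rewrite rules at all or the exemption comes first. Heuristic: an exemption
# that is not first may be shadowed by an earlier catch-all rule.
htaccess_lacks_acme_exemption() {
    rules=$(grep -n -i '^[[:space:]]*RewriteRule' "$1" || true)
    [ -n "$rules" ] || return 1
    first=$(printf '%s\n' "$rules" | head -n 1 | cut -d: -f1)
    exempt=$(printf '%s\n' "$rules" | grep -i 'well-known/acme-challenge' | head -n 1 | cut -d: -f1)
    [ -n "$exempt" ] && [ "$exempt" -eq "$first" ] && return 1
    return 0
}

# Print the path of every .htaccess below DOCROOT that the check above flags,
# one per line. Empty output means nothing under DOCROOT intercepts challenges.
audit_docroot() {
    find "$1" -name .htaccess -type f 2>/dev/null | while read -r f; do
        if htaccess_lacks_acme_exemption "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Live check (assumes curl is installed and DOCROOT is writable): drop a
# throwaway token where certbot's webroot plugin would put a challenge, fetch it
# over plain HTTP following redirects as the validator does, and succeed only if
# the body comes back byte-for-byte. A rewrite to index.php returns HTML instead.
acme_path_probe() {
    docroot=$1; host=$2
    token="probe-$(date +%s)-$$"
    mkdir -p "$docroot/.well-known/acme-challenge" || return 2
    printf '%s' "$token" > "$docroot/.well-known/acme-challenge/$token"
    got=$(curl -sL --max-time 15 "http://$host/.well-known/acme-challenge/$token" || true)
    rm -f "$docroot/.well-known/acme-challenge/$token"
    [ "$got" = "$token" ]
}

# Usage on the server (placeholder paths/hostname):
#   sh acme_check.sh /var/www/html                  # audit .htaccess files only
#   sh acme_check.sh /var/www/html www.example.com  # audit, then probe the vhost
if [ $# -ge 1 ]; then
    bad=$(audit_docroot "$1")
    if [ -n "$bad" ]; then
        echo "Rewrite rules without an acme-challenge exemption in:"
        echo "$bad"
    else
        echo "No intercepting .htaccess files found under $1"
    fi
    if [ $# -ge 2 ]; then
        if acme_path_probe "$1" "$2"; then
            echo "Challenge path served correctly on $2"
        else
            echo "Challenge path NOT served correctly on $2"
            exit 1
        fi
    fi
fi
```

The audit is deliberately static, so it can be run before touching Apache; a file it flags is exactly the kind of .htaccess the InheritDownBefore rule above neutralises. Run the probe after reloading Apache: if it passes, certbot's webroot or apache plugin will get the same answer the validator does.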
 
