Chris

> On 21.08.2020 at 18:30, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Signed PGP part
>
> James,
>
> On 8/18/20 19:47, James H. H. Lampert wrote:
> > Something just worked, that I wasn't expecting to work. Or rather,
> > I was expecting it to work, but kill cert renewal.
> >
> > The port 80 virtual host had
> >> RewriteEngine on
> >> RewriteCond %{HTTP_HOST} !^www\. [NC]
> >> RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> >
> > which I commented out, because https for that virtual host is a
> > pure front-end for Tomcat, and of course, Certbot needs to stick
> > something on the server that Let's Encrypt is expecting to be able
> > to find.
> >
> > So a few minutes ago, just for test purposes, I uncommented the
> > above lines. Initially, it didn't work (it redirected the browser
> > from http://foo.bar.com to a nonexistent https://www.foo.bar.com),
> > but when I removed the "www" in the RewriteRule, changing the block
> > to
> >> RewriteEngine on
> >> RewriteCond %{HTTP_HOST} !^www\. [NC]
> >> RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> >
> > it worked just fine.
> >
> > So then, I did a "certbot renew --force-renewal" (expecting it to
> > fail on the relevant cert), but in fact, it renewed just fine.
> >
> > Not to look a gift equine in the masticatory orifice, but what am
> > I missing here? What went right, when I was expecting it to go
> > wrong? Why didn't the "rewrite" lines break renewal?
>
> Why would you think that redirecting from http -> https would block
> renewal?
>
From my experience I have excluded .well-known from the redirect. LE will request initially on port 80. And if the cert has expired it may be happier when renewing on port 80.

Peter

> -chris
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
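Peter's approach (exclude the ACME challenge path from the http -> https redirect) written out for the Apache httpd port-80 virtual host James describes. This is an added example, not configuration posted by anyone in the thread; the hostname, the webroot path and the certbot `--webroot` invocation in the comments are placeholders. One caveat that answers James's question: Let's Encrypt's HTTP-01 validator follows HTTP redirects, including to https, so a blanket redirect usually does not break renewal. Carving out the challenge path is still worthwhile because it lets validation succeed over plain HTTP even when the https side (here, the Tomcat front-end on 443) is down or misconfigured at renewal time.

```apache
# Added example (not from the mailing-list thread).
# Port-80 vhost: serve ACME HTTP-01 challenges directly, redirect everything
# else to https on the same host (James's corrected rule, without "www.").
# foo.bar.com and /var/www/acme are placeholders; certbot would be run as
#   certbot certonly --webroot -w /var/www/acme -d foo.bar.com
<VirtualHost *:80>
    ServerName foo.bar.com
    DocumentRoot /var/www/acme

    # Only the challenge directory needs to be readable on this vhost.
    <Directory /var/www/acme/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine on

    # Let /.well-known/acme-challenge/* through untouched so the ACME
    # validator can fetch the token over plain HTTP on port 80.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/ [NC]

    # Everything else: permanent redirect to https, same host and path.
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

To check the carve-out before relying on it, request a path under the challenge directory with `curl -sI http://foo.bar.com/.well-known/acme-challenge/test` and confirm the status is 200 or 404 rather than 301, then request `/` and confirm that one is the 301 to https. If the vhost carries other rewrite rules, the RewriteCond must sit immediately before the redirect rule, since a RewriteCond only applies to the RewriteRule that directly follows it.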