Chris

> On 21.08.2020 at 18:30, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> 
> James,
> 
> On 8/18/20 19:47, James H. H. Lampert wrote:
> > Something just worked, that I wasn't expecting to work. Or rather,
> > I was expecting it to work, but kill cert renewal.
> >
> > The port 80 virtual host had
> >> RewriteEngine on
> >> RewriteCond %{HTTP_HOST} !^www\. [NC]
> >> RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> >
> > which I commented out, because https for that virtual host is a
> > pure front-end for Tomcat, and of course, Certbot needs to stick
> > something on the server that Let's Encrypt is expecting to be able
> > to find.
> >
> > So a few minutes ago, just for test purposes, I uncommented the
> > above lines. Initially, it didn't work (it redirected the browser
> > from http://foo.bar.com to a nonexistent https://www.foo.bar.com),
> > but when I removed the "www" in the RewriteRule, changing the block
> > to
> >> RewriteEngine on
> >> RewriteCond %{HTTP_HOST} !^www\. [NC]
> >> RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> >
> > it worked just fine.
> >
> > So then, I did a "certbot renew --force-renewal" (expecting it to
> > fail on the relevant cert), but in fact, it renewed just fine.
> >
> > Not to look a gift equine in the masticatory orifice, but what am
> > I missing here? What went right, when I was expecting it to go
> > wrong? Why didn't the "rewrite" lines break renewal?
> 
> Why would you think that redirecting from http -> https would block
> renewal?
> 

From my experience I have excluded .well-known from the redirect.

LE will request initially on port 80.

And if the cert has expired it may be happier when renewing on port 80.

Peter

> -chris
> 
> 
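Peter's exclusion written out as a complete port-80 virtual host, with the thread's unconditional redirect kept alongside for comparison. This is an added example, not configuration from the thread; the hostname, the DocumentRoot and the certbot webroot path are assumptions.

```apache
# Added example, not from the thread: a port-80 vhost that answers the
# Let's Encrypt HTTP-01 challenge locally and redirects everything else.
# Assumptions: hostname foo.bar.com and webroot /var/www/letsencrypt,
# i.e. certbot is run with "--webroot -w /var/www/letsencrypt".
<VirtualHost *:80>
    ServerName foo.bar.com
    DocumentRoot /var/www/letsencrypt

    # Serve the challenge directory as plain files only.
    <Directory /var/www/letsencrypt/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine on

    # The thread's redirect rule (without its host condition), for
    # comparison: it redirects every request, so the challenge is only
    # answered because the validator follows the 301 to the HTTPS side.
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Exclusion: requests for /.well-known/acme-challenge/<token> are
    # served from the webroot above; everything else goes to HTTPS.
    # Redirecting to the configured ServerName instead of %{HTTP_HOST}
    # avoids reflecting the client-supplied Host header into the Location.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/ [NC]
    RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Verify with `apachectl configtest`, then `curl -I http://foo.bar.com/.well-known/acme-challenge/probe` should return 404 (or 200 for an existing token file) rather than a 301, while any other path still returns the redirect.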


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
