h5bp/server-configs-apache

SSL auto renewal blocked by www redirect

mnakalay opened this issue · 2 comments

Hello,
I am using the apache config files (not .htaccess) for my website and I had an issue with my SSL certificate failing to automatically renew. This is what my server guy had to say about it:

I've picked up your ticket this evening to try and assist you with your SSL problems. I reviewed the server, and see in the AutoSSL logs that the renewal is failing because the domain cannot be validated. AutoSSL creates validation files on disk under each domain, and then the SSL provider tries to retrieve those files from the domain to verify ownership. This validation does not allow redirections to occur, the validation file must be served under the domain it was requested from.

I traced the source of the redirections to some code included in your Apache configuration. The file /etc/apache2/h5bp/rewrites/rewrite_www.conf is being loaded, and it includes this RewriteRule on line 43:

RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

That line seems to be rewriting any request that doesn't include www in the domain to start with www, even requests to subdomains. This rewrite is causing the SSL renewals to fail as well.

As this seems like part of a website framework intentionally installed on the server, I have not made any changes to it. I suggest you have your developers check that code and see if they can allow non-rewritten requests to go through for SSL validation.

Anybody ever had that issue? Is it something I did wrong, or is there a way around it?

Thank you in advance.

Thanks for opening this issue @mnakalay.
That said, it is directly linked to the app "AutoSSL" used by your host, which gives no clue on what is required.
It is for the same reason that there are no default exceptions for redirection, since it depends on the needs of each app.

In any case, you still can add a condition on the redirection block to exclude the endpoint required for your app validation.

<IfModule mod_rewrite.c>
RewriteEngine On
# (1)
RewriteCond %{HTTPS} =on
RewriteRule ^ - [E=PROTO:https]
RewriteCond %{HTTPS} !=on
RewriteRule ^ - [E=PROTO:http]
# (2)
# RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{SERVER_ADDR} !=127.0.0.1
RewriteCond %{SERVER_ADDR} !=::1
RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

You can find examples of RewriteCond directive usage inside the block for the http to https rewrite.

# (1)
# RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
# RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[\w-]+$
# RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
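As an added example (not code from the repository or from either commenter), here is the www redirect block with the validation-path conditions from the comment above placed in front of the redirect, so that challenge files are served by the host that was asked for them instead of being redirected; the two cPanel patterns are assumed to be what this host's AutoSSL uses:

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On

    # (1) Remember the scheme of the incoming request so the redirect keeps it.
    RewriteCond %{HTTPS} =on
    RewriteRule ^ - [E=PROTO:https]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ - [E=PROTO:http]

    # (2) Redirect non-www hosts to www, except for:
    #   - requests arriving on the loopback addresses, and
    #   - domain-validation paths, which must be answered with a 200 by the
    #     requested host and never with a 301 (ACME challenge path, plus the
    #     cPanel DCV paths; the cPanel patterns are an assumption taken from
    #     the comment above).
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteCond %{SERVER_ADDR} !=127.0.0.1
    RewriteCond %{SERVER_ADDR} !=::1
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[\w-]+$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

After reloading Apache, a request such as `curl -I http://example.com/.well-known/acme-challenge/test` (with a file placed at that path) should come back as 200 from the non-www host rather than a 301 to www. If the http-to-https redirect block is enabled as well, the same three REQUEST_URI conditions belong in front of its RewriteRule, since the validation request first arrives over plain HTTP.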

Thank you, this is very helpful.