Let's Encrypt with domain redirect and HSTS

ZipperZapper

Verified User
Joined
Nov 30, 2015
Messages
111
So, I have HSTS (Strict-Transport-Security-header) enabled server-wide trough a custom nginx_server_secure.conf template.
This works fine, apart from one case I'm running into now and can't find a solution for.

One of my clients used to host a personal website, misterexample.com, with a valid SSL-cert from Let's Encrypt.
A while ago the client decided to stop hosting his personal website and redirect it to his LinkedIn profile with the Domain Redirect (301) settings in DirectAdmin.

This creates the following problem:

- After a while, I will get a message the automatic renewal of misterexample.com has failed;
- I can see this too when trying to recreate a cert by hand, it will just redirect to LinkedIn because of the Domain Redirect;
- When the cert expires or when I disable SSL-support for the site, the redirect will no longer work because of the HSTS that was there originally and the internet never forgets and browsers always select the https-one.

The only way to renew the cert is by removing the Domain Redirect, rebuilding the nginx_confs, renew the cert and then add the Domain Redirect again.
This works, but I'm already tired of this weird construction after 2 renew-cycles.

There must be a way to redirect / from misterexample.com to LinkedIn, but to allow /.well-known? I thought /etc/nginx/webapps.conf took care of that, but it obviously isn't. I tried including webapps.conf BEFORE the Domain Redirect parameter in nginx_server_secure.conf, but that makes no difference.
 

HennoBitfactory

New member
Joined
May 12, 2020
Messages
1
I solved it by disabling site redirection and instead adding this snippet in the custom HTTPD configuration for the domain, to CUSTOM3 so it ends up in the same place:

NGINX:
location /.well-known/ {
}
location / {
  # Original site redirection code
  rewrite ^/.*$ https://domain.tld permanent;
}
This causes requests for the /.well-known/ paths to stay on the original domain, allowing validation and therefore auto-renewal as well.

However, not everyone has the access to use custom HTTPD configurations like this, so it would be nice if the Let's Encrypt functionality would change this for us.
 
Top