Replies: 19 comments 1 reply
-
Hi, Do you mean the container self verification or the (external) verification made by Lets Encrypt ? |
Beta Was this translation helpful? Give feedback.
-
Hi @buchdag, I mean the verification that certbot does, where it checks if there is a file in I just now found some documentation stating that certbot does indeed verify over http (which makes sense), https://certbot.eff.org/docs/using.html#webroot. So what I'm now wondering, does the standard configuration of https://github.com/jwilder/nginx-proxy coupled with this container redirect all http requests to https? Also the ones to |
Beta Was this translation helpful? Give feedback.
-
Yes, the standard configuration (which depends on |
Beta Was this translation helpful? Give feedback.
-
@buchdag I think you might have misinterpreted my comment a little bit :-) Boulder does follow redirections from HTTP to HTTPS. I was saying it ignored certificate validation after being redirected. Hope that helps clarify! |
Beta Was this translation helpful? Give feedback.
-
Ok, so I can expect certbot to be redirected to https when using the standard config and then attempt to validate a file in |
Beta Was this translation helpful? Give feedback.
-
@cpu > I remembered you said it ignored cert validation, went to your comment to verify, and manage to read a "don't" that isn't there. derp. @ismay > I'm not so sure of that. The redirection to https only happens if a certificate and key corresponding to the domain exists when docker-gen create the default.conf and reloads nginx. The old certificates / keys, if they exist, should be deleted and nginx reloaded through docker-gen just before certificate creation or renewal, so all challenge validations should happen over http. |
Beta Was this translation helpful? Give feedback.
-
Ok cool, thanks for clarifying, that helps a lot! I'll update my config accordingly. Thanks for the help! |
Beta Was this translation helpful? Give feedback.
-
My bad, I completely misread the linked code yesterday, what is deleted are certificates of a given type (test or non test) if you ask for a certificate of the other type. So challenge validation should happen over http:
Challenge validation should happen over https on renewal of a certificate by a certificate of the same type. Sorry for yesterday misinformation. |
Beta Was this translation helpful? Give feedback.
-
No problem, thanks for the update! |
Beta Was this translation helpful? Give feedback.
-
Ok, so just got this reply from cloudflare about this issue:
So this means that in the end all requests would end up going over https, regardless of if they're attempted over http at first. (This issue was originally about a redirect loop, which is what the cloudflare engineer is referring to. That's been solved by removing the redirect on cloudflare). Maybe it might be good to remove the automatic redirect for the .well-known folder so a request over http is possible? |
Beta Was this translation helpful? Give feedback.
-
@ismay I'm currently having this issue, how did you manage to remove the redirect at cloudflare? I've turned off SSL + rewrite http to https at CF but i am still encountering the problem |
Beta Was this translation helpful? Give feedback.
-
What I did for cloudflare:
Add a page rule:
For my docker config see my cloud config above. |
Beta Was this translation helpful? Give feedback.
-
Hmm, I cant find "Opportunistic encryption" as an option anywhere. neither can i find always use https. still getting stuck in a 301 loop |
Beta Was this translation helpful? Give feedback.
-
Weird. It's in the cloudflare settings for me. Under encryption I believe
|
Beta Was this translation helpful? Give feedback.
-
@ismay not on my site! |
Beta Was this translation helpful? Give feedback.
-
Ah! the option appears after enabling cloudflare's SSL |
Beta Was this translation helpful? Give feedback.
-
That's done it! thanks. |
Beta Was this translation helpful? Give feedback.
-
Sorry for the necro but I'm having some issues with Cloudflare atm. My site works fine - even in HTTPS - with the Cloudflare CDN turned off (grey cloud), but when the CDN is enabled (orange cloud) I get I have Cloudflare SSL as well as all the HTTPS redirect settings mentioned in previous comments turned off. It would be wonderful if anyone could tell me what I'm doing wrong. |
Beta Was this translation helpful? Give feedback.
-
Having the same issue, @pcjmfranken did you manage to solve this? |
Beta Was this translation helpful? Give feedback.
-
I'm using this service in my coreos cloud config. Currently it works just fine, but I've been having some issues with docker-letsencrypt-nginx-proxy-companion trying to verify certificates in the .well-known directory over http. Is that correct?
Also, nginx-proxy (or this container) seems to then redirect the request to https. Is that correct as well? I'm asking since it wasn't clear to me from the documentation, and it would be helpful for me to know what the intended behaviour is, so that I can set up my cloudflare page rules correctly.
Beta Was this translation helpful? Give feedback.
All reactions