SSL Renewals for Domains that Redirect to an Internal Page


Intro

If you have a website where you’ve set up a redirect that looks like this via an Nginx configuration file:

old-domain.com -> new-domain.com/something

This article is for you.

Regular redirect domains that are added via the Site customizer will not experience the same SSL renewal errors.

The Renewal Error

If you’ve received an SSL renewal error, the first thing you need to do is head to the SSL log for that website. This will give a clear reason for why Let’s Encrypt has been unable to renew the SSL.

In this case, it will look similar to this:

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: old-website.com
Type: unauthorized
Detail: Invalid response from
https://new-website.com/something//.well-known/acme-challenge/199nbYyxhysPwgs8_bXLPsdf9WERfsdfETz0B1F68r
[199.199.199.199]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: www.old-website.com
Type: unauthorized
Detail: Invalid response from
https://new-domain.com/something//.well-known/acme-challenge/WYg8VQnFCPHSY9liTvew8fWslA_ErsvqElEWoK3xM
[199.199.199.199]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

Here we can see that the redirect is confusing Let's Encrypt: the validation request for old-website.com/.well-known/acme-challenge/<token> is redirected to new-domain.com/something/.well-known/acme-challenge/<token>, where no challenge file exists, so the validation server receives a 404 instead of the token and reports the domain as unauthorized.

How to Fix it

You have two options to fix this. We recommend the first if possible as it’s the easiest method and will prevent this from happening again in the future.

Option 1: Switch to a DNS API Integration

Use a DNS Integration and provision an SSL via either the regular DNS API method or the Challenge method. This method doesn't rely on Let's Encrypt fetching a file from your live site, so the redirect won't affect the renewal.

The following articles detail provisioning SSL certificates via the DNS API methods:

Option 2: Manually Renew

Manually renew the SSL every 3 months by connecting to the server and running a few copy and paste commands.

The regular webroot domain verification method requires that your DNS records be in place so that Let’s Encrypt can check your website against your IP address. However, as you can see above, when this manual redirect is in place it can’t verify the domain.

Manually Renewing Your SSL Certificate

If you’re sticking with the webroot method for your SSLs, below is the step-by-step procedure for running the renewal.

Step 1. SSH into your Server

This process requires that you connect to your server in order to manually run the commands in the following steps.

Step 2. Rename your redirect configuration file

Run the following command to navigate to your website's Nginx folder, replacing “site.url” with your domain name:

cd /var/www/site.url/nginx

For example:

cd /var/www/website.com/nginx

Next run:

ls -l

This will display the contents of the folder, and here you will see the redirect main-{site.url}-context configuration file you’ve created. If you’ve followed our guides, it probably looks like this: redirect-main-site.url-context.conf .

Rename the file, adding an underscore at the end to “deactivate” it (if named incorrectly, Nginx will not include it):

mv redirect-main-site.url-context.conf redirect-main-site.url-context.conf_

Step 3. Check and Restart Nginx

Make sure that the Nginx conf files are ok and then reload Nginx. Check the syntax with:

nginx -t

If no errors are present, reload with:

gp ngx reload

Step 4. Renew your SSL

Run this command to renew your SSL certificate:

certbot-auto renew

Now that the redirect is no longer in place, the SSL renewal will go through.

Step 5. Put your redirect back in place

Now rename the file back to its original name so the redirect is active again. This step is the opposite of step 2. Run the following, replacing the file name with your own:

mv redirect-main-site.url-context.conf_ redirect-main-site.url-context.conf

Step 6. Check and Restart Nginx Again

Make sure that the Nginx conf files are ok and then reload Nginx. Check the syntax with:

nginx -t

If no errors are present, reload with:

gp ngx reload
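Steps 2 to 6 above, as an added example script that is not part of the original guide: it deactivates the redirect include, runs the renewal, and puts the redirect back even when the renewal fails, so the site is never left without its redirect or with a broken Nginx config. It assumes the file naming from step 2 (/var/www/site.url/nginx/redirect-main-site.url-context.conf); the check, reload and renew commands default to the ones in this guide and can be overridden via the NGINX_TEST, NGINX_RELOAD and CERTBOT_RENEW variables.

```shell
#!/bin/sh
# Added example, not from the original guide. Defaults are the guide's commands;
# override them (e.g. CERTBOT_RENEW="certbot renew") if your server differs.
set -eu
NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-gp ngx reload}"
CERTBOT_RENEW="${CERTBOT_RENEW:-certbot-auto renew}"

# Steps 2 and 3: rename the include so Nginx stops loading it, then check and
# reload. If the syntax check fails, undo the rename so Nginx is never broken.
disable_redirect() {
    conf="$1"
    [ -f "$conf" ] || { echo "no redirect file at $conf" >&2; return 1; }
    mv "$conf" "${conf}_" || return 1
    if ! $NGINX_TEST; then
        mv "${conf}_" "$conf"
        return 1
    fi
    $NGINX_RELOAD
}

# Steps 5 and 6: restore the original name, then check and reload.
enable_redirect() {
    conf="$1"
    [ -f "${conf}_" ] || { echo "no deactivated file at ${conf}_" >&2; return 1; }
    mv "${conf}_" "$conf" || return 1
    $NGINX_TEST && $NGINX_RELOAD
}

# Steps 2 to 6 together. The redirect is re-enabled whether or not step 4
# succeeds; the function's exit status is that of the renewal.
renew_with_redirect_disabled() {
    conf="$1"
    disable_redirect "$conf" || return 1
    status=0
    $CERTBOT_RENEW || status=$?
    enable_redirect "$conf" || return 1
    return "$status"
}

# Usage: sh renew.sh site.url  (hypothetical script name)
if [ -n "${1:-}" ]; then
    renew_with_redirect_disabled "/var/www/$1/nginx/redirect-main-$1-context.conf"
fi
```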

Done!

You’re all set! Check your redirect is all good and have a great day!