Let’s Encrypt renewal fails due to 301 redirect, on Forge Wordpress site

Posted 4 months ago by ader79

Let’s Encrypt can't renew on my Wordpress site on Laravel Forge. It seems to be due to the server redirecting everything to https.

The Let’s Encrypt renewal process appears to need to get to http://domain.tld/.well-known/acme-challenge/foo (note: http, not https).

This works fine the first time around if SSL is not enabled on the site.

But after a certificate is installed, when it tries to renew the certificate, or if I try to manually install a new one (seeing as automatic renewal failed), it gets into a redirect loop.

I tested it using cURL. There is a redirect loop:

$ curl -I http://domain.tld/.well-known/acme-challenge/foo

HTTP/1.1 301 Moved Permanently
Server: nginx/1.13.3
Location: https://domain.tld/.well-known/acme-challenge/REDACTED

$ curl -I https://domain.tld/.well-known/acme-challenge/foo

HTTP/1.1 301 Moved Permanently
Server: nginx/1.13.3
Location: http://domain.tld/.well-known/acme-challenge/REDACTED

So http redirects to https and vice versa.

I have eliminated WordPress / application causes by editing index.php so it just calls exit("hello world");

It seems that, the way Forge updates the nginx config after installing a Let's Encrypt certificate, it then only listens on port 443 and always redirects everything to https.

The only solution I have found is to turn off SSL, delete the existing certificate, wait for everything to update (so the site is no longer on https), and then install one from scratch.

Other info: CloudFlare is in use but for debugging I set "disable cloudflare for this site" so proxying was off.

Where is this 301 redirect coming from and how can it be rectified?
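The cURL check above, turned into an offline model of what an ACME HTTP-01 validator sees when it walks the redirect chain (added example, not code from the post or from Forge). The validator does follow redirects, including http to https, so a single hop to https is fine; what breaks renewal is the http/https loop shown in the post. The response tables are constructed to mirror the post's output, with the redacted path replaced by the same `foo` token.

```python
"""Classify the redirect chain an ACME HTTP-01 validator would follow.

No network: a fetcher is a function mapping a URL to (status, Location).
"""
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Optional[str]]
Fetcher = Callable[[str], Response]

MAX_REDIRECTS = 10  # validators follow a bounded number of hops
CHALLENGE = "http://domain.tld/.well-known/acme-challenge/foo"


def check_challenge(start_url: str, fetch: Fetcher) -> str:
    """Return 'ok', 'loop', 'too-many-redirects' or 'error:<status>'."""
    seen: List[str] = []
    url = start_url
    while len(seen) <= MAX_REDIRECTS:
        if url in seen:          # revisiting a URL means a redirect loop
            return "loop"
        seen.append(url)
        status, location = fetch(url)
        if status == 200:
            return "ok"
        if status in (301, 302, 303, 307, 308) and location:
            url = location       # follow the hop like the validator does
            continue
        return f"error:{status}"
    return "too-many-redirects"


def fetch_from(table: Dict[str, Response]) -> Fetcher:
    """Build a fetcher from a constructed URL -> response table."""
    return lambda url: table.get(url, (404, None))


# Constructed: the post's behaviour, http -> https -> http, forever.
BROKEN: Dict[str, Response] = {
    CHALLENGE: (301, CHALLENGE.replace("http://", "https://")),
    CHALLENGE.replace("http://", "https://"): (301, CHALLENGE),
}
# Constructed: port 80 serves the token directly on the challenge path.
FIXED: Dict[str, Response] = {CHALLENGE: (200, None)}
# Constructed: one hop to https that then serves the token is also fine.
REDIRECT_OK: Dict[str, Response] = {
    CHALLENGE: (301, CHALLENGE.replace("http://", "https://")),
    CHALLENGE.replace("http://", "https://"): (200, None),
}

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED), ("one-hop", REDIRECT_OK)):
        print(name, check_challenge(CHALLENGE, fetch_from(table)))
```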

