Let’s Encrypt can't renew on my WordPress site on Laravel Forge. It seems to be due to the server redirecting everything to https.
The Let’s Encrypt renewal process appears to need to get to
http://domain.tld/.well-known/acme-challenge/foo (note: http, not https).
This works fine the first time around if SSL is not enabled on the site.
But after a certificate is installed, when it tries to renew the certificate, or if I try to manually install a new one (seeing as automatic renewal failed), it gets into a redirect loop.
I tested it using cURL. There is a redirect loop:
$ curl -I http://domain.tld/.well-known/acme-challenge/foo
HTTP/1.1 301 Moved Permanently
Server: nginx/1.13.3
Location: https://domain.tld/.well-known/acme-challenge/REDACTED

$ curl -I https://domain.tld/.well-known/acme-challenge/foo
HTTP/1.1 301 Moved Permanently
Server: nginx/1.13.3
Location: http://domain.tld/.well-known/acme-challenge/REDACTED
So http redirects to https and vice versa.
I have eliminated WordPress / application causes by editing index.php so it just outputs
It seems to be the case that the way Forge updates the nginx config after installing a Let's Encrypt certificate, it then only listens on port 443, and always redirects everything to https.
The only solution I have found is to turn off SSL, delete the existing certificate, wait for everything to update (so the site is no longer on https), and then install one from scratch.
Other info: CloudFlare is in use but for debugging I set "disable cloudflare for this site" so proxying was off.
Where is this 301 redirect coming from and how can it be rectified?
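
Added example, not part of the original post: a small Python tracer that repeats the two curl checks above hop by hop, without following redirects automatically, and reports when a challenge URL redirects back to one already visited. The `SAMPLE` responses are constructed from the curl output in the post (with `foo` standing in for the redacted token); the function names are this example's own.

```python
import http.client
from urllib.parse import urlsplit, urljoin

def head(url):
    """Send one HEAD request without following redirects; return (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=head, max_hops=10):
    """Follow redirects one hop at a time; return (hops, verdict)."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:
            return hops, "loop back to " + url
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops, "final status %d" % status
        url = urljoin(url, location)  # resolve relative Location headers
    return hops, "gave up after %d hops" % max_hops

# Constructed responses mirroring the curl output in the post.
PATH = "/.well-known/acme-challenge/foo"
SAMPLE = {
    "http://domain.tld" + PATH: (301, "https://domain.tld" + PATH),
    "https://domain.tld" + PATH: (301, "http://domain.tld" + PATH),
}

def sample_fetch(url):
    """Offline stand-in for head(), answering from SAMPLE."""
    return SAMPLE[url]

if __name__ == "__main__":
    hops, verdict = trace("http://domain.tld" + PATH, fetch=sample_fetch)
    for url, status, location in hops:
        print(status, url, "->", location)
    print(verdict)
```

Calling `trace(url)` with the default `fetch` runs the same check against a live site; each printed hop shows which scheme issued the redirect.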