Let's Encrypt Nuances

For general information I thought I'd post this Let's Encrypt cert rollover 'Gotcha.'

Scenario – I've been hosting a legacy domain, website and a bunch of email accounts under the same domain for a number of years. The website owner requests that web forwarding be put in place from the old website to a swanky new rebranded site. This scenario all works brilliantly until LE requires a cert update.

Gotcha – LE won't auto-update certs when a domain has a redirect in place, and this subsequently disrupts email traffic on the original domain.

Quick Fix – Remove the redirect, update the cert, then reapply the redirect.

Lesson – What used to work in the old days doesn’t work so well today. Don’t host email and websites under the same domain.

This is usually fine if you're using rewrites rather than redirects. Redirect rules send all the URLs to the new location, whereas rewrites parse the URL and send it off elsewhere. For the browser the result is the same, but rewrites allow more control and can be overridden at different levels, which is what Sympl has configured for the typical .well-known directory.

Rather than a basic redirect, like…

Redirect / https://target.example.com

You can use a rewrite more like:

RewriteEngine on
# Leave the ACME challenge path alone so renewals still reach this host
RewriteCond %{REQUEST_URI} !^/\.well-known/
# ^/? matches with or without the leading slash (per-directory context strips it),
# so the slash is always re-added in the target
RewriteRule ^/?(.*)$ https://target.example.com/$1 [R,L]

Which will redirect any URL where the path doesn’t start with /.well-known/ to the target, allowing LE certs to be renewed as normal.

Sympl includes some handlers to do some of this automatically so in some cases you may not need the RewriteCond, but the above should work in all cases.
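As an added check that the rule above behaves before the next renewal (my code, not Sympl's and not from this thread): it asks the old host for a constructed token under /.well-known/acme-challenge/ and for /, without following redirects, and reports which of the two is sent to another host. It assumes the old site still answers plain HTTP on port 80, which is what HTTP-01 validation uses.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

ACME_PREFIX = "/.well-known/acme-challenge/"
PROBE_TOKEN = "rewrite-probe"  # constructed token; the file need not exist

class NoFollow(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, timeout=10):
    """GET url without following redirects; return (status, Location or None)."""
    opener = urllib.request.build_opener(NoFollow)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")

def classify(host, status, location):
    """What one response means for an HTTP-01 challenge aimed at host.
    The CA follows redirects, but whichever host finally answers must serve
    the token, so a redirect off-host fails unless the new host serves it too."""
    if 300 <= status < 400 and location:
        target = urlparse(location).hostname or host  # relative Location = same host
        return "redirected-away" if target.lower() != host.lower() else "redirected-on-host"
    return "served-locally"  # 200 or 404: this host answered for itself

def check_site(host):
    """Probe the challenge path and '/' over plain HTTP; return {path: verdict}.
    Expected with the RewriteCond in place: challenge path 'served-locally'
    (a 404 is fine, no token exists yet), '/' 'redirected-away'."""
    return {path: classify(host, *fetch(f"http://{host}{path}"))
            for path in (ACME_PREFIX + PROBE_TOKEN, "/")}

def challenge_path_ok(results):
    """True when nothing under the ACME prefix was redirected to another host."""
    return all(v != "redirected-away"
               for p, v in results.items() if p.startswith(ACME_PREFIX))

if __name__ == "__main__":
    res = check_site(sys.argv[1])
    for path, verdict in res.items():
        print(f"{path:45s} {verdict}")
    sys.exit(0 if challenge_path_ok(res) else 1)
```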


What I suggest as an alternative is to make the old name a codomain.

Thank you both very much indeed. I was initially using a basic redirect so I’ve implemented Paul’s suggested rewrite solution albeit I won’t know whether it works until the next LE rollover of certificates.

Hairy Dog Sir, for my education, could you kindly expand on the co-domain setup?

You simply set the web server to serve both domains with the same pages.
All it takes is a softlink in the /srv directory. See Website Configuration Reference - Sympl Wiki.