Discussion on: Hosting WordPress over HTTPS with Docker

DUVERGIER Claude

Right, but I don't see where this "force-all-HTTP-traffic-to-HTTPS" part gets disabled/commented when certificate renewal occurs.

When I configure a certificate on a "force HTTPS" Nginx configuration, I have the following in the HTTP server block:

location ^~ /.well-known/acme-challenge/ {
    # No HTTP authentication
    allow all;

    # Set correct content type. According to this:
    # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
    # Current specification requires "text/plain" or no content header at all.
    # It seems that "text/plain" is a safe option.
    default_type "text/plain";
}
location = /.well-known/acme-challenge/ {
    return 404;
}

# Redirect the rest of HTTP traffic to HTTPS:
location / {
    return 301 https://$host$request_uri;
    access_log off;
}

Thus the ACME challenge gets served over HTTP, and the other requests are redirected to HTTPS.
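
An added example (not part of the comment or the original post): a small Python model of nginx's location selection applied to the three blocks above, showing which requests stay on HTTP during renewal. It goes slightly beyond the comment by modelling regex locations; the `~ /\.` dotfile rule and the sample paths are constructed assumptions used to show what the `^~` modifier protects against.

```python
import re

# Location table modelled on the HTTP server block in the comment above.
# The "~" entry is NOT in that comment: it is a hypothetical deny-dotfiles
# rule, included to show what the "^~" modifier protects against.
LOCATIONS = [
    ("^~", "/.well-known/acme-challenge/", "serve challenge file over HTTP"),
    ("=",  "/.well-known/acme-challenge/", "404"),
    ("",   "/",                            "301 to HTTPS"),
    ("~",  r"/\.",                         "403 (hypothetical dotfile rule)"),
]


def select_location(uri, locations=LOCATIONS):
    """Return the action of the location nginx would choose for `uri`."""
    # 1. An exact "=" match wins immediately.
    for mod, pattern, action in locations:
        if mod == "=" and uri == pattern:
            return action
    # 2. Remember the longest matching prefix location ("" or "^~").
    best = None
    for mod, pattern, action in locations:
        if mod in ("", "^~") and uri.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (mod, pattern, action)
    # 3. "^~" on the longest prefix means regex locations are not consulted.
    if best and best[0] == "^~":
        return best[2]
    # 4. Otherwise the first matching regex, in configuration order, wins.
    for mod, pattern, action in locations:
        if mod == "~" and re.search(pattern, uri):
            return action
    # 5. Fall back to the remembered prefix match, if any.
    return best[2] if best else None


if __name__ == "__main__":
    # Constructed sample request paths.
    for uri in ("/.well-known/acme-challenge/constructed-token",
                "/.well-known/acme-challenge/",
                "/wp-login.php",
                "/.git/config"):
        print(f"{uri:50} -> {select_location(uri)}")
```
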

Forest Hoffman

Oh, interesting. I didn't know this was a potential issue. Thankfully, I've got quite a while before my certs need renewing. Thank you for bringing this to my attention!

DUVERGIER Claude

You're welcome :)

Forest Hoffman

Updated! Thank you again. :)