
Unbreak miraheze.com ACME challenges
Closed, ResolvedPublic

Description

It is currently not possible to renew miraheze.com's certificate because of how that domain redirects to meta.miraheze.org.

miraheze.com serves a 301 directing clients to meta.miraheze.org/, which then serves a redirect to meta.miraheze.org/wiki/.

Let's Encrypt, when renewing miraheze.com's certificate, finds itself in more or less this redirect chain:

| Redirect nº | From | Location |
|---|---|---|
| 1 | miraheze.com/.well-known/acme-challenge/<random string> | meta.miraheze.org/.well-known/acme-challenge/<random string> |
| 2 | meta.miraheze.org/.well-known/acme-challenge/<random string> | meta.miraheze.org/wiki/.well-known/acme-challenge/<random string> |

meta.miraheze.org/wiki/.well-known/acme-challenge/<random string> then returns a 404, because our system expects requests to .well-known to come to the domain root (https://github.com/miraheze/puppet/blob/4a8c9573b8f1ecadb61ff426628f5f68a2cf9764/modules/ssl/files/nginx.conf#L15), and the renewal fails.

miraheze.com's cert expires on Fri 14 Jun 2024.
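One way to keep a redirect-only vhost answering HTTP-01 challenges, as an added example that is neither the project's nginx.conf nor the change made in the puppet commit mentioned later in this task: a prefix location for /.well-known/acme-challenge/ is declared ahead of the catch-all redirect, so the challenge request is served from a local webroot and never leaves miraheze.com. The server_name values and the /var/www/letsencrypt webroot are assumptions.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name miraheze.com www.miraheze.com;   # assumed vhost names

    # Added example: answer ACME HTTP-01 challenges locally, before any redirect.
    # '^~' makes this prefix match win over any 'location ~' regex block,
    # so a later regex location cannot capture the challenge path either.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot the ACME client writes tokens into
        default_type text/plain;
        try_files $uri =404;         # serve the token file or a local 404; never redirect
    }

    # Everything else keeps the existing behaviour: redirect to meta.miraheze.org,
    # path preserved, which is what produced the chain in the table above.
    location / {
        return 301 https://meta.miraheze.org$request_uri;
    }
}
```

A quick check that does not wait for a renewal: `curl -sI http://miraheze.com/.well-known/acme-challenge/probe` should answer with a 404 from miraheze.com itself rather than a 301 to meta.miraheze.org; a 301 means the challenge location is missing or shadowed. The same block belongs on every redirected domain (miraheze.wiki is named below), and on the port 443 server as well if the port 80 vhost first redirects to HTTPS, since Let's Encrypt follows redirects to HTTPS before looking for the token.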

Event Timeline

OrangeStar triaged this task as Normal priority. Sun, Jun 9, 17:25
OrangeStar created this task.

https://github.com/miraheze/ssl/pull/781 temporarily removes the redirect to allow the renewals to go through. That's just meant for use right now; if we had to do this every time the expiration date is approaching, it would kind of defeat the point of automating the whole cert renewal process.

In the past this hasn't been an issue. There is a similar issue with miraheze.wiki.

In T12203#244273, @Void wrote:

Should be prevented now with https://github.com/miraheze/puppet/commit/f68026b18e128ed09258ef2743f86dce5115936d which should work for all redirected domains.

Still failing with the same output.

MacFan4000 reassigned this task from OrangeStar to Void.