Digital certificate renewals

Background on using digital certificates

Ever since Google announced that it would treat https as a (weak) ranking signal, the number of sites using a digital certificate has risen rapidly. Buying and installing certificates can be something of a trial for the average user, with a number of "gotchas" along the way. However, many of those certificates are now coming up for renewal, and there is one more gotcha to be aware of.

Certificate renewal problem

For those using domain level validation (i.e. proving that you are in control of the domain you want the certificate for) the Certificate Authority (CA) will typically check for the presence of a text file on your website. The trap for the unwary is that it will only check over http, not https. This is fine for your first certificate, but by renewal time most sites are redirecting all their traffic from the non-secure to the secure protocol. Consequently, the Certificate Authority never finds the validation file and manual intervention is required, leading to delays at best or the loss of https at worst.

Domain level validation renewal

Let's assume the CA has given you the file abc123.txt and you upload it to the server. According to the Apache docs, mod_rewrite is not the preferred way of redirecting http traffic to https. Instead they recommend using the Redirect directive provided by mod_alias. Here's how it's done:

Using Redirect

<VirtualHost *:80>
    ServerName www.example.com
    # Straight quotes: curly quotes become part of the argument and break the redirect
    Redirect "/" "https://www.example.com/"
</VirtualHost>

NB the absence of a DocumentRoot directive; it's not needed in this situation. As described above, the CA will never find http://www.example.com/abc123.txt because the request is redirected to https://www.example.com/abc123.txt, and the CA is not expecting the file to be found under https.
To fix this we can check for our validation file:

<VirtualHost *:80>
    ServerName www.example.com
    # Redirect everything except the validation file (note the leading slash)
    <If "%{REQUEST_URI} != '/abc123.txt'">
        Redirect "/" "https://www.example.com/"
    </If>
    # Required so that /abc123.txt can actually be served over http
    DocumentRoot /home/path/to/htdocs
</VirtualHost>

Note:

  1. Trailing slash before the filename
  2. DocumentRoot is now required to avoid a 404.

Using Rewrite

Many people do use mod_rewrite to redirect traffic from http to https, like this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Whilst it's not the recommended way, it is easier to handle our validation file. Just make sure you have a rewrite for the file before your HTTPS conditional, like this:

RewriteEngine On
# Serve the validation file as-is and stop processing further rules.
# "^/?" makes the pattern match both in a VirtualHost (path starts with "/")
# and in .htaccess (leading slash is stripped); "-" means no substitution.
RewriteRule ^/?abc123\.txt$ - [L]
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Which solution you use depends on how you're redirecting traffic, but either way you'll need something like this for the CA to find your validation file.
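Before asking the CA to re-validate, it is worth confirming from outside that the file is really served over plain http and not redirected. The script below is an added example, not part of the original post: it fetches the validation URL with redirects disabled, so it sees exactly what the CA's validator sees, and reports the likely cause of a failure (redirect to https, missing DocumentRoot, wrong content). The hostname, file name and expected token are constructed placeholders, and the assumption that the CA compares the file body against a token is a generalisation of the "presence of a text file" check described above.

```python
"""Pre-renewal check for a domain-validation file served over plain http.

Added example, not the original post's code. Hostname, file name and the
expected token are constructed placeholders for illustration.
"""
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx responses so we can see the redirect the CA sees."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # Returning None makes urllib raise HTTPError for the 3xx instead of following it
        return None


def classify(status, location, body, expected):
    """Explain what a CA validator would make of this http response.

    status   -- HTTP status code received over plain http://
    location -- value of the Location header, or None
    body     -- response body as text
    expected -- the token the CA asked to see in the file (assumed check)
    Returns (ok, reason).
    """
    if 300 <= status < 400:
        if location and location.lower().startswith("https://"):
            return False, "redirected to HTTPS (%s); the CA only checks over http" % location
        return False, "redirected to %s; the CA expects a direct 200" % location
    if status == 404:
        return False, "404: file not found (missing file, or no DocumentRoot in the :80 vhost)"
    if status != 200:
        return False, "unexpected status %d" % status
    if body.strip() != expected.strip():
        return False, "200 but the body does not match the expected token"
    return True, "validation file served correctly over http"


def check(host, filename, expected, timeout=10):
    """Fetch http://host/filename with redirects disabled and classify the result."""
    url = "http://%s/%s" % (host, filename)
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, resp.headers.get("Location"), body, expected)
    except urllib.error.HTTPError as err:
        # 3xx and 4xx/5xx both arrive here; HTTPError carries code, headers and body
        body = err.read().decode("utf-8", "replace")
        return classify(err.code, err.headers.get("Location"), body, expected)


if __name__ == "__main__":
    # Usage: python check_validation.py www.example.com abc123.txt <expected-token>
    host, filename, expected = sys.argv[1:4]
    ok, reason = check(host, filename, expected)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it from a machine outside your network so that any redirect rule in the :80 virtual host is exercised exactly as the CA would hit it; a "redirected to HTTPS" result means the exception for the validation file (the `<If>` block or the extra RewriteRule above) is not in effect.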
