Univention Bugzilla – Bug 56825
Let's encrypt challenge fails for Keycloak domain because of HTTPS redirect
Last modified: 2024-02-15 16:59:16 CET
Since version 21.1.2-ucs2 of Keycloak redirects from http to https. While preferable in most cases, this breaks Let's Encrypt's DNS challenge. As a workaround the `<VirtualHost *:80>` directive can be removed from /etc/apache2/sites-available/univention-keycloak.conf and, after reloading the apache config, the app should be able to refresh the certificates, but this breaks the redirect of course, while re-adding the redirect will break the next automatic refresh.
(In reply to Jan-Luca Kiok from comment #0)
> Since version 21.1.2-ucs2 from Keycloak redirects from http to https. While
> preferable in most cases this breaks Let's encrypts DNS challenge.

Really *DNS* challenge?
- [HTTP-01 challenge](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) requires you to put the file on your web server, where forced http->https redirection would interfere; DNS is only required to make looking up your domain work for the Let's Encrypt robot.
- [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) only asks you to add a TXT DNS RR; no HTTP server is needed at all.
Oops, of course, you are right - The HTTP challenge is affected.
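The conflict described above is between a forced http->https redirect in the `*:80` vhost and the HTTP-01 validator fetching a token file over plain HTTP. The usual way to keep the redirect without breaking renewals is to exempt the ACME path from it. The following is an added, constructed Apache configuration for illustration; it is not Univention's shipped univention-keycloak.conf, and the ServerName and DocumentRoot are assumptions.

```apache
# Constructed example, not the univention-keycloak.conf that UCS ships.
# ServerName and the webroot path are assumptions.

# Weak: every request on :80 is redirected, including the ACME path, so the
# validator never gets the token file from this vhost.
<VirtualHost *:80>
    ServerName keycloak.example.org
    Redirect permanent / https://keycloak.example.org/
</VirtualHost>

# Hardened: serve /.well-known/acme-challenge/ straight from disk on :80 and
# redirect everything else to HTTPS. Only mod_rewrite is used for the
# redirect, because a mod_alias "Redirect /" would still fire for the
# exempted path.
<VirtualHost *:80>
    ServerName keycloak.example.org
    DocumentRoot /var/www/html

    # Map the ACME path to the directory the ACME client writes tokens into.
    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
    <Directory /var/www/html/.well-known/acme-challenge/>
        Require all granted
        Options None
        AllowOverride None
    </Directory>

    RewriteEngine On
    # Skip the redirect for the ACME path; redirect every other request.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After `apache2ctl configtest` and a reload, `curl -I http://keycloak.example.org/.well-known/acme-challenge/probe` should return 404 (served locally) rather than 301, while `curl -I http://keycloak.example.org/` still returns the 301 to HTTPS.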
Hmm, I cannot reproduce this, asked on help for more info.
Feedback from help: the problem seems to be gone. Please re-open if this happens again.