I found this morning that AutoSSL failed to update a certificate automatically in the following situation:
When the domain is covered by an HTTPAuth password protection and/or when the domain has a custom HSTS header:
.htaccess:
RewriteCond %{HTTPS} !on
RewriteCond %{THE_REQUEST} ^(GET|HEAD)\ ([^\ ]+)
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ https://%{HTTP_HOST}%2 [L,R=301]
AuthName "privateCRM"
AuthUserFile "/home/account/.htpasswds/public_html/passwd"
AuthType Basic
require valid-user
Header set Strict-Transport-Security "max-age=31536000;" env=HTTPS
I have disabled HTTPAuth and the HSTS header, and reloading the page works correctly (AutoSSL also updates correctly); I don't know which of the two rules applies (due to the nature of HSTS) but disabling both seemed to work.
NOTE: I do realise that HTTPAuth is no longer good practice but until we have a more complete security solution on this domain (it's a big domain) then it's in place for the time being.
If this issue is caused directly by the HSTS command, this is a serious concern as many sites use HSTS in the .htaccess file in this way. I hope it's just the HTTPAuth.
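A diagnostic sketch for the situation in the post, added here and not part of the original post or of cPanel's code: it tests request paths against the two DCV exemptions in the posted rewrite rules and classifies what a plain-HTTP fetch without credentials gets back. The function names, sample paths and constructed responses are assumptions; `probe` needs network access, the rest runs offline.

```python
import http.client
import re

# The two REQUEST_URI exemptions copied from the .htaccess in the post.
DCV_PATTERNS = [
    re.compile(r"^/[0-9]+\..+\.cpaneldcv$"),
    re.compile(r"^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$"),
]

def is_dcv_path(path):
    """True if the posted rewrite rules exempt this path from the HTTPS redirect."""
    return any(p.search(path) for p in DCV_PATTERNS)

def classify(status, headers):
    """Describe what an unauthenticated plain-HTTP fetch ran into."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in h:
        return "blocked-by-auth"        # Basic auth challenge, file not served
    if status in (301, 302, 307, 308) and h.get("location", "").startswith("https://"):
        return "redirected-to-https"    # the rewrite rule fired for this path
    if status == 200:
        return "reachable"
    return "other-%d" % status

def probe(host, path, timeout=10):
    """Fetch path over port 80, sending no credentials and following no redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed sample paths (not real validation tokens).
    for path in ("/1234567890.abcdef.cpaneldcv",
                 "/0123456789ABCDEF0123456789ABCDEF.txt",
                 "/0123456789abcdef0123456789abcdef.txt",   # lowercase hex: not exempt
                 "/index.php"):
        print(path, "exempt from redirect:", is_dcv_path(path))
    # Constructed response of the kind an AuthType Basic directory returns.
    print(classify(401, {"WWW-Authenticate": 'Basic realm="privateCRM"'}))
```

The rewrite conditions only exempt DCV files from the redirect; the `require valid-user` directive in the same file carries no such exemption, so running `probe` against a test file placed at an exempt path shows whether the auth challenge is what a validator would meet.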