Support

Admin Tools

#29120 The validation required 1 HTTP redirect, but the AutoSSL provider β€œcPanel (powered by Comodo)” does not permit HTTP redirects.

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Saturday, 10 March 2018 17:17 CST

Tuesday, 06 February 2018 23:53 CST

paurray
Hello Akeeba

This is the message I go from my hoster this morning:

The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http://finalbug.net/.well-known/pki-validation/010C52613A0D00BE5E109589192C153B.txt” URL, it redirected to the “https://finalbug.net/.well-known/pki-validation/010C52613A0D00BE5E109589192C153B.txt” URL.


If I am not mistaken this is because I have a setting in Admin tools that redirects all http addresses to https addresses.

Is this correct?
Is this normal that i get a message like this from my hoster?
Do I have to turn this setting of?
Or is there another solution?

thanks

Paul

Helping you learn beyond your finalBUG

Wednesday, 07 February 2018 00:39 CST

paurray
ps maybe I just need to think the other way around and get the hoster just to validate https but frankly I am a little lost!?!

Helping you learn beyond your finalBUG

Wednesday, 07 February 2018 00:58 CST

nicholas
Correct. Using this feature rewrites all HTTP access to HTTPS.

Since you are using automatic validation to issue an HTTPS certificate you should disable that feature in Admin Tools' .htaccess Maker while the automatic validation is in progress.

If you expect the automatic validation to run on a schedule (e.g. every 3 months) it might be better if you disabled the redirect HTTP to HTTPS feature altogether. Instead, enable the HSTS feature which instructs browsers to stick to HTTPS at all times but allows automated tools to access HTTP. Moreover, go to your Joomla Global Configuration and set "Use SSL (HTTPS)" to "Entire site". This has a similar effect to the .htaccess Maker feature, it's just slightly slower for the very first non-HTTPS request made by a browser.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 07 February 2018 01:22 CST

paurray
Hi Nicholas

Thank you for your fast reply...

If you expect the automatic validation to run on a schedule (e.g. every 3 months) it might be better


Not sure but I expect that they have some clever system set up that does something like this.

Ok going here:

HSTS Header (for HTTP-only sites)



Assuming that you have a site which is only supposed to be accessed over HTTPS, your visitor's web browser has no idea that the site should not be ever accessed over HTTP. Joomla! offers a Global Configuration setting to force SSL throughout the entire site, but this is merely a workaround: if it sees a request coming through HTTP it will forward it to HTTPS.


I am setting this to no!

And clicking "Save and create .htaccess"

Question on the side this will only save the change that I have just made right.
eg other changes/modifications from my hoster remain intact right?
Sorry about being paranoid ;-)

Moreover, go to your Joomla Global Configuration and set "Use SSL (HTTPS)" to "Entire site". This has a similar effect to the .htaccess Maker feature, it's just slightly slower for the very first non-HTTPS request made by a browser.


That is this item here

Global Config>Server>"Force HTTPS" which was set to "Entire Site" and I have left it so.

Again being paranoid could this doubling up of HTTP/HTTPS redirects potentially caused any issues.

Last but by no means least I guess i need to contact my hoster and get them to ru the test again to double check that all is well!

thanks

Paul

Helping you learn beyond your finalBUG

Wednesday, 07 February 2018 05:48 CST

nicholas
After installing the SSL certificate you should set HSTS to Yes. As I said, this does not have any effect on your server, i.e. your server can serve plain HTTP requests if required, therefore not getting in the way of your validation. It has an effect on the browsers of your visitors. It tells their browsers to never attempt to contact your your site over plain HTTP which is desirable for a lot of reasons including but not limited to protection against site spoofing and cookie stealing. Please read https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security for a good introduction to the topic.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 08 February 2018 00:17 CST

paurray
Hi Nicholas

As always thank you for your detailed and clear replies.
I got this mail from my hoster today so all appears to be well after following your instructions:





Good news, AutoSSL has successfully renewed the Domain Validated (DV) certificate for “finalbug.net”. This does not require any further action by you.


thanks again

Paul

Helping you learn beyond your finalBUG

Edited by paurray on 2018-02-08 00:18 CST

Thursday, 08 February 2018 01:03 CST

nicholas
You're welcome, Paul!

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 10 March 2018 17:17 CST

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2018-03-10 17:17 CST

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!