403 on homepage after creating certificate

jenpaff · January 20, 2021, 4:58pm

Context: I inherited access to the server, first thing I created a certificate. I'm a bit confused about the apache webserver config - so that's where the error might be

Quick shout out to the community: It was super easy to create the certificate, so really thanks for that!

My domain is: www.systers.org

I ran this command: certbot --apache

It produced this output: Congratulations! Your certificate and chain have been saved at .... The certificate was successfully installed. Going to https://www.systers.org/mailman/listinfo/systers also shows that the certificate was successful. However www.systers.org returns a 403 and systers.org a privacy error. Can anyone help? I've posted the configs below

My web server is (include version): Apache version is 2.4.6

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

The config looked like this:

ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
<Directory /usr/lib/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Require all granted
</Directory>

<VirtualHost *:80>
    ServerName www.systers.org
    DocumentRoot /usr/lib/mailman/cgi-bin/
    ServerAlias systers.org
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.systers.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

and certbot also created another config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.systers.org
    DocumentRoot /usr/lib/mailman/cgi-bin/
    ServerAlias systers.org


SSLCertificateFile CERT
SSLCertificateKeyFile KEY
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile CHAIN
</VirtualHost>
</IfModule>

Rip · January 20, 2021, 5:12pm

Welcome back @jenpaff

Your site loads for me with no issue at all.

Osiris · January 20, 2021, 5:14pm

The certificate you're currently using is only for www.systers.org and not for the apex domain systers.org.

However, I see you actually did get a certificate with both hostnames issued on the same day as the current certificate:

Can you run certbot certificates to see what certs are available in your certbot?

jenpaff · January 20, 2021, 5:18pm

Found the following certs:
Certificate Name: systers.org
Serial Number: 42822729e381e2cf0bfd182b3e9a3fb49f5
Key Type: RSA
Domains: systers.org www.systers.org
Expiry Date: 2021-04-18 17:49:13+00:00 (VALID: 88 days)
Certificate Path: /pathto/fullchain.pem
Private Key Path: /pathto/privkey.pem
Certificate Name: www.systers.org
Serial Number: 48dbb734dff4821749cc42408de0401225d
Key Type: RSA
Domains: www.systers.org
Expiry Date: 2021-04-18 18:49:35+00:00 (VALID: 88 days)
Certificate Path: /pathto/fullchain.pem
Private Key Path: /pathto/privkey.pem

jenpaff · January 20, 2021, 5:18pm

When i do inspect I get a 403 and it should forward to this welcome site but to https://www.systers.org/mailman/listinfo/systers

rg305 · January 20, 2021, 5:19pm

This works as expected:
http://www.systers.org/
redirects to:
https://www.systers.org/

These, however, don't:
http://systers.org/ [does not redirect to secure site]
https://systers.org/ [has no valid cert to cover this name]

I only bring that up because both names resolve to that same IP:

Name:    systers.org
Address: 52.8.142.181

Name:    www.systers.org
Address: 52.8.142.181

So I would recommend using both names on the cert.

Switch to the first cert and delete the second cert.

jenpaff · January 20, 2021, 5:21pm

do i just delete the 2nd certificate and that's done?

Rip · January 20, 2021, 5:23pm

Good catch. I apparently read to quickly and missed the issue.

rg305 · January 20, 2021, 5:23pm

First: Make sure you point to the first cert.
[then restart Aapche]

Once you get that working right, then.
Second: Delete the unused cert
certbot delete --cert-name www.systers.org

Osiris · January 20, 2021, 5:26pm

No, that would leave your Apache disabled, as it still points to the second cert, but can't find it.

You can manually change the paths in the directives as @rg305 suggests, but you could also run certbot --apache again, but now enter both hostnames again, just like you did the first time. It should ask you if you want to install or re-issue the certificate (as it recognises you already have a cert with both hostnames). The latter (re-issuing) is NOT necessary, choose the former option to install it again.

jenpaff · January 20, 2021, 6:01pm

Great, that solved the problem of the privacy issue , systers.org & www.systers.org are now also secured. THANK YOU.

There's still a 403 error and it's returning the wrong page so if anyone has some advice or idea that would be great

Osiris · January 20, 2021, 6:43pm

~~Try clearing your cache.~~ Nevermind, I have it now too. Both the apex domain as the www subdomain on HTTPS. Unfortunately, I have no experience what so ever with cgi-bin nor mailman. Try looking into your Apache error logs to debug this issue.

Also: http://systers.org/ isn't redirecting to HTTPS. That's probably because your certbot added the redirect previously only for the www subdomain. I guess you manually edited the configuration files to point to the correct certificate files? If that's the case, you should also edit the redirect in the HTTP VirtualHost section to include the apex domain.

jenpaff · January 20, 2021, 7:25pm

Yes thanks for the tip, it does give a hint, but I'm still debugging through it:

Cannot serve directory /usr/lib/mailman/cgi-bin/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive

It was definitely not an issue before i added the Virtualhost for certbot --apache to work.

I guess you manually edited the configuration files to point to the correct certificate files? If that's the case, you should also edit the redirect in the HTTP VirtualHost section to include the apex domain.

Omg i didn't even notice ! THANK YOU ! I think it works now !

Osiris · January 20, 2021, 7:58pm

Now your www subdomain isn't redirecting any longer.. I'm guessing you didn't actually correct the redirect, but changed it from the one domain to the other

You mean you didn't have any virtualhost before?

Perhaps you need to move the ScriptAlias directive and <Directory></Directory> section into the HTTPS VirtualHost? (Just guessing here though..)

jenpaff · January 20, 2021, 8:12pm

oops yes correct

Yeah I can try that

jenpaff · January 20, 2021, 8:47pm

So what fixed my final issue was to put the rewrite rules into the ssl-config created by certbot. it was only in my mailman.conf before !

THANK YOU SO MUCH FOR YOUR PATIENCE WITH ME!

So I'm not overseeing anything, I've tested:

http://systers.org
http://www.systers.org
www.systers.org
systers.org

which should all lead to https://systers.org/mailman/listinfo/systers

P.S.: this is really an awesome community ! thanks so much for your help

griffin · January 20, 2021, 9:41pm

Thanks! We greatly appreciate the wonderful feedback!

The last two will default to the first two in most browsers. I use https://redirect-checker.org to test these things. You appear to be using 302 (temporary) redirects instead of 301 (permanent) redirects.

This:

http://systers.org
200 OK

should be this:

http://systers.org
301 Moved Permanently
https://systers.org
301 Moved Permanently
https://systers.org/mailman/listinfo/systers
200 OK

or this:

http://systers.org
301 Moved Permanently
https://systers.org/mailman/listinfo/systers
200 OK

This:

https://systers.org
302 Found
https://systers.org/mailman/listinfo/systers
200 OK

should be this:

https://systers.org
301 Moved Permanently
https://systers.org/mailman/listinfo/systers
200 OK

This:

http://www.systers.org
301 Moved Permanently
https://www.systers.org/
302 Found
https://systers.org/mailman/listinfo/systers
200 OK

should be this:

http://www.systers.org
301 Moved Permanently
https://www.systers.org/
301 Moved Permanently
https://systers.org
301 Moved Permanently
https://systers.org/mailman/listinfo/systers
200 OK

or this:

http://www.systers.org
301 Moved Permanently
https://www.systers.org/
301 Found
https://systers.org/mailman/listinfo/systers
200 OK

or this:

http://www.systers.org
301 Moved Permanently
https://systers.org/mailman/listinfo/systers
200 OK

This:

https://www.systers.org/
302 Found
https://systers.org/mailman/listinfo/systers
200 OK

should be this:

https://www.systers.org/
301 Moved Permanently
https://systers.org
301 Moved Permanently
https://systers.org/mailman/listinfo/systers
200 OK

or this:

https://www.systers.org/
301 Moved Permanently
https://systers.org/mailman/listinfo/systers
200 OK

Also, don't use rewrite rules if you can use Redirect.

jenpaff · January 20, 2021, 9:31pm

Great, thanks for the advice ! I'll read up on it

system · February 19, 2021, 9:31pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.