Apache 2.4.41 + FreeBSD 12.1 + certbot 1.2.0 + LetsEncrypt (Redirect not working)

Root Access: Yes
Domain: sharpenyoursword.org
CDN: No
DNS Self Hosted: Yes

http://sharpenyoursword.org error

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Apache redirect lines added by certbot to sharpenyoursword.org.conf:

RewriteEngine on
RewriteCond %{SERVER_NAME} =sharpenyoursword.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
##
# @package    Joomla
# @copyright  Copyright (C) 2005 - 2019 Open Source Matters. All rights reserved.
# @license    GNU General Public License version 2 or later; see LICENSE.txt
##

##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line 'Options +FollowSymLinks' may cause problems with some server configurations.
# It is required for the use of Apache mod_rewrite, but it may have already been set by
# your server administrator in a way that disallows changing it in this .htaccess file.
# If using it causes your site to produce an error, comment it out (add # to the
# beginning of the line), reload your site in your browser and test your sef urls. If
# they work, then it has been set by your server administrator and you do not need to
# set it here.
##

## No directory listings
<IfModule autoindex>
  IndexIgnore *
</IfModule>

## Suppress mime type detection in browsers for unknown types
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

## Can be commented out if causes errors, see notes above.
## DISABLED for SOLVE from old CentOS File
#Options +FollowSymlinks
Options -Indexes

## Mod_rewrite in use.

RewriteEngine On

## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site then comment out the operations listed
# below by adding a # to the beginning of the line.
# This attempts to block the most common type of exploit `attempts` on Joomla!
#
# Block any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root home page
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.
## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
## End - Custom redirects

##
# Uncomment the following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root).
##

# RewriteBase /

## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.

Thanks for everything!

Best Regards and God bless,

Brandon Kastning

Hi @BrandonKastning

Your port 80 is an https port, not an http port.

Is your router configuration correct?

External port 80 -> internal port 80?

Yep - Grade Q - https://check-your-website.server-daten.de/?q=sharpenyoursword.org

https://www.sharpenyoursword.org:80/

works.

There is an Apache. What does the following say?

apachectl -S

JuergenAuer,

Thank you for your time and free Certs!

Here is an output to the following:

apachectl -S

VirtualHost configuration:
104.36.16.72:80        sharpenyoursword.org (/usr/local/etc/apache24/Vhosts-Enabled/001_www.sharpenyoursword.org.conf:4)
104.36.16.72:443       sharpenyoursword.org (/usr/local/etc/apache24/Vhosts-Enabled/001_www.sharpenyoursword.org.conf:71)

Best Regards,

Brandon Kastning

I know that's what Certbot added, and that sort of code can also be found in other online guides, but I never liked that sort of thing. It's ugly, unclear, and hard to read.

I have the same setup as you (Apache 2.4.41, FreeBSD 12.1), but I manually added the following to my vhosts:

<VirtualHost *:80>
    ServerName darksteve.tk
    Redirect permanent / https://darksteve.tk/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /usr/local/www/mainsite
    ServerName darksteve.tk
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/darksteve.tk/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/darksteve.tk/privkey.pem"
</VirtualHost>

That makes it nice and clear what's happening. If anybody connects to my domain via HTTP, they are simply redirected to the HTTPS version of the site. I've been using this setup now for years without issue. ACME's http-01 authentication works fine. (Just add whatever HSTS or other settings you need in the 443 section, I took them out of my example.)

You should take JuergenAuer's advice and check your setup as he suggests, but there's possibly a conflict between some of your existing config settings and what Certbot added. I'd back up your current vhost.conf files (just in case!) and try cleaning up the port 80 site redirects/rewrites.

I hope that helps and doesn't make things more confusing or contradictory! There are often multiple ways of doing things, and the above works perfectly with Apache on FreeBSD 12.1. It's clear and easy to understand, which is great when you go back into it in a year's time to make updates and need to figure out what's happening :wink:

DarkSteve,

Thank you for the information you provided and the example of your vhosts. I commented out my lines and cloned your example; restarted apache and I am still receiving the same error.

As far as JuergenAuer advised… regarding routing… I haven’t even deployed a firewall at this time yet. I am working on getting all my configurations working properly before fortifying the server (reasoning: to ensure proper configuration). Routing shouldn’t be an issue at all. I am guessing it’s my Apache settings somehow… I also am using a .htaccess for rewrite… however the error I am receiving looks like Apache's.

Thanks again!

Brandon Kastning

Works http internal?

curl http://www.sharpenyoursword.org/

Error or content?

If error:

curl https://www.sharpenyoursword.org:80/

The content of that file?

JuergenAuer,

Error sir.

Contents of 001_www.sharpenyoursword.org.conf:

# TLD - SHARPENYOURSWORD.ORG
# HTTP - PORT: 80

<VirtualHost 104.36.16.72:80>
ServerAdmin admin@sharpenyoursword.org

ServerName sharpenyoursword.org:80

DocumentRoot "/usr/local/www/apache24/CONTENT_PATH/"

<Directory "/usr/local/www/apache24/CONTENT_PATH/">

    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>

<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "/usr/local/www/apache24/logs/error/001_apache24_port80-sharpenyoursword.org-main-error.log"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/www/apache24/logs/access/001_apache24_port80-sharpenyoursword.org-access_log common

LogLevel warn

<IfModule log_config_module>

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
    </IfModule>

</IfModule>

## SHARPENYOURSWORD.ORG

#<FilesMatch "\.php$">
#    <If "-f %{REQUEST_FILENAME}">
#      SetHandler "proxy:unix:/var/run/sharpenyoursword.org-php-fpm.sock|fcgi://localhost/"
#    </If>
#</FilesMatch>

<FilesMatch "\.(php|phtml|inc)$">
    SetHandler "proxy:fcgi://127.0.0.1:9001"
</FilesMatch>



ServerAlias sharpenyoursword.org
Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.sharpenyoursword.org
SSLCertificateFile /usr/local/etc/letsencrypt/live/sharpenyoursword.org/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/sharpenyoursword.org/privkey.pem

RewriteEngine on
RewriteCond %{SERVER_NAME} =sharpenyoursword.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

# TLD - SHARPENYOURSWORD.ORG
# HTTPS - PORT: 443

<VirtualHost 104.36.16.72:443>
ServerAdmin admin@sharpenyoursword.org

ServerName sharpenyoursword.org:443

DocumentRoot "/usr/local/www/apache24/CONTENT_PATH/"

<Directory "/usr/local/www/apache24/CONTENT_PATH/">

    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>

<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "/usr/local/www/apache24/logs/error/001_apache24_port443-sharpenyoursword.org-main-error.log"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/www/apache24/logs/access/001_apache24_port443-sharpenyoursword.org-access_log common

LogLevel warn

<IfModule log_config_module>

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
    </IfModule>

</IfModule>

## SHARPENYOURSWORD.ORG
#<FilesMatch "\.php$">
#    <If "-f %{REQUEST_FILENAME}">
#      SetHandler "proxy:unix:/var/run/sharpenyoursword.org-php-fpm.sock|fcgi://localhost/"
#    </If>
#</FilesMatch>

<FilesMatch "\.(php|phtml|inc)$">
    SetHandler "proxy:fcgi://127.0.0.1:9001"
</FilesMatch>



ServerAlias sharpenyoursword.org
Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.sharpenyoursword.org
SSLCertificateFile /usr/local/etc/letsencrypt/live/sharpenyoursword.org/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/sharpenyoursword.org/privkey.pem

</VirtualHost>

Thanks again!

~ Brandon Kastning

Your port 80 vHost is an SSL host. Then the result is expected.

Create a standard port 80 vHost without SSL. Check your documentation.

Remove your port 80 virtualhost and replace it with:

<VirtualHost 104.36.16.72:80> 
# Do you need the ip? You only need it if the machine has several.
# Otherwise, use <VirtualHost *:80> 

ServerName sharpenyoursword.org
ServerAlias www.sharpenyoursword.org

</VirtualHost>

Then run certbot enhance --redirect

and add

RewriteCond %{SERVER_NAME} =www.sharpenyoursword.org
RewriteRule ^ https://sharpenyoursword.org%{REQUEST_URI} [END,NE,R=permanent]

OR

RewriteCond %{SERVER_NAME} =sharpenyoursword.org
RewriteRule ^ https://www.sharpenyoursword.org%{REQUEST_URI} [END,NE,R=permanent]

to the https (port 443) virtualhost. (It depends on whether you want your website to be known with or without www. The one you prefer goes on the second line, the “RewriteRule”.)

9peppe,

I went ahead with that and it did not work. I don’t want to use www. ; a redirect from www. to https://sharpenyoursword.org would be fine.

Still getting the 400 Bad Request.

Thanks!

Then you should use the first snippet (port 443):

RewriteCond %{SERVER_NAME} =www.sharpenyoursword.org
RewriteRule ^ https://sharpenyoursword.org%{REQUEST_URI} [END,NE,R=permanent]

Show me your current port 80 configuration, please

9peppe,

Here it is:

# TLD - SHARPENYOURSWORD.ORG
# HTTP - PORT: 80

<VirtualHost 104.36.16.72:80>
ServerAdmin admin@sharpenyoursword.org

#ServerName sharpenyoursword.org:80
ServerName sharpenyoursword.org
ServerAlias www.sharpenyoursword.org

DocumentRoot "/usr/local/www/apache24/DATA_PATH/"

<Directory "/usr/local/www/apache24/DATA_PATH/">

    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>

<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "/usr/local/www/apache24/logs/error/001_apache24_port80-sharpenyoursword.org-main-error.log"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/www/apache24/logs/access/001_apache24_port80-sharpenyoursword.org-access_log common

LogLevel warn

<IfModule log_config_module>

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
    </IfModule>

</IfModule>

## SHARPENYOURSWORD.ORG

#<FilesMatch "\.php$">
#    <If "-f %{REQUEST_FILENAME}">
#      SetHandler "proxy:unix:/var/run/sharpenyoursword.org-php-fpm.sock|fcgi://localhost/"
#    </If>
#</FilesMatch>

<FilesMatch "\.(php|phtml|inc)$">
    SetHandler "proxy:fcgi://127.0.0.1:9001"
</FilesMatch>



ServerAlias sharpenyoursword.org
Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.sharpenyoursword.org
SSLCertificateFile /usr/local/etc/letsencrypt/live/sharpenyoursword.org/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/sharpenyoursword.org/privkey.pem

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.sharpenyoursword.org
#RewriteCond %{SERVER_NAME} =sharpenyoursword.org
RewriteRule ^ https://sharpenyoursword.org%{REQUEST_URI} [END,NE,R=permanent]
#RewriteCond %{SERVER_NAME} =sharpenyoursword.org
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

This server has tons of IPs and is required for the deployment of mass sub-domains.

Thanks!

You should remove most of it. The only thing your port 80 virtualhost should do is redirect to https on port 443 and not get in the way of certificate validation. You can replace the port 80 virtualhost with

<VirtualHost 104.36.16.72:80> 
ServerName sharpenyoursword.org
ServerAlias www.sharpenyoursword.org

DocumentRoot "/usr/local/www/apache24/DATA_PATH/"
</VirtualHost>

and then run certbot enhance --redirect

If you encounter errors, post them here.

The directory can be different, but certbot might get confused.
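The root cause in this thread was a port 80 vhost that pulled in TLS settings (options-ssl-apache.conf sets SSLEngine on) alongside the certificate directives, so Apache answered plain HTTP with the 400 shown at the top. The following is an added example, not code from the thread or from certbot: a small Python lint that parses a vhost file and flags any port 80 VirtualHost carrying TLS directives. The sample configs, IP and hostnames are constructed.

```python
import re

# Constructed sample mirroring the broken layout from this thread: the :80 vhost
# includes certbot's options-ssl-apache.conf plus certificate directives.
BROKEN = """
<VirtualHost 192.0.2.10:80>
ServerName example.org
ServerAlias www.example.org
Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /usr/local/etc/letsencrypt/live/example.org/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/example.org/privkey.pem
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName example.org
SSLEngine on
</VirtualHost>
"""

# Constructed sample of the minimal :80 vhost recommended above (TLS only on :443).
FIXED = """
<VirtualHost 192.0.2.10:80>
ServerName example.org
ServerAlias www.example.org
DocumentRoot "/usr/local/www/apache24/DATA_PATH/"
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName example.org
SSLEngine on
</VirtualHost>
"""

# Any of these inside a :80 block turns it into a TLS listener, which makes Apache
# reject plain HTTP with "You're speaking plain HTTP to an SSL-enabled server port".
SSL_DIRECTIVES = re.compile(
    r"^\s*(SSLEngine\s+on|SSLCertificateFile|SSLCertificateKeyFile|"
    r"Include\s+\S*options-ssl-apache\.conf)", re.I | re.M)
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def lint_port80(config: str) -> list:
    """Return one finding per port 80 vhost that carries TLS directives."""
    findings = []
    for m in VHOST.finditer(config):
        addrs, body = m.group(1), m.group(2)
        # Address list may be "1.2.3.4:80 *:80"; flag the block if any entry is :80
        if not any(a.rsplit(":", 1)[-1] == "80" for a in addrs.split()):
            continue
        hits = [h.group(0).strip() for h in SSL_DIRECTIVES.finditer(body)]
        if hits:
            findings.append(f"<VirtualHost {addrs}> is TLS-enabled via: " + ", ".join(hits))
    return findings
```

Point it at the real vhost file with `lint_port80(open(path).read())`; an empty list means no port 80 block will produce the 400.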

9peppe,

100% Solved! Thank you good sir!

God bless you and your family!

~ Brandon Kastning

Run certbot renew --dry-run and see if it works.

9peppe,

I received lots of errors on other domains and sub-domains (since they were all using the same old config that wasn’t working).

This is the output for the domain listed:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/sharpenyoursword.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sharpenyoursword.org
http-01 challenge for www.sharpenyoursword.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/usr/local/etc/letsencrypt/live/sharpenyoursword.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Is there a way to specify a domain for certbot renew --dry-run ?

Thanks again! Looking good!

For a single domain I don't think so, but you should be able to specify --cert-name sharpenyoursword.org to select a single certificate.


9peppe,

Thank you for your help! And thank you to everyone else on this thread!

~ Best,

Brandon Kastning
