I have a system with 2 domains, eg staging5.example.com. Both domains were using LE SSL on Apache just fine (until today). I needed to add a domain, so I blew away the cert and regenerated it with the new domain added, which has a ‘www’, eg www.test.com. The generation process went fine. So 1 domain with www subdomain, and 2 without. This went well and that newly added domain works just as one would expect with both http and https.

What’s strange is that the other 2 domains (that were working fine previously), now insist on redirecting to www.staging* – but only with https. http works fine. No errors with http, content loads normally. But since that www domain does not exists (and hasn’t), the connection consistently dies with a DNS error, but only if using https.

So thinking somewhere an .htaccess file sneaked in, I looked. Could not find. Removed those I did find to make sure. Triple checked main apache and vhost configs. Nothing. Grepped /etc for www references. Nothing useful. Turned on the apache rewrite logs and what’s odd, I can getting logging output with http, but with https there are no new log entries. Its like it never gets far enough for logging. Put debug code in the 2 applications, and its definitely not getting far enough for that.

Telnetting to port 443 and 80 works as expected. Apache runs fine otherwise. System is Ubuntu 16.04 LTS. Tested with curl and wget to eliminate browser caching.

Command line:> $certbot --agree-tos --email programming@me.com --apache -n -d www.test.com -d staging5.example.com -d staging10.example.com

While I doubt this is LE issue per se, I was hoping to pick a brain that’s wiser than mine on where else to look.

Can you post your hostnames, and the output of curl -iL on the relevant URLs? That will make it much easier to help debug. Also a link to your Apache configs would be very helpful.

Speaking generally, Certbot does have code to add redirects, but it should only be invoked when you specifically ask for it. And it wouldn’t redirect between domains, only from HTTP to HTTPS within a domain.

Sure enough!

$ curl -iL https://staging30.resultsbydesign.com
HTTP/1.1 301 Moved Permanently
Date: Fri, 19 Aug 2016 20:42:14 GMT
Server: Apache
Location: http://www.staging30.resultsbydesign.com/
Cache-Control: max-age=3600
Expires: Fri, 19 Aug 2016 21:42:14 GMT
Content-Length: 249
Content-Type: text/html; charset=iso-8859-1

curl: (6) Could not resolve host: www.staging30.resultsbydesign.com

This is the vhost config:

 <VirtualHost *:80 >
         ServerName staging307.resultsbydesign.com
         ServerAdmin webmaster@staging307.resultsbydesign.com
         DocumentRoot /home/clients/staging/307/htdocs/public
         TransferLog /home/clients/staging/307/logs/access_log
         HostNameLookups off
 #       LogLevel alert rewrite:trace6
         ErrorLog /home/clients/staging/307/logs/error_log
         RewriteRule ^/robots.txt /etc/apache2/conf/robots/staging/robots.txt
 </VirtualHost>
  <VirtualHost *:443>
           ServerName staging307.resultsbydesign.com
           ServerAdmin webmaster@staging307.resultsbydesign.com
           DocumentRoot /home/clients/staging/307/htdocs/public
           SSLEngine on
           SSLCertificateFile     /etc/letsencrypt/live/dbs9.dx30.net/fullchain.pem
           SSLCertificateKeyFile  /etc/letsencrypt/live/dbs9.dx30.net/privkey.pem
  </VirtualHost>

Problem domains:

staging307.resultsbydesign.com

Thanks!

Do you have an A record / CNAME for www.staging30.resultsbydesign.com ? it looks as if you are redirecting to the “www” version which isn’t defined.

It looks like this is just the vhost config for staging307. Could you include all other vhost configs, plus apache2.conf?

It does look like you have a blanket redirect rule that adds www to everything, but it sounds like you've looked for the www string everywhere in /etc/, and turned up nothing. Do you have a Redirect permanent directive anywhere in your config?

No, there isn’t one, and don’t really want one. Thanks.

If you don't want a www. then you need to remove the redirect ( stating the obvious I know ) .

What redirects have you got in apache for www ? from what you say ( in that you have done a recureive grep in /etc/ and found nothing with www ? ) is there anything in your .htaccess for the domain ? or, as jsha asks

I can’t find any redirects. If there is one, its not in a very non-obvious place. I physically removed the .htaccess to make sure that wasn’t it. And have grepped -r /etc/apache2 for the word ‘Redirect’. Nothing interesting.

Here ya go. Thanks!

apache2.conf:

ServerRoot: The top of the directory tree under which the server’s

configuration, error, and log files are kept.

Do NOT add a slash at the end of the directory path.

ServerRoot “/etc/apache2”

The accept serialization lock file MUST BE STORED ON A LOCAL DISK.

Mutex file:${APACHE_LOCK_DIR} default

PidFile: The file in which the server should record its process

identification number when it starts.

This needs to be set in /etc/apache2/envvars

PidFile ${APACHE_PID_FILE}

Timeout: The number of seconds before receives and sends time out.

Timeout 45

KeepAlive: Whether or not to allow persistent connections (more than

one request per connection). Set to “Off” to deactivate.

KeepAlive On

MaxKeepAliveRequests: The maximum number of requests to allow

during a persistent connection. Set to 0 to allow an unlimited amount.

We recommend you leave this number high, for maximum performance.

MaxKeepAliveRequests 1500

KeepAliveTimeout: Number of seconds to wait for the next request from the

same client on the same connection.

KeepAliveTimeout 3

These need to be set in /etc/apache2/envvars

User apache

AccessFileName: The name of the file to look for in each directory

for additional configuration directives. See also the AllowOverride

directive.

AccessFileName .htaccess

The following lines prevent .htaccess and .htpasswd files from being

viewed by Web clients.

<Files ~ “^.ht”>
Order allow,deny
Deny from all

HostnameLookups Off

ErrorLog: The location of the error log file.

ErrorLog /var/log/apache2/error.log

LogLevel: Control the number of messages logged to the error_log.

LogLevel warn

Include module configuration:

Include /etc/apache2/mods-enabled/.load
Include /etc/apache2/mods-enabled/.conf

Include ports listing

Include /etc/apache2/ports.conf

The following directives define some format nicknames for use with

a CustomLog directive (see below).

If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i

LogFormat “%h %l %u %t “%r” %>s %b “%{Referer}i” “%{User-Agent}i”” combined
LogFormat “%h %l %u %t “%r” %>s %b” common
LogFormat “%{Referer}i -> %U” referer
LogFormat “%{User-agent}i” agent

ServerTokens

ServerTokens Prod

ServerSignature Off
ServerName dbs9.dx30.net

Include generic snippets of statements

Include /etc/apache2/conf.d/

Include the virtual host configurations:

Include /etc/apache2/sites-enabled/

Virtual Hosts DBS

Include conf/vhosts/vhosts_ssl.conf
#############################################
Include conf/vhosts/vhosts_staging.conf
#######################################################################

vhosts_staging:

@file vhosts_staging.conf

###############################################################################

<VirtualHost *:80 >
ServerName staging30.resultsbydesign.com
ServerAdmin webmaster@staging30.resultsbydesign.com
DocumentRoot /home/clients/staging/30/htdocs/
TransferLog /home/clients/staging/30/logs/access_log
HostNameLookups off
ErrorLog /home/clients/staging/30/logs/error_log
LogLevel warn
ErrorDocument 404 http://staging30.resultsbydesign.com/
# Blocking Spiders
RewriteEngine On

LogLevel alert rewrite:trace6

    RewriteRule ^/robots.txt /etc/apache2/conf/robots/staging/robots.txt

ServerName staging30.resultsbydesign.com ServerAdmin webmaster@staging30.resultsbydesign.com DocumentRoot /home/clients/staging/30/htdocs/ SSLEngine on SSLCertificateFile /etc/letsencrypt/live/dbs9.dx30.net/fullchain.pem SSLCertificateChainFile /etc/letsencrypt/live/dbs9.dx30.net/chain.pem SSLCertificateKeyFile /etc/letsencrypt/live/dbs9.dx30.net/privkey.pem SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 # for testing see: https://www.ssllabs.com/ssltest/analyze.html SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:AES128-SHA TransferLog /home/clients/staging/30/logs/access_log HostNameLookups off ErrorLog /home/clients/staging/30/logs/error_log # LogLevel debug # # ErrorLog /var/log/apache2/ssl_engine.log # LogLevel debug #

staging307

<VirtualHost *:80 >
ServerName staging307.resultsbydesign.com
ServerAdmin webmaster@staging307.resultsbydesign.com
DocumentRoot /home/clients/staging/307/htdocs/public
TransferLog /home/clients/staging/307/logs/access_log
HostNameLookups off
ErrorLog /home/clients/staging/307/logs/error_log

LogLevel warn

    ErrorDocument 404 http://staging307.resultsbydesign.com/
    RewriteEngine On

LogLevel alert rewrite:trace6

    RewriteRule ^/robots.txt /etc/apache2/conf/robots/staging/robots.txt

ServerName staging307.resultsbydesign.com ServerAdmin webmaster@staging307.resultsbydesign.com DocumentRoot /home/clients/staging/307/htdocs/public SSLEngine on SSLCertificateFile /etc/letsencrypt/live/dbs9.dx30.net/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/dbs9.dx30.net/privkey.pem

vhosts_ssl:

@file vhosts_ssl.conf

###############################################################################

dbs9.dx30.net 2016-07-30

<VirtualHost *:80 >
ServerName dbs9.dx30.net
ServerAdmin webmaster@dbswebsite.com
DocumentRoot /etc/apache2/default-site/
HostNameLookups off
LogLevel warn
RewriteEngine on

<VirtualHost 23.253.213.249:443>

ServerName dbs9.dx30.net

RewriteEngine On

# use all three

# SSLEngine On

# SSLCertificateFile /etc/letsencrypt/live/www.oksanamastersusa.com/fullchain.pem

# SSLCertificateChainFile /etc/letsencrypt/live/www.oksanamastersusa.com/chain.pem

# SSLCertificateKeyFile /etc/letsencrypt/live/www.oksanamastersusa.com/privkey.pem

SetEnvIf User-Agent “.MSIE [1-5].” nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

SetEnvIf User-Agent “.MSIE [6-9].” ssl-unclean-shutdown

# https://mozilla.github.io/server-side-tls/ssl-config-generator/ 2016-06-22

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLProtocol all -SSLv2 -SSLv3

SSLHonorCipherOrder on

ServerAdmin webmaster@oksanamastersusa.com

DocumentRoot /etc/apache2/default-site/

HostNameLookups off

LogLevel warn

oksanamastersusa.com 2016-07-30

<VirtualHost *:80 >
ServerName www.oksanamastersusa.com
ServerAdmin webmaster@dbswebsite.com
ServerAlias www.oksanamastersusa.com oksanamastersusa.com
DocumentRoot /home/clients/oksanamastersusa.com/htdocs
TransferLog /home/clients/oksanamastersusa.com/logs/access_log
CustomLog /home/clients/oksanamastersusa.com/logs/access_log combined
HostNameLookups off
ErrorLog /home/clients/oksanamastersusa.com/logs/error_log
LogLevel warn
RewriteEngine on
ErrorDocument 404 http://www.oksanamastersusa.com/

ServerName www.oksanamastersusa.com
ServerAlias www.oksanamastersusa.com oksanamastersusa.com
RewriteEngine On
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/dbs9.dx30.net/fullchain.pem
SSLCertificateChainFile /etc/letsencrypt/live/dbs9.dx30.net/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dbs9.dx30.net/privkey.pem
SetEnvIf User-Agent ".*MSIE [1-5].*"  nokeepalive ssl-unclean-shutdown  downgrade-1.0 force-response-1.0
SetEnvIf User-Agent ".*MSIE [6-9].*"  ssl-unclean-shutdown
# https://mozilla.github.io/server-side-tls/ssl-config-generator/ 2016-06-22
SSLCipherSuite	   ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLProtocol    all -SSLv2 -SSLv3
SSLHonorCipherOrder     on

ServerAdmin webmaster@oksanamastersusa.com
DocumentRoot /home/clients/oksanamastersusa.com/htdocs/
TransferLog /home/clients/oksanamastersusa.com/logs/access_log
CustomLog /home/clients/oksanamastersusa.com/logs/access_log combined
HostNameLookups off
ErrorLog /home/clients/oksanamastersusa.com/logs/error_log
LogLevel warn
ErrorDocument 404 https://www.oksanamastersusa.com/

thecenteronline.org 2016-08-01

<VirtualHost *:80 >
ServerName www.thecenteronline.org
ServerAdmin webmaster@dbswebsite.com
ServerAlias www.thecenteronline.org thecenteronline.org
DocumentRoot /home/clients/thecenteronline.org/htdocs
TransferLog /home/clients/thecenteronline.org/logs/access_log
CustomLog /home/clients/thecenteronline.org/logs/access_log combined
HostNameLookups off
ErrorLog /home/clients/thecenteronline.org/logs/error_log
LogLevel warn
RewriteEngine on
ErrorDocument 404 http://www.thecenteronline.org/

<VirtualHost 23.253.213.249:443>
ServerName www.thecenteronline.org
ServerAlias www.thecenteronline.org thecenteronline.org
RewriteEngine On
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/dbs9.dx30.net/fullchain.pem
SSLCertificateChainFile /etc/letsencrypt/live/dbs9.dx30.net/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dbs9.dx30.net/privkey.pem
SetEnvIf User-Agent “.MSIE [1-5].” nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SetEnvIf User-Agent “.MSIE [6-9].” ssl-unclean-shutdown
# https://mozilla.github.io/server-side-tls/ssl-config-generator/ 2016-06-22
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

ServerAdmin webmaster@thecenteronline.org
DocumentRoot /home/clients/thecenteronline.org/htdocs/
TransferLog /home/clients/thecenteronline.org/logs/access_log
CustomLog /home/clients/thecenteronline.org/logs/access_log combined
HostNameLookups off
ErrorLog /home/clients/thecenteronline.org/logs/error_log
LogLevel warn
ErrorDocument 404 https://www.thecenteronline.org/

sorry for bad formatting …

does

grep -r www /etc/apache2

return anything that could possibly be related to a redirect ? maybe a rewrite rule ?

I really don’t see anything at all. The redirects / rewriterules was my first thought … I’ve looked high and low. If its there, its really sneaky

This is a real stumper, as you said. Looking through the configs you posted, I agree there's nothing in there that should produce the redirect. Though there are some Include directives without their corresponding files, like mods-enabled, ports.conf, and conf.d. Assuming those are the default values, no big, but those are possible places where config could hide.

Looking back over your posts, I noticed your comment that the HTTPS requests don't actually shows up in the logs. Which made me think: Are you positive that Apache is the service listening on 443? You can check with:

sudo fuser -vn tcp 443

Seems like a long shot, since the curl command does yield a Server: Apache line, but always good to rule out all possibilities.

Sounds like there were some results, but not interesting ones- want to share? Often when I'm debugging things, the things that I dismissed as "not interesting" turn out to be the problem.

Also, to check the obvious: I assume you've restarted Apache after each config change, so there's not chance of stale config data?

My next step to debug in this situation would be to copy all the relevant files to a test server, get a simple repro command (like curl -siL https://staging307.resultsbydesign.com | grep 301), then systematically blow away folders and config files while repeating the repro command, until the problem no longer repros. Then you'll know that the problem was in the last thing you deleted.

Thanks. re: 443, yea that works. Way back I mentioned, there are 4 sites on this system, all using LE. The other 2 have canonical domains of www.* and work fine, eg https://www.oksanamastersusa.com.

Well, most were from LetsEncrypt (I have that installed in /etc/apache2). The others are:

/etc/apache2/apache2-bt15.conf:Group www-data
/etc/apache2/apache2-bt15.conf:#ErrorDocument 402 http://www.example.com/subscription_info.html
/etc/apache2/apache2-bt15.conf:RewriteCond %{HTTP_USER_AGENT} ^.*(Harvest|LinkWalker|lwp-trivial|psbot/|RMA|Webster.Pro|Java/1|libwww-perl).*$ [NC]
/etc/apache2/apache2-org.conf:Group www-data
/etc/apache2/apache2-org.conf:#ErrorDocument 402 http://www.example.com/subscription_info.html
/etc/apache2/apache2-org.conf:RewriteCond %{HTTP_USER_AGENT} ^.*(Harvest|LinkWalker|lwp-trivial|psbot/|RMA|Webster.Pro|Java/1|libwww-perl).*$ [NC]
/etc/apache2/apache2.conf:#ErrorDocument 402 http://www.example.com/subscription_info.html
/etc/apache2/apache2.conf.dpkg-dist:<Directory /var/www/>
/etc/apache2/apache2.conf~:#ErrorDocument 402 http://www.example.com/subscription_info.html
/etc/apache2/conf-available/localized-error-pages.conf:#ErrorDocument 402 http://www.example.com/subscription_info.html
/etc/apache2/envvars:## Some packages providing 'www-browser' need '--dump' instead of '-dump'.
/etc/apache2/envvars:#export APACHE_LYNX='www-browser -dump'
/etc/apache2/envvars.dpkg-old:#export APACHE_RUN_USER=www-data
/etc/apache2/envvars.dpkg-old:#export APACHE_RUN_GROUP=www-data
/etc/apache2/envvars.dpkg-old:## Some packages providing 'www-browser' need '--dump' instead of '-dump'.
/etc/apache2/envvars.dpkg-old:#export APACHE_LYNX='www-browser -dump'
/etc/apache2/mods-available/hhvm_proxy_fcgi.conf:ProxyPassMatch ^/(.+\.(hh|php)(/.*)?)$ fcgi://127.0.0.1:9000/var/www/$1
/etc/apache2/mods-available/mime.conf:  # See http://www.iana.org/assignments/character-sets for the
/etc/apache2/sites-available/default-ssl.conf:          DocumentRoot /var/www/html
/etc/apache2/sites-available/default-tls.conf:  DocumentRoot /var/www/html
/etc/apache2/sites-available/default-tls.conf:  <Directory /var/www/html>
/etc/apache2/sites-available/default-tls.conf:  #   See http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities
/etc/apache2/sites-available/default.dpkg-dist: DocumentRoot /var/www
/etc/apache2/sites-available/default.dpkg-dist: <Directory /var/www/>

Good thoughts on debugging. I had tried removing .htaccess but not the other stuff. I’ll put that on the TODO list. Thanks.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.