Apache Ubuntu Redirect SSL

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: datastore.ro

My web server is (include version) Apache 2.4:

The operating system my web server runs on is (include version): Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi,

It seems that the redirection engine didn’t add a slash after the rewrite…
Could you share the virtual host files with us?

Thank you

Hi @letsencryptdeb

as written in another thread ( SSL works for Chrome browser, but not for Safari or Firefox ):

In your port 80 - vHost something like

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

In your port 443 - vHost something like

RewriteEngine on
RewriteCond %{SERVER_NAME} =notpreferredVersion
RewriteRule ^ https://preferredVersion%{REQUEST_URI} [END,QSA,R=permanent]

But if you use additional settings or if the redirects come from a program, that may not work.

PS: You have some redirects. But the first row is wrong - missing /, so /.well-known/acme-challenge is redirected to a non-existent domain -> Grade R.

Change one thing - then recheck your domain ( https://check-your-website.server-daten.de/?q=datastore.ro ) to see if that has an effect.

Happy to read that it works.

These are two nameservers of the ro zone:

sec-dns-a.rotld.ro
sns-pb.isc.org / pb-ams-ns2.sns.isc.org

Only the management of the ro-zone can change that.

But you can add a CAA entry to limit which CA can create certificates.

Yes Juergen.
I did not know how to set up the preferred vs non preferred version and my rewrite rule was somehow different than yours.

Is it better to have that CAA entry and limit which CA can create certificates, or just leave it as it is?
In case I want to limit which CA creates certificates, what should I add to my bind server?

Thank you

It’s your decision.

Sslmate - https://sslmate.com/caa/ - has a small editor to create the correct entries. But you can add additional things - then sslmate is limited.

If you check my main domain, then you see:

server-daten.de has a complicated CAA policy that this tool doesn't support: issue and issuewild parameters are not supported

It has two entries - letsencrypt.org; and the accounturi.

No. That’s an informational thing, nothing else.

Thank you very much Juergen for all your support.
Have a great evening.

Hi Juergen,

Can you help me troubleshoot the problem below?


I did everything like in the previous domain (datastore.ro) but I got stuck with this one.

Have a great day.

Do you see the

show header:

box? Then you see the cookie that isn’t marked as secure.

Yes. I see the show header box.

What should I do in this case?

This is a web application security issue, not a certificate or HTTPS issue.

It has to do with preventing attacks in which a malicious network generates HTTP links to your site in order to watch users’ browsers transmit the cookie unencrypted (or in which the user types in the HTTP version of your site and transmits the cookie unencrypted).

In this case, you should look at your web application or web application framework and see if there’s a way to set more security headers. If you don’t understand this, you might want to look for a tutorial on web application security or on security headers. I’m sure this topic has been widely discussed around the Internet. :slight_smile:
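An added example, not written by anyone in this thread: a Python check for the two findings discussed above, a redirect target missing the `/` between host and path and a cookie sent without the `Secure` attribute. The function names are hypothetical and all URLs and header values are constructed samples.

```python
from urllib.parse import urlsplit


def missing_slash_redirect(request_url, location):
    """Return the intended host if the first path segment of the request was
    glued onto the hostname of the redirect target, otherwise None."""
    req, loc = urlsplit(request_url), urlsplit(location)
    segment = req.path.lstrip("/").split("/", 1)[0].lower()
    loc_host = (loc.hostname or "").lower()
    # A request for "/" has no segment to glue on, so the home page can
    # redirect correctly while /.well-known/acme-challenge/ does not.
    if not segment or not loc_host.endswith(segment):
        return None
    intended = loc_host[: -len(segment)]
    req_host = (req.hostname or "").lower()
    base = req_host[4:] if req_host.startswith("www.") else req_host
    # Only report when the remainder is the site's own www or non-www name.
    return intended if intended in (base, "www." + base) else None


def cookies_without_secure(set_cookie_headers):
    """Return the names of cookies whose Set-Cookie value lacks Secure."""
    names = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        attributes = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attributes:
            names.append(parts[0].split("=", 1)[0])
    return names


# Constructed sample data (not taken from the sites in this thread).
SAMPLE_REQUEST = "http://example.com/.well-known/acme-challenge/token"
SAMPLE_BAD_LOCATION = "https://example.com.well-known/acme-challenge/token"
SAMPLE_GOOD_LOCATION = "https://example.com/.well-known/acme-challenge/token"
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "lang=en; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print(missing_slash_redirect(SAMPLE_REQUEST, SAMPLE_BAD_LOCATION))
    print(missing_slash_redirect(SAMPLE_REQUEST, SAMPLE_GOOD_LOCATION))
    print(cookies_without_secure(SAMPLE_COOKIES))
```
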
