Can't get HTTPS via certbot ssl to work on my Website


#1

Hi folks, I successfully installed a Certbot certificate on my website, but if I try to open the website in a browser it still shows a warning, which reads: “the website you’re trying to reach isn’t safe…reason: unknown certificate.” I installed Certbot via SSH and the automated installation process. Does anybody have an idea where I made a mistake?

My domain is:
www.tobiaswichmann.com
I ran this command:
sudo certbot --apache
It produced this output:
“the website you’re trying to reach isn’t safe…reason: unknown certificate.”

My web server is (include version):

The operating system my web server runs on is (include version):
windows

My hosting provider, if applicable, is:
ovh

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Putty


#2

Hi @Lamalord3000

checking your site via https://check-your-website.server-daten.de/?q=tobiaswichmann.com , there are two problems:

Your certificate:

CN=www.tobiaswichmann.com 10.12.2018 10.03.2019 www.tobiaswichmann.com - 1 entry

is valid, but has only one name, the www-version. Perhaps you should create one certificate with two domain names:

certbot [your other flags] -d www.tobiaswichmann.com -d tobiaswichmann.com

Then you can use one certificate with both domain names.

But your configuration:


| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://tobiaswichmann.com/ 51.75.68.68 | 302 | https://tobiaswichmann.com/ | 0.040 | A |
| http://www.tobiaswichmann.com/ 51.75.68.68 | 301 | https://www.tobiaswichmann.com/ | 0.036 | A |
| https://tobiaswichmann.com/ 51.75.68.68 | 302 | https://tobiaswichmann.com/ | 1.553 | L |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| https://www.tobiaswichmann.com/ 51.75.68.68 | 302 | https://tobiaswichmann.com/ | 1.304 | B |

Your www redirects to non-www, your non-www+https - redirects to non-www+https, so you have a direct loop (Grade L).

So first remove this loop-creating redirect.


#3

Thanks, that’s a big help! I'm super new to all of this, so this may be a dumb question, but how do I fix this redirect loop? :slight_smile:


#4

Check or share your Apache vHost - configuration.

There must be a Rewrite rule with a redirect.

Or you use a .htaccess file with such a rule.


#5

Hello Juergen, unfortunately I can’t find the vHosts configuration file. What I have in my apache 2 folder are the following: apache2.conf conf-enabled magic mods-enabled sites-available ssl
conf-available envvars mods-available ports.conf sites-enabled ssl.conf

Is it located in one of those? Thanks again for the help.


#6

Check

and your main config file apache2.conf.

PS: Your loop is a https - loop, so check your ssl-configs.


#7

Hi Jürgen, sorry for the late answer. I think I finally found the vhost config file under sites-enabled:

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    Redirect "/" "https://tobiaswichmann.com/"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    ServerName www.tobiaswichmann.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.tobiaswichmann.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.tobiaswichmann.com/privkey.pem
</VirtualHost>


So what lines did I mess up? :smiley:


#8

There is your redirect. This is ok in a port 80 block. But if this is in a port 443 block, then it’s a loop.


#9

OK thanks, so I should change the address to “https://www.tobiaswichmann.com” and the loop should be fixed?


#10

What happens if you redirect an address to the same address? That is a loop.


#11

OK, so I just erase it completely?


#12

From the <VirtualHost *:443> block, yes, just erase it completely. If you have a similar redirect in a <VirtualHost *:80> block you can leave that there.


#13

Thanks for the help so far. Unfortunately, removing the lines didn't fix the loop. I'm open to any suggestions on what to do now :slight_smile:


#14

Looks like you have yet another redirect somewhere. The one that’s kicking in now has an additional error, it’s removing the slash from the end of the domain name (e.g. try requesting https://www.tobiaswichmann.com/test and you get redirected to https://www.tobiaswichmann.comtest - that didn’t happen before, I think). So look through the rest of your Apache configuration including any .htaccess files for another redirect or rewrite rule that might be causing this.


#15

Looks like you have created such a redirect instead of removing it.

The missing slash produces additional problems.

https + www + Non-slash redirects to the same.
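
The loop from posts #8 to #12 and the missing-slash symptom from posts #14 and #15 can be reproduced offline with a simplified model of how Apache's `Redirect` appends the rest of the request path to its target. This is an added example, not code from the thread: `HOSTS`, `trace` and the rule tables are hypothetical names, and `NO_SLASH` is an assumed form of the second redirect, which the thread never shows.

```python
from urllib.parse import urlsplit

# Hosts answered by the server in this thread (both names point to it).
HOSTS = {"tobiaswichmann.com", "www.tobiaswichmann.com"}

def mod_alias_redirect(prefix, target, path):
    """Simplified model of `Redirect prefix target`: when the request path
    starts with prefix, the remainder of the path is appended to target."""
    if not path.startswith(prefix):
        return None
    return target + path[len(prefix):]

def trace(url, rules, max_hops=10):
    """Follow redirects. rules maps scheme -> (prefix, target), i.e. one
    Redirect per port block. Returns (chain, verdict)."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        if parts.hostname not in HOSTS:
            return chain, "unknown host"   # redirect left the site
        rule = rules.get(parts.scheme)
        nxt = mod_alias_redirect(rule[0], rule[1], parts.path or "/") if rule else None
        if nxt is None:
            return chain, "ok"             # no redirect: content is served
        chain.append(nxt)
        if nxt in chain[:-1]:
            return chain, "loop"           # same URL seen twice
    return chain, "too many hops"

# Redirect as posted inside the :443 block (post #7).
POSTED = {"https": ("/", "https://tobiaswichmann.com/")}
# Assumed form of the later redirect: target without the trailing slash.
NO_SLASH = {"https": ("/", "https://www.tobiaswichmann.com")}
# Redirect kept only in the :80 block, none in :443 (post #12).
FIXED = {"http": ("/", "https://tobiaswichmann.com/")}

if __name__ == "__main__":
    cases = [
        ("posted", POSTED, "https://www.tobiaswichmann.com/test"),
        ("no slash", NO_SLASH, "https://www.tobiaswichmann.com/test"),
        ("no slash, root", NO_SLASH, "https://www.tobiaswichmann.com/"),
        ("fixed", FIXED, "http://www.tobiaswichmann.com/test"),
    ]
    for name, rules, start in cases:
        chain, verdict = trace(start, rules)
        print(f"{name}: {verdict}: {' -> '.join(chain)}")
```
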