Can't get redirection to https working after setup with Certbot


#1

Hey all,

I’m having a few headaches trying to enforce strict SSL across my website. I used this straightforward tutorial from DO to install and set up Let’s Encrypt on my Ubuntu 16.10 droplet: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04. While running the setup, I specifically enabled the option to enforce all requests to redirect to https, which never worked as expected.

This is the production site: https://misterioterror.com

Both non-www and www have working certificates. I simply want to redirect http://, http://www and https://www to https://. However, Let’s Encrypt seems to have modified a configuration file somewhere that escapes me. If I use any mod_rewrite rule or even a simple redirect / https://misterioterror.com, the entire site will stop working and Chrome will complain about infinite redirections.

These are my virtual hosts:

/etc/apache2/sites-enabled/misterioterror.com.conf

<VirtualHost *:80>
        ServerName misterioterror.com
        ServerAlias www.misterioterror.com
        ServerAdmin admin@misterioterror.com
        DocumentRoot /var/www/misterioterror.com/public_html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

/etc/apache2/sites-enabled/misterioterror.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName misterioterror.com
        ServerAlias www.misterioterror.com
        ServerAdmin admin@misterioterror.com
        DocumentRoot /var/www/misterioterror.com/public_html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLCertificateFile /etc/letsencrypt/live/misterioterror.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/misterioterror.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

I ran out of ideas, so I will greatly appreciate any help you can provide. Is it perhaps some issue with 16.10?

Thanks a lot in advance!


#2

I haven’t worked with apache in several years (I greatly prefer nginx), but: the vhosts you gave us don’t have any redirection logic in them, and I atleast will need to seemore config files (someone who works with aache mayalreadknow what’s going on).


#3

Precisely, any redirection logic, even the simplest one will completely break the site. Sure, I can share any config file needed to diagnose the problem.


#4

Hello @agustincordes,

No, the problem is not in Let’s Encrypt side, is in the way you are trying to perform the redirect.

This is because you are using a redirect inside the <VirtualHost *:443> redirecting to https://misterioterror.com and you have defined misterioterror.com and www.misteriorterror.com inside the same block. If you try to reach https://www.misterioterror.com apache will reach this virtualhost block and it will see a redirect to https://misterioterror.com and will follow it but it will reach again the same virtualhost block and again will try to follow the redirect, and so on… ;).

You need to create a new virtualhost block for www.misterioterror.com and create there the redirect, something like this:

/etc/apache2/sites-enabled/misterioterror.com.conf

<VirtualHost *:80>
        ServerName misterioterror.com
        ServerAlias www.misterioterror.com
        ServerAdmin admin@misterioterror.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        Redirect / https://misterioterror.com/
</VirtualHost>

/etc/apache2/sites-enabled/misterioterror.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName www.misterioterror.com
        ServerAdmin admin@misterioterror.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLCertificateFile /etc/letsencrypt/live/misterioterror.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/misterioterror.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        Redirect / https://misterioterror.com/
</VirtualHost>

<VirtualHost *:443>
        ServerName misterioterror.com
        ServerAdmin admin@misterioterror.com
        DocumentRoot /var/www/misterioterror.com/public_html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLCertificateFile /etc/letsencrypt/live/misterioterror.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/misterioterror.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

I hope this helps.

Cheers,
sahsanu


#5

Thanks for the detailed response. At least in my case, that’s not the solution. I pasted your examples as-is and double-checked everything. Still get an infinite redirection complain even if I attempt browsing https://misterioterror.com

I don’t get it. Those are the two only virtual hosts I have in sites-enabled.


#6

I suspect it’s probably related to you using Cloudflare ? are you using cloudflare ? if so what settings have you got there ? If you’re using Flexible SSL and configure your web server to redirect all requests to HTTPS, you’ll see an infinite redirect loop.


#7

Interesting, I didn’t realize about that. I do have Cloudflare and SSL is currently set to Flexible, but HTTPS redirects are not enabled.

However, I defined those A/CNAME records as DNS-only and now it works. So Cloudflare is causing the issue… Wonder what that is.


#8

Update: setting SSL to Full (strict) seems to have resolved the issue. I’ll check again tomorrow after these DNS changes have fully propagated.

I’m not sure Cloudflare is worth all this trouble…


#9

No more issues, so it was indeed Cloudflare fooling around with my site. Leaving SSL to Full (strict) solved the problem, but I suspect it was an odd behavior related to DNS caching.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.