Certbot does not turn on rewrite engine


#1

Not sure if this would be considered a bug or how to test or reproduce but thought to post here in case anyone else has had this issue and it helps.

Ran the command

sudo certbot --authenticator webroot --installer apache

Followed instructions to get certificate installed and enabled in Apache but after apache restart was still unable to access site through https. The problem turned out to be certbot never added the “RewriteEngine on” to the http vhost, once added all worked as expected.

Debian 9.4 Stretch
Apache 2.4.25
certbot 0.25.0


#2

Hi,

Thank you for reporting this… (Pinging let’s encrypt staff now…)(although I think I should ping a certbot staff…)

@bmw @erica

Thank you


#3

It should do that.

Perhaps you could open an issue on the certbot github site? And include your Apache configuration if you would.


#4

You could also post the Certbot log from /var/log/letsencrypt and the Apache configuration here on the forum first just so that we could have a look at it (but I agree that it sounds like a potential bug).


#5

Below is what I think is relevant section of letsencrypt log, what seems strange here is the sites available.conf does not seem to be updated and the “already enabled redirect for this vhost” lines.

2018-08-28 22:56:53,836:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/archive.
2018-08-28 22:56:53,836:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/live.
2018-08-28 22:56:53,837:DEBUG:certbot.storage:Archive directory /etc/letsencrypt/archive/mysite.com and live directory /etc/letsencrypt/live/mysite.com created.
2018-08-28 22:56:53,837:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/live/mysite.com/cert.pem.
2018-08-28 22:56:53,837:DEBUG:certbot.storage:Writing private key to /etc/letsencrypt/live/mysite.com/privkey.pem.
2018-08-28 22:56:53,837:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/live/mysite.com/chain.pem.
2018-08-28 22:56:53,838:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/live/mysite.com/fullchain.pem.
2018-08-28 22:56:53,838:DEBUG:certbot.storage:Writing README to /etc/letsencrypt/live/mysite.com/README.
2018-08-28 22:56:53,847:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer apache
2018-08-28 22:56:53,850:DEBUG:certbot.cli:Var authenticator=webroot (set by user).
2018-08-28 22:56:53,854:DEBUG:certbot.cli:Var installer=apache (set by user).
2018-08-28 22:56:53,869:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/mysite.com.conf.
2018-08-28 22:56:53,871:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mysite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mysite.com/privkey.pem
Your cert will expire on 2018-11-26. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
2018-08-28 22:56:53,884:INFO:certbot_apache.configurator:Created an SSL vhost at /etc/apache2/sites-available/mysite.com-le-ssl.conf
2018-08-28 22:56:53,896:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-available/mysite.com-le-ssl.conf
2018-08-28 22:56:53,974:INFO:certbot_apache.override_debian:Enabled Apache socache_shmcb module
2018-08-28 22:56:54,199:INFO:certbot_apache.override_debian:Enabled Apache ssl module
2018-08-28 22:56:54,516:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-available/mysite.com-le-ssl.conf
2018-08-28 22:56:54,517:INFO:certbot_apache.override_debian:Enabling available site: /etc/apache2/sites-available/mysite.com-le-ssl.conf
2018-08-28 22:56:54,759:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-available/mysite.com-le-ssl.conf
2018-08-28 22:58:11,062:WARNING:certbot_apache.configurator:Added an HTTP->HTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.
2018-08-28 22:58:11,119:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/mysite.com.conf
2018-08-28 22:58:11,142:INFO:certbot_apache.configurator:Redirecting vhost in /etc/apache2/sites-enabled/mysite.com.conf to ssl vhost in /etc/apache2/sites-available/mysite.com-le-ssl.conf
2018-08-28 22:58:11,143:DEBUG:certbot_apache.configurator:Already enabled redirect for this vhost
2018-08-28 22:58:11,364:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

Here is my sites available .conf file, its the second RewriteEngine on directive that had to be added manually.

# Default virtual host config for mysite.com

    <VirtualHost *:80>
            ServerName www.mysite.com
            ServerAlias mysite.com
            DocumentRoot /srv/www/mysite.com

            <Directory /srv/www/mysite.com>
                    Options +FollowSymLinks
                    AllowOverride All
                    Require all granted
                    RewriteEngine on
                    RewriteBase /
                    RewriteCond %{REQUEST_FILENAME} !-f
                    RewriteCond %{REQUEST_FILENAME} !-d
                    RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
            </Directory>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mysite.com [OR]
    RewriteCond %{SERVER_NAME} =www.mysite.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>

#6

So you mean certbot did add the RewriteCond and RewriteRule, but only not the RewriteEngine on directive?

Or did it add nothing at all?


#7

Yes, that’s right, it was only the RewriteEngine on that was not added but without that going to http://mysite.com did not work.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.