Certbot.exe certonly --standalone does not produce desired outcome

You could also look at the mod_md feature in Apache. It supports all 3 challenge types and you use that instead of Certbot. These are the 2.5 docs for Apache, but it has been part of Apache since 2.4.30. A skilled Apache admin would probably even find this easier to use than Certbot. There is also a helpful GitHub (link here)

Apache mod_md docs:
https://httpd.apache.org/docs/trunk/mod/mod_md.html

5 Likes

hello MikeMcQ, thanks for the reply, good info... so having found "found it... --no-redirect" I was all gung-ho, but all my domains are timed out till next week... so I got a new domain, did all the hocus pocus and tested this:
"certbot.exe certonly --standalone --no-redirect --config-dir" created perfect data in the designated directories and the certs looked good... however I feel like I am in beta mode... this is what I get when testing the new domain for non-SSL... "Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please." ... what happened to my "--no-redirect"? does this not mean that all traffic, i.e. port 80 to a non-SSL address, will NOT be redirected to SSL port 443... any thoughts? thanks in advance

1 Like

Do your Apache VirtualHosts still look like your example in post #15?

Because if a client (like a browser) makes an HTTP request to your domain the port 80 VirtualHost will process it. The #15 example redirects all requests to HTTPS. That tells the browser to try again using HTTPS which is then received by your VirtualHost on port 443.

Your post #15 looks good so not sure. Sometimes people with home setups config their router wrong and route port 80 requests to port 443 thinking that does the redirect. It does not. That would just send an HTTP request to your HTTPS (port 443) VirtualHost and cause a message like you just described.

You can see your VirtualHosts with

sudo apachectl -t -D DUMP_VHOSTS

On some systems you need to use apache2ctl or httpd instead of apachectl.
And omit sudo if you don't need it.

For each domain name there should be one for port 80 and one for port 443.

3 Likes
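To go with the DUMP_VHOSTS check above, here is an added diagnostic (example code, not from this thread, Certbot or Apache) that classifies what a port 80 VirtualHost answers to a plain HTTP request: a real Apache redirect (3xx plus Location), the "plain HTTP to an SSL-enabled server port" 400 error that points at port 80 traffic landing on the TLS vhost (for instance a router forwarding 80 to 443), or a page served over plain HTTP. The sample responses are constructed, and example.com is a placeholder.

```sh
#!/bin/sh
# Added example, not from the thread. Capture real headers and body with
#   curl -sS -i http://example.com/ | classify_http_response
# (example.com is a placeholder for the domain being tested).

classify_http_response() {
    # Reads an HTTP response (headers, optional body) on stdin and prints:
    #   redirect:<location>  3xx with Location: the Apache redirect that
    #                        Certbot's --redirect / --no-redirect controls
    #   tls-port-mismatch    400 whose body says plain HTTP hit the TLS port
    #   plain-http           2xx served over HTTP, no redirect configured
    #   unknown:<status>     anything else
    status=""; location=""; tls_error=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')     # strip CRLF endings
        case "$line" in
            HTTP/*) status=$(printf '%s' "$line" | cut -d' ' -f2) ;;
            [Ll]ocation:*) location=$(printf '%s' "${line#*:}" | sed 's/^ *//') ;;
            *"plain HTTP to an SSL-enabled server port"*) tls_error=1 ;;
        esac
    done
    case "$status" in
        301|302|307|308) [ -n "$location" ] && { printf 'redirect:%s\n' "$location"; return 0; } ;;
        400) [ "$tls_error" -eq 1 ] && { printf 'tls-port-mismatch\n'; return 0; } ;;
        2??) printf 'plain-http\n'; return 0 ;;
    esac
    printf 'unknown:%s\n' "$status"
}

# Constructed sample responses (not captured from any real server).
sample_redirect() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\nContent-Length: 0\r\n\r\n'
}
sample_tls_mismatch() {
    printf "HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n<p>Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />\n"
}
sample_plain() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>\n'
}

sample_redirect | classify_http_response
sample_tls_mismatch | classify_http_response
sample_plain | classify_http_response
```

A "tls-port-mismatch" result with no redirect in the Apache config means the request never reached the port 80 VirtualHost as plain HTTP, so the fix is in the network path, not in Certbot options.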

hello MikeMcQ... looked at "GitHub - icing/mod_md: Let's Encrypt (ACME) in Apache httpd and mod_md - Apache HTTP Server Version 2.5" and noticed this: "Status: Experimental". did you get a working config using md_module??
will have to check regarding your post #22

hello MikeMcQ... setup has not changed from post #15... no external router redirects... this is an onsite commercial install, multiple domains, 10 years running, new app install, hence a massive upgrade to the latest Apache, Perl, PHP, SSL, etc.... using another external IP/PC source to test in real time... no Tor or DNS clients... I am still hung up on "--no-redirect", maybe there are some limitations... or of course the thing is still in beta... thanks

I think that is a misunderstanding and has nothing to do with this.

First, you used that option on a certbot certonly command. The --no-redirect is ignored when doing certonly. It only applies when using an install command.

Second, even when the --no-redirect applies it just changes how Certbot adjusts the Apache VirtualHost. Normally when Certbot "installs" your cert it adds a redirect from your HTTP VirtualHost to HTTPS. Using --no-redirect tells Certbot not to add this redirect.

A Certbot "install" is really just changing your Apache config. There is no other software installed to handle HTTP(S) requests. It is all just Apache after the Certbot command is complete.

Anything going wrong handling the HTTP request can be debugged using normal Apache methods (logs, dump_vhosts, ...).

If you want to share your actual Apache config I could say more, but without that we are left to give general comments. In this case start with the result of the DUMP_VHOSTS command I described.

4 Likes

You need to do your testing on the testing environment - not production

4 Likes

hello @rg305... well advised... so I did... used "certbot.exe certonly --standalone --test-cert --no-redirect --config-dir"... completed on 10 domains, all separate transactions, emails and accounts... account creation perfect... directories delegated perfectly... tested from an external IP/PC... "Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please." tested on Firefox/Edge. I am assuming that the newly created accounts have overridden all previous creations as of 11:33 AM 5/19/2023... if not, old data might be the issue... will then not be able to confirm till next week... thanks for your reply

correction: just saw "First, you used that option on a certbot certonly command. The --no-redirect is ignored when doing certonly. It only applies when using an install command"

Please show the secure vhost config file.

4 Likes

hello... I want to use "enhance" to bypass the redirect, but am having trouble with the command
"certbot.exe enhance -d anydomain.com --standalone --test-cert --config-dir"; the enhance directive is not right... please be kind enough to advise... thanks in advance

https://eff-certbot.readthedocs.io/en/stable/using.html

I'm not sure what all "enhance" can do.

3 Likes

You could just remove the redirect from your Apache config

The Certbot renew will not re-insert it. Certbot only sets that when initially configuring (installing) a certificate.

4 Likes

hello mike... thanks for the feedback... I do not have a redirect in my config... the redirect comes from the SSL cert... enhance says it does not use redirect, having issues with the proper usage form... thanks

No, it doesn't. Can you explain in more detail why you think that?

When we say "redirect" it usually means a 301 or 302 (or even 307) HTTP code sent by a webserver with a "Location" header to tell the client (browser, ...) to try another URL.

The cert has nothing to do with that. Apache does that.

If you provide a real domain name and URL that is doing this "redirect" we can look at it and help explain further.

4 Likes

based on searching all of my config I cannot detect the redirect... so the SSL cert, when directed to a non-SSL address, must be telling the server to be on SSL, hence the server's error message 301 or 302 or custom... I want to disable the redirect function in the SSL, hence the enhance usage, but cannot get the cmd directive right, tried help examples to no avail... thanks for your reply

thought I'd share... more info here: "What exactly does Let's Encrypt certbot's `enhance` command? - Server Fault". so the usage is "certbot.exe enhance"; get the options with certbot.exe --help enhance.
This is used after you have created your certs, hence the term "enhance". Use it to change your current config; if you are using a plugin, i.e. apache, this can add or remove it via --redirect or --no-redirect. Since I configured my apache config manually I have to look elsewhere for the redirect on my server from non-SSL to SSL. wish I had known this about 1k hours ago. I am still getting redirect errors on port 80 asking me to use SSL.
so it continues... thanks for your feedback

4 Likes

thought I'd give a shout of gratitude to all that replied... after resolving all underlying issues for 10 domains certbot works flawlessly as advertised... hence cross your T's and dot your i's
FYI httpd-2.4.57-win64-VS17, strawberry-perl-5.32.1.1-64bit, php-8.2.6-Win32-vs16-x64
hope this will help someone else

2 Likes
