Ok let's go the other route:
Let's fix this line instead; as it would match all unmatched names:
Redirect 301 / "https://bearclawats.com"
needs to be:
Redirect 301 / "https://bearclawats.com/"
[standby thinking]
Ok, fixing the line, 1 sec.
Wait - that won't fix this.
It will just send all requests for all names to one single HTTPS name.
You need this (without condition - for all conditions):
I just did what you suggested and reloaded apache, the result is the same from when we removed the redirect line.
Please hold off on running certbot until asked to do so.
You run the risk of hitting a rate limit.
I have been running it with --dry-run, just an FYI but I will hold off.
--dry-run is the right thing to do!
You can do those as much as you like
OK, let's see the vhost config for prod, please show this file:
I know, which is why I use it until the issue is resolved, but this is definitely puzzling.
Sure thing, here you go.
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host
SSLEngine on
# SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
I really don't have anything in ssl.conf for that vhost.
That can't be right - part of the file is missing and it has no servername...
How can this be?:
*:80 bearclawats.com (/etc/httpd/conf/httpd.conf:354)
*:443 is a NameVirtualHost
default server prod.bearclaw.io (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost prod.bearclaw.io (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost bearclawats.com (/etc/httpd/conf/httpd.conf:366)
alias www.bearclawats.com
OK, maybe prod.bearclaw.io is the server's defined name (elsewhere).
[this is bad practice and Apache looks the other way all too often]
Hold on, let me copy that again 1 sec. Sorry about that.
Do you really even use https://prod.bearclaw.io/ ?
Or you just need the cert for other services?
I use https://prod.bearclaw.io for webmin, which is essentially like an admin portal. By the way, here is line 56:
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
I think I understand what is going on here.
This is really running on sheer luck.
We need to fix this from the ground up.
There is no real functional HTTP, nor HTTPS, site for prod.
[it merely hangs on by the default settings in the default ssl.conf file]
Do you know how to write a vhost config file?
Do you know all the things that you would need in it (or can we just go with the bare minimums)?
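A bare-minimum pair of vhosts of the kind being asked about here, as an added example and not a file from this thread: the hostname and ports are the ones under discussion, while the DocumentRoot, log file names and the certbot-style certificate paths are assumptions about this server.

```apache
# Added example (not from the thread): minimal HTTP + HTTPS vhosts for
# prod.bearclaw.io so the name no longer depends on the stock _default_:443
# block in ssl.conf. DocumentRoot, log names and cert paths are assumptions.

# Port 80: own the name explicitly, then send it to HTTPS.
# Target ends in "/" so Redirect maps the path prefix "/" onto
# "https://prod.bearclaw.io/" and the rest of the request path is kept.
<VirtualHost *:80>
    ServerName   prod.bearclaw.io
    DocumentRoot /var/www/prod
    ErrorLog     logs/prod_error_log
    CustomLog    logs/prod_access_log combined

    # Keep http-01 validation reachable over plain HTTP so renewals with
    # certbot do not depend on the HTTPS side being healthy.
    RedirectMatch 301 "^/(?!\.well-known/acme-challenge/)(.*)$" "https://prod.bearclaw.io/$1"
</VirtualHost>

# Port 443: a real named vhost with its own certificate, not the fallback
# localhost.crt that the default ssl.conf hands out.
<VirtualHost *:443>
    ServerName   prod.bearclaw.io
    DocumentRoot /var/www/prod
    ErrorLog     logs/prod_ssl_error_log
    CustomLog    logs/prod_ssl_access_log combined

    SSLEngine on
    # Only modern TLS; SSLv2/SSLv3 and TLS 1.0/1.1 are disabled.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Standard certbot layout (assumption): fullchain.pem already includes the
    # intermediate, so no separate SSLCertificateChainFile is needed.
    SSLCertificateFile    /etc/letsencrypt/live/prod.bearclaw.io/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/prod.bearclaw.io/privkey.pem
</VirtualHost>
```

After `apachectl configtest`, `apachectl -S` should list `port 443 namevhost prod.bearclaw.io` pointing at this file instead of ssl.conf:56; the stock `_default_:443` block then only serves as the fallback for names that have no vhost of their own.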
Correct, there is a different service that runs on port 10000, but I configured it to use the letsencrypt cert.
So do you...
Do you really even use https://prod.bearclaw.io/ ? [on port 443]
I do understand that you need the cert - but that is easier to get than to write a whole site (that won't ever be used).