Debian (jessie) and Apache2: Installed Let's Encrypt certificate, but the domain won't change to port 443


#1

This is the error message from the web browser when I put the IP address and the port 443:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.10 (Raspbian) Server at Port 443

Port 443 is open on server.
SSL Certificate was installed with tls-sni
Is there something I should add to the 000-default.conf file?


#2

With what in front of it exactly? Because the following error:

…suggests you’re using http:// in front of your IP address, while you should use https:// (just one letter extra! Subtle difference!) when you want to talk HTTPS.

Also, normally it shouldn’t be necessary to specify port 443 if you use https://, as that port number is the default.


#3

I did. It still didn’t work. Is it normal to have snake oil in default ssl file?


#4

What command did you use to install the cert? (If you run certbot certonly, it doesn’t attempt to install it at all.)


#5

I used certbot-auto certonly --standalone \


#6

So, that obtained a cert for you which will be somewhere in /etc/letsencrypt/live, but it didn’t try to install it. You’ll need to edit your web server configuration files in order to install the cert yourself.


#7

Using --standalone also means that you’ll need to shut down your web server briefly every time you renew the certificate.


#8

What do I edit the web server configuration file to?


#9

You should have a file in /etc/apache2/sites-available defining a virtual host for your existing site.

In the same directory, you should make a copy of that file with a new name—when Certbot does this for you it would use the existing filename with -le-ssl added before the .conf extension—and edit the copy so it refers to :443 instead of :80 and contains (for Apache 2.2)

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf

or (for Apache 2.4)

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Then run sudo a2ensite and tell it the name of the new virtual host file.

If you want to redirect HTTP requests to HTTPS, you can also add lines like

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

in the original non-HTTPS virtual host configuration file.

Here, I used example.com, but you’ll need to substitute the name of your own site as found in /etc/letsencrypt/live.
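
Added example, not part of the original thread: a shell check that reports which certificate each VirtualHost block serves, so a leftover snakeoil default (the question in #3) or a :443 virtual host without SSLEngine on shows up before Apache is reloaded. The function names, status labels and sample files are constructed for this example, and the snakeoil paths assume Debian's stock default-ssl.conf.

```shell
#!/bin/sh
# Added example: report the TLS state of every <VirtualHost> block in the given
# Apache config files. Prints one "<address> <STATUS>" line per block.
audit_vhost() {
  awk '
    { low = tolower($0); sub(/^[ \t]+/, "", low) }
    low ~ /^#/ { next }   # skip comment lines
    low ~ /^<virtualhost[ \t]/ { addr = $2; sub(/>$/, "", addr); engine = 0; cert = "" }
    low ~ /^sslengine[ \t]+on/ { engine = 1 }
    low ~ /^sslcertificatefile[ \t]/ { cert = $2; gsub(/"/, "", cert) }
    low ~ /^<\/virtualhost>/ {
      if (addr !~ /:443$/)                           s = "PLAIN_HTTP"
      else if (!engine)                              s = "NO_SSLENGINE"
      else if (cert ~ /snakeoil/)                    s = "SNAKEOIL_CERT"
      else if (cert ~ /^\/etc\/letsencrypt\/live\//) s = "LETSENCRYPT_CERT"
      else                                           s = "OTHER_CERT"
      print addr, s
    }
  ' "$@"
}

demo() {
  tmp=$(mktemp -d)
  # Constructed sample files; example.com is the placeholder used in the thread.
  cat > "$tmp/default-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
EOF
  cat > "$tmp/000-default-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
EOF
  cat > "$tmp/000-default.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
</VirtualHost>
EOF
  audit_vhost "$tmp/default-ssl.conf" "$tmp/000-default-le-ssl.conf" "$tmp/000-default.conf"
  rm -rf "$tmp"
}
demo
```

On a real server the function would be pointed at /etc/apache2/sites-enabled/*.conf, since only enabled sites are served.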


#10

If you obtain the certificate without certonly and using --apache, Certbot will try to do this for you (although a different set of problems could potentially arise).

It’s also possible to run Certbot with -a standalone -i apache to attempt to obtain the certificate with the standalone plugin and then install it using the apache plugin.


#11

OK, I removed the old certificates from the server and instead used certbot --apache. It works.

