Does renewing change configuration again?


#1

Today I installed a cert for a domain (darkstar7.com) using the (excellent) Digital Ocean howto 1. It succeeded but the http to https redirection was not happening.

I was able to fix this easily - the Apache Virtual Host config file looked like this after running certbot and before my correction:

<VirtualHost *:80>
        # ...
        ServerName darkstar7.com
        ServerAdmin webmaster@darkstar7.com
        DocumentRoot /srv/www/darkstar7.com
        DirectorySlash Off

        # ...
        LogLevel info

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # ...

        RewriteEngine on
        RewriteCond "%{REQUEST_URI}" "!^(/index\.php|/robots\.txt|/favicon\.ico)$"
        RewriteCond "%{REQUEST_URI}" "!^/images/(.*)\.(jpg|png|jpeg|gif)$"
        RewriteCond "%{REQUEST_URI}" "!^/css/(.*)\.css$"
        RewriteCond "%{REQUEST_URI}" "!^/js/(.*)\.js$"
        RewriteRule ^(.*)$ /index.php/$1 [L]

RewriteCond %{SERVER_NAME} =www.darkstar7.com [OR]
RewriteCond %{SERVER_NAME} =darkstar7.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

I guessed that the request was fully answered before the new lines added by certbot. But my original rewrite rules were unnecessary when the request was going to be forwarded, so I just took out the first rewrite rule and now it forwards correctly:

<VirtualHost *:80>
        # ...
        ServerName darkstar7.com
        ServerAdmin webmaster@darkstar7.com
        DocumentRoot /srv/www/darkstar7.com
        DirectorySlash Off

        # ...
        LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # ...

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =www.darkstar7.com [OR]
        RewriteCond %{SERVER_NAME} =darkstar7.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

The new conf file added by certbot has the original block of rewrite rules so after the request gets on the https, it is handled correctly.

Certbot actually warns about this situation, when installing cert the output includes this:

Added an HTTP->HTTPS rewrite in addition to other
RewriteRules; you may wish to check for overall consistency.

I don’t mind doing this correction once per domain to get them set up. My question is, will I have to make the same correction again every time each certificate is renewed?

EDIT: Sorry, I just realized this is a dumb question because now that the original rewrite rule is out of the http conf, there will be nothing for certbot to change, even if it was going to.

Originally the question was going to make sense because I was going to move the new rule above the old one, but now that does not apply.

I might like to delete this but maybe should leave it in case someone needs to know how to redirect if they have rewrite rules that would prevent it.
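As an added illustration (not part of the original post or of Certbot's own output), here is the same site laid out so the two sets of rules cannot interfere. The cause of the failure above is rule ordering: the front-controller rule carries `[L]`, so once it matches, mod_rewrite stops and the HTTP->HTTPS rule that Certbot appended after it is never reached. Putting the redirect first in the port-80 vhost, and keeping the application rules only in the port-443 vhost, removes the dependency on where Certbot inserts its lines. The `-le-ssl.conf` file name and the `/etc/letsencrypt/live/...` certificate paths follow Certbot's usual Apache layout; check them against what Certbot actually wrote on your system.

```apache
# /etc/apache2/sites-available/darkstar7.com.conf
# Port 80 has one job: send every request to HTTPS. No application
# rules live here, so nothing can match and stop processing with [L]
# before the redirect fires.
<VirtualHost *:80>
        ServerName darkstar7.com
        ServerAlias www.darkstar7.com
        ServerAdmin webmaster@darkstar7.com
        DocumentRoot /srv/www/darkstar7.com

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine on
        # Same redirect Certbot adds; it is now the only rule, and it comes first.
        RewriteCond %{SERVER_NAME} =www.darkstar7.com [OR]
        RewriteCond %{SERVER_NAME} =darkstar7.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# /etc/apache2/sites-available/darkstar7.com-le-ssl.conf (written by Certbot;
# the application rules are moved here, where requests are actually answered)
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName darkstar7.com
        ServerAlias www.darkstar7.com
        ServerAdmin webmaster@darkstar7.com
        DocumentRoot /srv/www/darkstar7.com
        DirectorySlash Off

        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        # Paths assume Certbot's standard layout; confirm on your host.
        SSLCertificateFile    /etc/letsencrypt/live/darkstar7.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/darkstar7.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        RewriteEngine on
        # Front-controller rule from the original post: static assets are
        # served directly, everything else goes through index.php.
        RewriteCond "%{REQUEST_URI}" "!^(/index\.php|/robots\.txt|/favicon\.ico)$"
        RewriteCond "%{REQUEST_URI}" "!^/images/(.*)\.(jpg|png|jpeg|gif)$"
        RewriteCond "%{REQUEST_URI}" "!^/css/(.*)\.css$"
        RewriteCond "%{REQUEST_URI}" "!^/js/(.*)\.js$"
        RewriteRule ^(.*)$ /index.php/$1 [L]
</VirtualHost>
</IfModule>
```

After `apachectl configtest` and a reload, a quick check is `curl -sI http://darkstar7.com/some/page`: the response should be a `301` with `Location: https://darkstar7.com/some/page`, and the same request over `https://` should be answered by `index.php`. If the plain-HTTP request returns `200` instead, a rule with `[L]` is still sitting in front of the redirect in the port-80 vhost.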


#2

No you will not.

If you’re performing renewal with the command certbot renew (which is recommended and is what is done in crontabs and systemd timers included in Certbot packages from OS package managers), Certbot doesn’t change the files in your Apache configuration at all. It just writes the new certificate to disk, fixes up some symlinks in /etc/letsencrypt, and has Apache reload its config so it begins using the new certificate.

Even if you obtain a new certificate through a command like certbot run (which is the same as running Certbot without a subcommand) and you ask for a redirect, Certbot will recognize the redirect it added and tell you it has already been set up.


#3

Thank you.

My edit above, but good to know about the behavior of the renew too.

I’m liking LE, this will be easy on the remaining domains now that I know how.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.