Drupal 7 and Lets’ encrypt redirection problems

ShimonD · January 20, 2020, 3:48am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Shimon Dekel

I ran this command:sudo certbot --apache -d new.domain2.com

It produced this output: (OK)

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:apache2

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

ShimonD · January 20, 2020, 3:49am

Desperately seeking help,

I am hosting multiple Drupal 7 sites on one Ubuntu 16 on AWS using apache2.

I have domain1.com and new.domain2.com

In the DNS level, I am pointing to this computer IP for domain1.com and www.domain1.com

I am also pointing to this IP with “new.domain2.com” (while domain2.com and www.domain2.com points to another server (new.domain2.com is in development to replace the old one at domin2.com))

Domain1.com is naturally setup in a sub-directory called “site/domain1.com”, and no extra work is needed.

In the case of domin2, the directory is called “site/domain2.com” but using the redirection file in “sites/sites.php” I internally change “new.domain2.com” to “domain2.com” using the line: “$sites['new.domain2.com'] = 'domain2.com';”

So far everything works just fine the redirection from new.domain2.com to domain2.com is done by “sites/sites.php”.

Now I wanted to install let’s encrypt on both domains.

I used the instruction in: How To Secure Apache with Let's Encrypt on Ubuntu 16.04 | DigitalOcean

I used the following lines to create the SSL Certificates:

sudo certbot --apache -d domain1.com -d www.domain1.com

and

sudo certbot --apache -d new.domain2.com

The results are:

http://domain1.com is redirected to https://domain1.com and shows: “your connection is not private” NET::ERR_CERT_COMMON_NAME_INVALID

http://new.domain2.com: fine but says “Not Secure.”

https://new.domin2.com: fine and secure (as it should be)

In trying to assess the problem with my limited knowledge, I believe that the redirect used by Drupal and the redirect used by “certbot” are conflicting or simply not playing nice.

What I am seeking is help in debugging or solving this or someone pointing me to a similar problem solved by others or at least a good article explaining the redirecting system used by let’s encrypt and Drupal.

Thanks in advance

rg305 · January 20, 2020, 5:33am

This would be ten times easier if you would just answer all the questions.
Namely:

That is NOT a domain; that is a persons name.

And again with random "example" information.

So the best we can do, at this point, is to just guess...

Well, I guess that you are using Apache and it is a real mess.
It runs, but only because it is quite difficult to "configure" apache in a way that it will NOT run.
That doesn't make it "right" it just means it is trying its' best to understand what you want it to do.

But don't take my guess as fact.
Try something that might shed some light on the presumed "mess":
apachectl -S

Then I also guess that your cert has only one name.
So when you access the same vhost config (back to the messy configuration) via more than that one "correct" name the others return the insecure connection warning.

But I could be completely wrong.
I mean I am only guessing here...

ShimonD · January 20, 2020, 7:58am

Hi,

Sorry about not completing the list of questions, but here it is now:

My domain is:

Domain1.com is hobbygap.com

Domain2.com is new.perot.org.il

I ran this command: sudo certbot --apache -d new.perot.org.il

It produced this output: OK, all fine (but I did not record the exact answer)

My web server is (include version): Server version: Apache/2.4.18 (Ubuntu) Server built: 2019-09-16T13:13:53

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):NO ( I have sudo root access

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): “certbot 0.31.0”

Running: apachectl -S

“AH00526: Syntax error on line 34 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:

SSLCertificateFile: file '/etc/letsencrypt/live/new.perot.org.il/fullchain.pem' does not exist or is empty

Action '-S' failed.

The Apache error log may have more information.”

Looking further: “etc/apache2/sites-enabled/000-default-le-ssl.conf” Is pointing to: “/sites-available/000-default.conf”

This file contain (the end of it)

following line enables the CGI configuration for this host only

after it has been globally disabled with "a2disconf".

#Include conf-available/serve-cgi-bin.conf

ServerName hobbygap.com

Include /etc/letsencrypt/options-ssl-apache.conf

ServerAlias www.hobbygap.com

ServerAlias new.perot.org.il

SSLCertificateFile /etc/letsencrypt/live/new.perot.org.il/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/new.perot.org.il/privkey.pem

Line 48 is the 4th from the end: “SSLCertificateFile /etc/letsencrypt/live/new.perot.org.il/fullchain.pem”

I hope this info will help anyone direct me to the right place

Thanks

Shimon Dekel

JuergenAuer · January 20, 2020, 8:33am

Hi @ShimonD

checking your domains that can't work.

You have two certificates - https://check-your-website.server-daten.de/?q=hobbygap.com#ct-logs

Issuer	not before	not after	Domain names	LE-Duplicate	next LE
Let's Encrypt Authority X3	2020-01-18	2020-04-17	hobbygap.com, www.hobbygap.com - 2 entries	duplicate nr. 1

And https://check-your-website.server-daten.de/?q=new.perot.org.il#ct-logs

Issuer	not before	not after	Domain names	LE-Duplicate	next LE
Let's Encrypt Authority X3	2020-01-18	2020-04-17	new.perot.org.il - 1 entries	duplicate nr. 1

That's ok, different domain names, different certificates.

But one vHost can use one certificate. So your new.. is ok, your hobbygap not.

Split your existing vHost in two vHosts.

One with

ServerName hobbygap.com
ServerAlias www.hobbygap.com

the other with the ServerName new... Then check your certificates with

certbot certificates

to find your certificate and use that in your vHost with the hobbygap domain. Then apachectl -S again (after a restart).

ShimonD · January 21, 2020, 10:50am

Thanks for your help,

I was hoping to avoid getting into Apache, vHost and Name based server as I had everything working in Drupal using a single file called sites.php, but it looks like I will have to learn it all before I can continue with multiple sites on one server.

However, since “hobbygap.com” is a future project, my “perot.org.il” is my concern at the moment and since it’s almost working all I have to fix is: to direct HTTP to https.

I wonder if you have a simple suggestion on how to correct this? (before I get deep into Apache.)

Thanks in advance

Shimon Dekel

rg305 · January 21, 2020, 1:32pm

Try: https://www.drupal.org/https-information

JuergenAuer · January 21, 2020, 1:37pm

If your Apache / vHost configuration is buggy, you have to fix your config.

PS:

Then check that domain with the online tool to see, if the redirects are ok. You can't check redirects with a browser, too much caching.

ShimonD · January 21, 2020, 1:51pm

Looks good I will read this tonight.
Thanks

system · February 20, 2020, 1:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.