Enhance redirect fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: reica.no-ip.org

I ran this command: https://reica.no-ip.org

It produced this output: no output

My web server is (include version): apache2 version 2.4.29

The operating system my web server runs on is (include version): armhf ubuntu 18.04

My hosting provider, if applicable, is: localhost (reica.no-ip.org)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): n/a

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0-1

Installation of certificate all Ok
How do I set virtual host to respond to https ? https://reica.no-ip.org does not work. I tried “certbot enhance --redirect” but it failed.
Can anyone help?
BTW http works fine. Apache2 is working Ok.

Hi @rein

you have created two identical certificates ( https://check-your-website.server-daten.de/?q=reica.no-ip.org#ct-logs ):

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
984654465 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-24 21:14:18 2019-09-22 21:14:18 reica.no-ip.org - 1 entries duplicate nr. 2
981181481 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-22 22:46:03 2019-09-20 22:46:03 reica.no-ip.org - 1 entries duplicate nr. 1

So the certificate creation part has worked.

But your domain is invisible:

Domainname Http-Status redirect Sec. G
• http://reica.no-ip.org/
120.154.158.177 -14 10.030 T
Timeout - The operation has timed out
• https://reica.no-ip.org/
120.154.158.177 -14 10.027 T
Timeout - The operation has timed out
• http://reica.no-ip.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
120.154.158.177 -14 10.030 T
Timeout - The operation has timed out
Visible Content:

Only timeouts. Which command had you used to create these certificates?

What says

certbot certificates

Hi Juergen. You may have tried reica.no-ip.org while it was offline while I was trying to solve the problem. The cert with id 981181481 was lost and I started again on another SD card and a new certificate using certbot.
There must be a configuration problem somewhere that prevents the system from listening on port 443. I am not new to linux but not very savvy of ssl stuff. My site (family stuff, photos and family trees) has been running for years as an http site. I am trying to make it more secure with ssl encryption. Maybe you can give me a few pointers in the right direction to solve the problem.

1 Like

sorry, forgot to answer your query:
root@reica:/etc/apache2# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: reica.no-ip.org
Domains: reica.no-ip.org
Expiry Date: 2019-09-22 21:14:18+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/reica.no-ip.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/reica.no-ip.org/privkey.pem


root@reica:/etc/apache2#

1 Like

After certbot enhance --redirect (which now works!) I get the following after http://reica.no-ip.org :

Bad Request

Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Apache/2.4.29 (Ubuntu) Server at reica.no-ip.org Port 443

https://reica.no-ip.org times out

1 Like

Yep, now you have done something wrong ( https://check-your-website.server-daten.de/?q=reica.no-ip.org ):

Domainname Http-Status redirect Sec. G
• http://reica.no-ip.org/
120.154.158.177 400 0.743 M
Bad Request
• https://reica.no-ip.org/
120.154.158.177 -14 10.023 T
Timeout - The operation has timed out
• https://reica.no-ip.org:80/
120.154.158.177 200 3.913 Q
• http://reica.no-ip.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
120.154.158.177 400 0.750 M
Bad Request
Visible Content: Bad Request Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache/2.4.29 (Ubuntu) Server at reica.no-ip.org Port 443

https + port 80 has the standard Apache page:

Apache2 Ubuntu Default Page It works! This is the default welcome page used to test the correct operation of the Apache2 server after installation on Ubuntu systems.

Do you have a wrong port forwarding? Looks like you use

port 80 extern -> port 443 intern, because the error message shows the port 443, but port 80 is connected.

Port forwarding always:

Port 80 extern -> port 80 intern
Port 443 extern -> port 443 intern

No port 443 rule -> timeout.

Hi Juergen,

Yes, https://reica.no-ip.org:443 works fine. But of course it should not be necessary to include the port.

I checked my NBN modem: port 80 / 80 and port 443 / 443 are forwarded for http and https .

I think the problem lies somewhere in apache2.conf or in the virtual host config files.

If it is of any value I could send you these files to have a look at them. I am keen to get this sorted before I put back the contents of my website.

Kind regards,

Rein Mann

1 Like

Now your https works (without the port):

Domainname Http-Status redirect Sec. G
• http://reica.no-ip.org/
120.154.158.177 400 0.733 M
Bad Request
• https://reica.no-ip.org/
120.154.158.177 200 3.666 B
• https://reica.no-ip.org:80/
120.154.158.177 200 3.140 Q

But your http is wrong, port 80 sends https content, not http content.

Maybe a problem creating the next certificate. What says

apachectl -S

1 Like

root@reica:~# apache2ctl -S
VirtualHost configuration:
*:443 reica.no-ip.org (/etc/apache2/sites-enabled/reica.no-ip.org-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server reica.no-ip.org (/etc/apache2/sites-enabled/reica.no-ip.org-le-ssl.conf:2)
port 80 namevhost reica.no-ip.org (/etc/apache2/sites-enabled/reica.no-ip.org-le-ssl.conf:2)
port 80 namevhost reica.no-ip.org (/etc/apache2/sites-enabled/reica.no-ip.org.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
root@reica:~#

1 Like

There you see the problem.

You have two identical combinations port 80 and domain name, one is in your ssl-config file. Remove that entry.

Every combination of port and domain name should be unique.

1 Like

Hi Juergen, Many thanks for your help ! Seems to work perfectly now.

The fault was indeed in reica’s SSL vhost config.

Was <VirtualHost *:443 *:80>

Now <VirtualHost *:443>

Kind regards,

Rein

1 Like

Yep, that's bad. Then https is preferred, so the server sends https over port 80.
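The check Juergen did by eye on the `apache2ctl -S` listing (the same port/name combination declared in two files) and the `<VirtualHost *:443 *:80>` tag that caused it can both be caught mechanically. The script below is an added example, not code from the thread or from Certbot/Apache: it parses the VirtualHost section that `apache2ctl -S` prints, reports every (port, ServerName) pair declared more than once, and scans a config file for a VirtualHost opening tag that binds more than one port. The sample dump is the one quoted above; the SSL config snippet is constructed from the before/after tags Rein posted and is labelled as such.

```python
"""Flag duplicate Apache vhost declarations and multi-port VirtualHost tags.

Added example (not from the thread). Usage on a live box:
    apache2ctl -S 2>&1 | python3 vhost_check.py
or run as-is to check the constructed sample below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: the VirtualHost section of the apache2ctl -S output
# quoted in the thread (the :80 vhost is declared twice).
SAMPLE_DUMP = """\
VirtualHost configuration:
*:443                  reica.no-ip.org (/etc/apache2/sites-enabled/reica.no-ip.org-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server reica.no-ip.org (/etc/apache2/sites-enabled/reica.no-ip.org-le-ssl.conf:2)
         port 80 namevhost reica.no-ip.org (/etc/apache2/sites-enabled/reica.no-ip.org-le-ssl.conf:2)
         port 80 namevhost reica.no-ip.org (/etc/apache2/sites-enabled/reica.no-ip.org.conf:1)
ServerRoot: "/etc/apache2"
"""

# Constructed SSL vhost file in the broken shape Rein described, and the fix.
BROKEN_SSL_CONF = """\
<IfModule mod_ssl.c>
<VirtualHost *:443 *:80>
    ServerName reica.no-ip.org
    SSLEngine on
</VirtualHost>
</IfModule>
"""
FIXED_SSL_CONF = BROKEN_SSL_CONF.replace("*:443 *:80", "*:443")

# Two line shapes appear in the dump:
#   "*:443  name (file:line)"             a single vhost on that address
#   "port 80 namevhost name (file:line)"  one of several name-based vhosts
SINGLE_RE = re.compile(r'^\S*:(\d+)\s+(\S+)\s+\((.+):(\d+)\)\s*$')
NAMEVHOST_RE = re.compile(r'^port\s+(\d+)\s+namevhost\s+(\S+)\s+\((.+):(\d+)\)\s*$')
VHOST_OPEN_RE = re.compile(r'<VirtualHost\s+([^>]+)>', re.IGNORECASE)


def parse_vhost_dump(text):
    """Return (port, name, file, line) for every vhost declaration in the dump."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAMEVHOST_RE.match(line) or SINGLE_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            entries.append((int(port), name.lower(), path, int(lineno)))
    return entries


def duplicate_vhosts(entries):
    """Map each (port, name) declared more than once to its file:line locations.

    Apache serves the first declaration it finds and ignores the rest, so a
    duplicate usually means the wrong config file is answering on that port."""
    seen = defaultdict(list)
    for port, name, path, lineno in entries:
        seen[(port, name)].append(f"{path}:{lineno}")
    return {key: locs for key, locs in seen.items() if len(locs) > 1}


def vhost_tags_mixing_ports(config_text):
    """Return VirtualHost opening tags that bind more than one port.

    A tag such as <VirtualHost *:443 *:80> makes one vhost (with SSLEngine on)
    answer TLS on port 80 as well, which produced the "speaking plain HTTP to
    an SSL-enabled server port" error seen in the thread."""
    bad = []
    for m in VHOST_OPEN_RE.finditer(config_text):
        addrs = m.group(1).split()
        # "*" or a bare address with no port falls back to the Listen default;
        # rsplit handles "[::1]:443" as well as "*:443".
        ports = {a.rsplit(':', 1)[1] for a in addrs if ':' in a}
        if len(ports) > 1:
            bad.append(m.group(0))
    return bad


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for (port, name), locs in duplicate_vhosts(parse_vhost_dump(dump)).items():
        print(f"port {port} / {name} declared {len(locs)} times: {', '.join(locs)}")
    for tag in vhost_tags_mixing_ports(BROKEN_SSL_CONF):
        print("vhost binds several ports:", tag)
```

Run against the sample it prints the duplicate `port 80 / reica.no-ip.org` pair with both file locations and flags the `<VirtualHost *:443 *:80>` tag; after the fix the second check returns nothing and a fresh `apache2ctl -S` should list exactly one declaration per port/name pair.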

Juergen,

One more question: If I upgrade my OS, can I just lift out the ssl cert and key files and put them in the new system ? Or do I somehow have to renew the certificate ?

Rein.

1 Like

You can just copy over /etc/letsencrypt/ – taking care to use a way that preserves permissions and symlinks – and install Certbot.

But you should make sure everything is configured correctly and automatic renewal is working on the new server.

Starting over may be a good option, instead of copying everything and testing it. But it’s up to you.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.