Failed Redirect for domain.com error

My domain is: a-gict.com

I ran this command: sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: a-gict.com
2: www.a-gict.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/a-gict.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for a-gict.com and www.a-gict.com
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/a-gict-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/a-gict-le-ssl.conf
Failed redirect for a-gict.com
Unable to set enhancement redirect for a-gict.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:
 - We were unable to set up enhancement redirect for your server,
   however, we successfully installed your certificate.
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/a-gict.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/a-gict.com/privkey.pem
   Your certificate will expire on 2022-01-24. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
angelo@a-gict2:/var/www/a-gict$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Tue 2021-10-26 05:55:31 UTC; 34min ago
    Trigger: Tue 2021-10-26 20:03:34 UTC; 13h left
   Triggers: ● certbot.service

My web server is (include version): Ubuntu 21.

The operating system my web server runs on is (include version): Ubuntu 21.

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes, I also have a user with sudo privilege.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Something odd happened cuz on my first pass of the sudo certbot --apachecert command, it only showed the www.a-gict.com option and I didn't notice this and went on with the certification anyway. After realizing this, I edited and updated the virtual domain file and ran the command again and saw both a-gict.com and www.a-gict.com. I tried both Reinstalling the Certificate and Renew and Replacing the certificates but I still got the redirect error.

I'm not sure how to proceed here. I can see that www.a-gict.com has been secured, but a-gict.com still has a "not secure" tag beside the url when I visit.

I feel like I'm overlooking something simple but I can't find it. Any help is very much appreciated.

You should review, and correct, your Apache configuration.
I'd start with the output of:
sudo apachectl -t -D DUMP_VHOSTS


I ran the command and it showed the following result:

VirtualHost configuration:
*:443                  a-gict (/etc/apache2/sites-enabled/a-gict-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server a-gict.com (/etc/apache2/sites-enabled/a-gict-le-ssl.conf:17)
         port 80 namevhost a-gict.com (/etc/apache2/sites-enabled/a-gict-le-ssl.conf:17)
                 alias www.a-gict.com
         port 80 namevhost a-gict.com (/etc/apache2/sites-enabled/a-gict.conf:1)
                 alias www.a-gict.com

How do I go from here?

That is a name:port overlap/conflict.
You need to review both of those files and delete one of those sections.

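Added example (not part of the original posts): a Python check for the name:port overlap diagnosed above. It parses the DUMP_VHOSTS output quoted in the thread and reports every hostname claimed by more than one VirtualHost on the same port; the function names are this example's own.

```python
import re
from collections import defaultdict

# Output copied from the first DUMP_VHOSTS run quoted in the thread.
DUMP = """\
VirtualHost configuration:
*:443                  a-gict (/etc/apache2/sites-enabled/a-gict-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server a-gict.com (/etc/apache2/sites-enabled/a-gict-le-ssl.conf:17)
         port 80 namevhost a-gict.com (/etc/apache2/sites-enabled/a-gict-le-ssl.conf:17)
                 alias www.a-gict.com
         port 80 namevhost a-gict.com (/etc/apache2/sites-enabled/a-gict.conf:1)
                 alias www.a-gict.com
"""

NAMEVHOST = re.compile(r"^\s+port (\d+) namevhost (\S+) \((.+):(\d+)\)$")
SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+) \((.+):(\d+)\)$")
ALIAS = re.compile(r"^\s+alias (\S+)$")


def parse_vhosts(text):
    """Return (port, [names], 'file:line') for each vhost in the dump."""
    vhosts = []
    for line in text.splitlines():
        m = NAMEVHOST.match(line) or SINGLE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            vhosts.append((int(port), [name.lower()], f"{path}:{lineno}"))
        elif (a := ALIAS.match(line)) and vhosts:
            # An alias line belongs to the vhost listed just above it.
            vhosts[-1][1].append(a.group(1).lower())
    return vhosts


def find_overlaps(vhosts):
    """Map (port, hostname) -> definitions, for names claimed more than once."""
    claims = defaultdict(list)
    for port, names, where in vhosts:
        for name in dict.fromkeys(names):  # de-duplicate within one vhost
            claims[(port, name)].append(where)
    return {key: places for key, places in claims.items() if len(places) > 1}


if __name__ == "__main__":
    overlaps = find_overlaps(parse_vhosts(DUMP))
    for (port, name), places in sorted(overlaps.items()):
        print(f"{name}:{port} is defined in: {', '.join(places)}")
```
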

How should I know which one to remove? Should I cat both files and share them?

yes please post them


Here's the a-gict-le-ssl.conf file:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName a-gict
    ServerAlias www.a-gict.com
    ServerAdmin angelo.villasanta@a-gict.com
    DocumentRoot /var/www/a-gict
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias a-gict.com
SSLCertificateFile /etc/letsencrypt/live/a-gict.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/a-gict.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerName a-gict.com
    ServerAlias www.a-gict.com
    ServerAdmin angelo.villasanta@a-gict.com
    DocumentRoot /var/www/a-gict
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =www.a-gict.com [OR]
# RewriteCond %{SERVER_NAME} =a-gict
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>
</IfModule>

Here's the a-gict.conf file

<VirtualHost *:80>
    ServerName a-gict.com
    ServerAlias www.a-gict.com
    ServerAdmin angelo.villasanta@a-gict.com
    DocumentRoot /var/www/a-gict
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.a-gict.com [OR]
RewriteCond %{SERVER_NAME} =a-gict
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

What do I do now?

The two sections are identical - except in the first one, the redirection lines were commented out.
So it can be fixed either way.
I would remove this section from the first file:

Then restart Apache.


I had removed (commented out) that section and kept the first block from the first file. I also noticed that I had the ServerName wrong as it's just a-gict and not a-gict.com. After making the corrections on those files, I restarted Apache and ran the sudo certbot --apache command to try and get a certificate for a-gict.com. I got the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: a-gict.com
2: www.a-gict.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for a-gict.com
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/a-gict-le-ssl.conf
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://a-gict.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If I go to https://a-gict.com, I can see that the certificate has been implemented already. However if I just go with a-gict.com, there is no redirect from http to https. Unlike if I go to www.a-gict.com where I get an auto-redirect to https. I know I'm going a bit out of scope here but how do I get the http->https redirect going?

Please don't run certbot anymore.
That can only confuse the issue and waste certificates (LE resources):
You've already issued eight certificates in the last two days!:
crt.sh | a-gict.com

Please show the current outputs of:
certbot certificates
sudo apachectl -t -D DUMP_VHOSTS


certbot certificates outputs the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: a-gict.com-0001
    Serial Number: 4e3d25b261bced499bf6476779e8b425a80
    Key Type: RSA
    Domains: a-gict.com
    Expiry Date: 2022-01-25 04:33:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/a-gict.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/a-gict.com-0001/privkey.pem
  Certificate Name: a-gict.com
    Serial Number: 4bdcedf85b5a55df79ee499e9dcb602676b
    Key Type: RSA
    Domains: a-gict.com www.a-gict.com
    Expiry Date: 2022-01-25 04:35:07+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/a-gict.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/a-gict.com/privkey.pem
  Certificate Name: www.a-gict.com
    Serial Number: 3300a026c0ef9155f052744c4408b6448f0
    Key Type: RSA
    Domains: www.a-gict.com
    Expiry Date: 2022-01-24 04:59:37+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/www.a-gict.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.a-gict.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

sudo apachectl -t -D DUMP_VHOSTS outputs the following:

VirtualHost configuration:
*:443                  a-gict.com (/etc/apache2/sites-enabled/a-gict-le-ssl.conf:2)
*:80                   a-gict.com (/etc/apache2/sites-enabled/a-gict.conf:1)

Please show this file:


You only need the middle one:


Apologies, I was unable to copy the entire output of the DUMP_VHOSTS Command, I've edited my post above. As for the a-gict-le-ssl.conf file, it looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName a-gict.com
    ServerAlias www.a-gict.com
    ServerAdmin angelo.villasanta@a-gict.com
    DocumentRoot /var/www/a-gict
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias a-gict.com
SSLCertificateFile /etc/letsencrypt/live/a-gict.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/a-gict.com/privkey.pem
</VirtualHost>
</IfModule>

#<IfModule mod_ssl.c>
#<VirtualHost *:80>
#    ServerName a-gict.com
#    ServerAlias www.a-gict.com
#    ServerAdmin angelo.villasanta@a-gict.com
#    DocumentRoot /var/www/a-gict
#    ErrorLog ${APACHE_LOG_DIR}/error.log
#    CustomLog ${APACHE_LOG_DIR}/access.log combined
#RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =www.a-gict.com [OR]
# RewriteCond %{SERVER_NAME} =a-gict
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

#</VirtualHost>
#</IfModule>

Perfect!
That is using the cert with both names on it.

Now get rid of the other two (single named) certs, with:

certbot delete --cert-name a-gict.com-0001
certbot delete --cert-name www.a-gict.com

Sorry, I had NOT noticed the TYPO:

That line is missing ".com"
That is why the redirection fails.

Edit file:
/etc/apache2/sites-enabled/a-gict.conf

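Added example (not part of the original posts): a Python check for the typo described above. It reads the port-80 vhost from a-gict.conf as posted earlier in the thread and lists the served names that no RewriteCond matches, which are the names left without an HTTP-to-HTTPS redirect. It handles only the exact-match form used in the posted file, and the function name is this example's own.

```python
# VHOST is a-gict.conf as posted in the thread (ServerAdmin and log
# directives omitted); it still contains the typo.
VHOST = """\
<VirtualHost *:80>
    ServerName a-gict.com
    ServerAlias www.a-gict.com
    DocumentRoot /var/www/a-gict
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.a-gict.com [OR]
RewriteCond %{SERVER_NAME} =a-gict
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""


def redirect_coverage(conf):
    """Compare the names a vhost serves with the names its conditions match.

    Returns (not_redirected, stale): served names that no
    'RewriteCond %{SERVER_NAME} =name' line matches, and condition names
    that are not among the vhost's ServerName/ServerAlias values.
    """
    served, matched = [], []
    for raw in conf.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out directive
        directive = parts[0].lower()
        if directive in ("servername", "serveralias"):
            served += [name.lower() for name in parts[1:]]
        elif (directive == "rewritecond" and len(parts) >= 3
              and parts[1].upper() == "%{SERVER_NAME}"
              and parts[2].startswith("=")):
            matched.append(parts[2][1:].lower())
    not_redirected = [n for n in served if n not in matched]
    stale = [n for n in matched if n not in served]
    return not_redirected, stale


if __name__ == "__main__":
    missing, stale = redirect_coverage(VHOST)
    print("served but never redirected:", missing)
    print("conditions matching no served name:", stale)
```
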

Did the trick! Thank you!


Glad to have helped (even if it took a while - LOL) :slight_smile:
Cheers from Miami :beers:

#FreeCUBA :cuba:


:beer: :beers: :beer: :beers: :beer: :beers: cheers
