How to allow plain http also, after installing with setting 'https only' (via certbot)

I installed Let's Encrypt through Certbot, with the option 'https only' (redirect http). Works like a charm.
All is https.

But... I shouldn't have selected 'https only' (redirect http). Because I need plain http to still be available as well, as it turns out.

How can I make so that Let's Encrypt will allow plain http as well?
I need the site to be available through https (with Let's Encrypt) and through regular http.

Any tips/pointers?

Thanks!

(Running CentOS7)

There is an option called --no-redirect, but for some reason it only works when generating a NEW VirtualHost. I just tested it and it does not remove an already existing redirect.

Possible solutions:

  • Use the Certbot rollback subcommand to undo the installing of the Certificate, then re-do the installing of the certificate but without the --redirect option
  • Manually remove the three RewriteEngine directives (RewriteEngine, RewriteCond and RewriteRule) added to the HTTP VirtualHost.
2 Likes

Why?

It's usually not that reasonable.

2 Likes

Perhaps when used in conjunction with enhance ?
certbot enhance --no-redirect

1 Like

This server is an Icecast server, and most (if not all) hardware internet radio players do not do https, as it turns out.

Unfortunately, no:

Please specify one or more enhancement types to configure. To list the available enhancement types, run:

certbot --help enhance

No enhancements requested, exiting.

I think the only use for --no-redirect is to change the behaviour of defaulting to do enable redirecting with the install and run subcommands.

Is your Icecast server behind an Apache or nginx reverse proxy? Because those two webservers are the only ones that Certbot would be able to enable redirecting for.

2 Likes

@Osiris
I haven't tried it, but it doesn't look like you did either.
certbot enhance --no-redirect
[or you just didn't show us]

2 Likes

Well, that's a big assumption..

2 Likes

Thanks for the tip, but it does not like enhance --no-redirect.
Redirect is available, according to --help, but not no-redirect.

#certbot enhance --no-redirect
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please specify one or more enhancement types to configure. To list the available enhancement types, run:

certbot --help enhance

No enhancements requested, exiting.
1 Like

It is not. No reverse proxy here. It's a VPS with a direct IP to the outside world.

I thought, yes! Of course I can do that! I know that...
But because it being an Icecast server, and not a "regular" webserver, I cannot find it, so I cannot edit it.
And a search query only finds so much before eventually timing out...

Then you should be able to manually remove the redirection.
[preferably for only those folders that need HTTP]

Start with the output of:
apachectl -t -D DUMP_VHOSTS

2 Likes

Certbot cannot add a HTTP to HTTPS redirect on IceCast servers, so I have absolutely no clue on where that redirect might have came from.

Even better: Certbot can't even install the certificate on an IceCast server at all! So please could you explain to use a little bit better what the actual setup is? Just Icecast? Or also a nginx or Apache webserver?

1 Like

hmm...
What does the IceCast path (URL) look like?

I agree that your statements seem to conflict:

  • The added certbot redirection broke my HTTP IceCast access.
  • IceCast isn't behind a reverse proxy.
1 Like

It can. It did. With certbot certonly, I just now remembered while checking the history.
During running certbot I do remember having to tell it where the folder with html/php files for the outside world is located, I think.

And then I got the question (not verbatim) "Would you like to:"

  1. redirect all
  2. do not redirect all

I chose 1, and now wish I didn't :stuck_out_tongue:

That's impossible, certonly wouldn't modify any (web)servers configuration at all. It won't install the certificate, it won't add a redirect.

Please explain in detail the actual steps and commands you've ran.

2 Likes

AND

1 Like

The installation was months ago, and only now I realised I need to remove the forced redirect. I'm browsing through history, but that's a bit of a mess, as I was experimenting on how to get it to work, so not all commands in there would have actually done something.

At this point I'm not even sure if I ran sudo certbot certonly --webroot or sudo certbot certonly --standalone (which I both found in history).

So that doesn't really make it any clearer :frowning:

But at one point it did give me the question:

Would you like to:

  1. redirect all
  2. do not redirect all

Where I chose 1, and now wish I didn't.

I do really appreciate everyone's help here though! Many thanks! :+1:

1 Like
1 Like

That would only be possible for an Apache or nginx webserver.

Please share the URL of your IceCast server with us.

1 Like