How to stop redirect of http to https

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: otpxs.ca

I ran this command: during installation I answered Yes to automatically redirect to https and it keeps doing it. I urgently need that to stop because the installation process was a disaster.

It produced this output:

My web server is (include version): httpd v2.2.15-60.el6.6vm

The operating system my web server runs on is (include version): CentOS 6.5

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto 0.39.0

This domain isn't redirecting to HTTPS - it works okay for me.

Is this the domain you're having the issue with, or is it another one?

To remove the redirect, you will need to modify the Apache configuration file to remove the rewrite rule that looks something like:

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

It doesn’t seem that any certificates have been issued for that domain.

you’re right, it is otpxs.com

When I installed the certificate I was given a list of domains with the question, to which domain do you want to apply the certificate. Perhaps naive, and I am certainly no Linux buff, I assumed that the Let’s Encrypt certificate might be a multi-domain one, so I selected 3 domain names that have different roots. Unfortunately, they all were redirected to the website of the last one on the selected list. When restarting httpd I also got messages to the effect that port 443 had already been assigned and that the last one would be the default. That’s where the problems started. I commented out the line in the httpd.conf file that includes the LetsEncrypt conf which helped. But otpxs.com still defaults to https for some reason and I don’t know how to turn that off. All the Rewrite rules in the httpd.conf file were commented out and I don’t know where else to look.

It doesn't, for me.

It is possible that your browser has cached the 301 redirect rules. 301 is a "permanent" redirect, and browsers tend to interpret the "permanent" part literally.

Try in another browser, or clearing your redirect cache.

Thanks _az, clearing the cache did the trick, it loads properly now. I would still like to know what the port 443 error was all about. I read that it was possible to have multiple domains share the same port and the same IP address. Is this a LetsEncrypt limitation (?) because I need to get certificates for 3 more unrelated domains on the same IP address and, as I gather, the port is always 443. Thx

There isn’t limitation with Let’s Encrypt or even with Certbot, in general.

You weren’t supposed to experience any problems.

Certbot might have misunderstood the Apache configuration, or there might have been a bad interaction with duplicate virtual hosts or something.

Do you have a log of what the message from Apache was?

What does “sudo httpd -t -D DUMP_VHOSTS” output?

@mnordhoff - Given that everything has been commented out, there is no certificate active although one exists in the etc/letsencrypt directory but is not referenced in the .conf files
Unfortunately I do not have the exact message about the 443 error anymore and they will not repeat unless I reactivate everything again and I am somewhat leery of doing that.
The question I have is, when it asked me to include one or more domains (and I did), are they supposed to be domains pointing the the same root, because that was certainly not made clear. And how do I install other certs for other domains on the same IP and port? I am hesitant to do anything else now. If I reactivate the certificate for the domain it defaulted to and activate it in the httpd.conf and ssl.conf will that give me back at least the one certificate I do have? I have removed the other domains from the httpd-le-ssl.conf file so there is only one left. Thanks

If you use certbot --apache, that's not required. Certbot's Apache plugin is designed to solve that kind of thing automatically.

Apache does that by something called name-based virtual hosting. It selects the correct certificate based on which domain name the visitor is requesting. Certbot assumes that name-based virtual hosting is in use.

But this all really depends on how your virtual host setup is right now.

Answering the earlier question for the output of sudo httpd -t -D DUMP_VHOSTS would probably reveal what your issue is.

@_az - Yes, that is the strange thing. I watched a YouTube video on how to install a LetsEncrypt certificate but it was for CentOS 7 and my server runs CentOS 6.5 so some of the commands, like systemctl do not work. I tried to install certbot with yum and it said it could not find it, I tried with Webmin and got the same message there

$ yum install -y certbot
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile

• base: centos.mirror.rafal.ca
• epel: mirror.team-cymru.com
• extras: centos.mirror.rafal.ca
• updates: centos.mirror.rafal.ca
  No package certbot available.
  Error: Nothing to do

$ yum info certbot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile

• base: centos.mirror.rafal.ca
• epel: mirror.team-cymru.com
• extras: centos.mirror.rafal.ca
• updates: centos.mirror.rafal.ca
  Error: No matching Packages to list

I did however find a file called certbot-auto on my server and after visiting the certbot website I wound up doing what was suggested for CentOS 6.5 running Apache which is the following

$ wget https://dl.eff.org/certbot-auto

$ sudo mv certbot-auto /usr/local/bin/certbot-auto

$ sudo chown root /usr/local/bin/certbot-auto

$ sudo chmod 0755 /usr/local/bin/certbot-auto

That updated certbot-auto from 0.27.1 to 0.39.0

$ sudo /usr/local/bin/certbot-auto --apache
installed the certificate apparently without certbot

$ rpm -q certbot
package certbot is not installed

During the install of the certificate one of the questions was

Which names would you like to activate HTTPS for?

followed by a list of all the domains listed in the results of the DUMP request below.
That’s when I picked the 3 I wanted to secure, assuming it would be a multi-domain certificate, only to find that all three of them then pointed to the same website, the last one in the comma delimited list, instead of their own.

The output of the $ sudo httpd -t -D DUMP_VHOST command was as follows

[Tue Oct 08 00:21:36 2019] [warn] module ssl_module is already loaded, skipping
VirtualHost configuration:
xx.xxx.xxx.xx:80 is a NameVirtualHost
default server www.aaaaaa.com (/etc/httpd/conf/httpd.conf:1028)
port 80 namevhost www.aaaaaa.com (/etc/httpd/conf/httpd.conf:1028)
alias aaaaaa.com
alias www.aaaaaa.ca
alias aaaaaa.ca
port 80 namevhost www.bbbbbb.com (/etc/httpd/conf/httpd.conf:1037)
alias bbbbbb.com
alias www.bbbbbb.ca
alias bbbbbb.ca
port 80 namevhost www.cccccc.info (/etc/httpd/conf/httpd.conf:1046)
alias cccccc.info
port 80 namevhost www.dddddd.info (/etc/httpd/conf/httpd.conf:1061)
alias dddddd.info
alias www.eeeeee.info
alias eeeeee.info
alias www.ffffff.info
alias ffffff.info
port 80 namevhost www.gggggg.ca (/etc/httpd/conf/httpd.conf:1073)
alias gggggg.ca
port 80 namevhost www.hhhhhh.ca (/etc/httpd/conf/httpd.conf:1084)
alias hhhhhh.ca
port 80 namevhost www.kkkkkk.com (/etc/httpd/conf/httpd.conf:1093)
alias kkkkkk.com
alias www.LLLLLL.ca
alias LLLLLL.ca
alias www.mmmmmm.eu
alias mmmmmmm.eu
port 80 namevhost www.nnnnnn.com (/etc/httpd/conf/httpd.conf:1102)
alias nnnnnn.com
port 80 namevhost www.oooooo.com (/etc/httpd/conf/httpd.conf:1111)
alias oooooo.com
port 80 namevhost www.ppppppp.ca (/etc/httpd/conf/httpd.conf:1120)
alias pppppp.ca
wildcard NameVirtualHosts and default servers:
default:443 xx.xxx.xxx.xx (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK

Not sure what that information reveals. To me it is just a list of the domain names in the < VirtualHost > statements of httpd.conf and ssl.conf files. Perhaps it will mean more to you.

Rather confused about what is going on and where to go from here. And that is not even addressing possible problems running a cron job to automatically renew the certificates since all the samples I see use certbot for that.

Thanks for the help and patience with this from you both so far.

Assuming you redacted that output properly, it looks fine. Certbot should just work if you issue and install certificates according to your virtual host groupings, e.g.:

certbot --apache -d www.aaaaaa.com -d aaaaaa.com \
-d www.aaaaaa.ca -d aaaaaa.ca

rinse and repeat for each virtualhost.

Otherwise, I don’t know. It’s especially hard to diagnose redacted domains as it’s basically making blind stabs in the dark.

@_az Still working on this. It maybe my Linux beginner status but I am not quite sure why knowing the real domain names would be any different than having them replaced by redacted names.
Unfortunately however I have two other problems now.
I did a search for known certificates and came up with the following results

$ certbot-auto certificates
/opt/eff.org/certbot/venv/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163:
CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: domain1.info
Domains: domain1.info domain2.com domain3.ca
Expiry Date: 2020-01-05 20:28:36+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/domain1.info/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain1.info/privkey.pem

(Sorry for the redacted domain names again)

First of all it appears that the other domain names I mistakenly added during the installation process are still being referenced, see the line Domains:
As I indicated before, the domain2.com domain3.ca started pointing to the domain1.info website so I took their references out of the httpd-le-ssl.conf file which solved the problem
The question now is, how do I get the references to domain2.com domain3.ca out of the certificate?

Also, the warning about OpenSSL 1.0.1 is worrisome. I went into webmin to update but it tells me that the version I have (v1.0.1e-58.el6_10) is the latest version and no updates are available even though on the OpenSSL website there is a version 1.0.2 and the latest version is 1.1.1d
Is this a problem because I am running CentOS 6.5 and the newer versions will not run on it?
Unfortunately the only way I know to update packages is through Webmin. Am I stuck with version 1.0.1 now, because if that is the case, perhaps LetsEncrypt certs will, at some point, become problematic if they drop support for it.

Edit: Apparently the only way around the OpenSSL issue it to upgrade to the most recent version of CentOS so I am looking into that. For the time being however, any solution to removing the other domain names from the certificate would be a great help.

People here have a lot of experience looking at other people's live services and diagnosing problems that way. For example, @_az created https://letsdebug.net/, while @JuergenAuer created https://check-your-website.server-daten.de/, and many forum participants also know how to do various tests with dig and curl to explore exactly how DNS or HTTP services may be misconfigured.

It doesn't always help, but it probably leads to useful progress in about 80% of cases, especially because specific Apache or nginx error messages elicited in specific situations may be highly meaningful to someone who's used to investigating a specific kind of problem.

@shoen Thanks for the explanation, but the issue is not about misconfiguration of DNS or HTTP services. All my websites run fine, including the only one with the LetsEncrypt certificate. The problem stems from the certbot-auto question “Which names would you like to activate HTTPS for?”.

If you read the previous posts you would notice that most of my problems originate from the answer to that question. As you can see from the DUMP, I have many domain names and the question posed by certbot-auto did not state that the choices should be limited to those that involve domains that point to the same root directory. My logical assumption was that this was to allow for a multi-domain certificate or that it would generate certificates for each domain entered in the list.

This is clearly not the case and perhaps some clarification as to what certbot-auto means when it is asking for a list of domain names would be beneficial.

Looking at the certificate also highlighted the fact that the last two domains listed under Domains: will likely have to be removed from the certificate because there might be unwanted consequences if I get them their own certificates. Unfortunately you did not elaborate on a solution to this issue by suggesting a way in which this can be accomplished.

Hopefully you will be kind enough to do so.
Thanks

If you mean the Apache document root setting, Certbot has no problem getting a certificate for names in virtual hosts with different document roots.

To replace a certificate with a new one for a subset of the names in the previous certificate, run a similar command to the original command used to create the certificate, with the --cert-name option to specify its name, and -d option(s) specifying the new name(s).

For example, if you ran "sudo certbot-auto --apache -d example.com -d foo.example.com -d bar.example.com", producing a certificate named "example.com", to remove "foo.example.com", you could use "sudo certbot-auto --apache --cert-name example.com -d example.com -d bar.example.com".

@mnordhoff Thanks, I was able to remove the additional domains from the certificate but I am not sure I understand your first answer.
When I entered the three domains in the comma delimited list and created the certificate, all three domains, which all had different document roots, automatically redirected to the last domain I included, a completely different website, and no longer pointed to their own root directory. Perhaps I misunderstand, but that seems to contradict your statement,

unless you mean that it allows me to get an additional certificate for each of the other individual domains in the Virtual Hosts list.

After adding certificates for the domains referenced in the first certificate from which they were subsequently removed, the current certificates show as follows:

Found the following certs:
Certificate Name: mydomain1.info
Domains: mydomain1.info
Expiry Date: 2020-01-08 13:49:13+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mydomain1.info/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mydomain1.info/privkey.pem
Certificate Name: www.mydomain2.com
Domains: www.mydomain2.com mydomain2.com
Expiry Date: 2020-01-08 15:12:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.mydomain2.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.mydomain2.com/privkey.pem
Certificate Name: www.mydomain3.ca
Domains: www.mydomain3.ca mydomain3.ca
Expiry Date: 2020-01-08 15:12:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.mydomain3.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.mydomain3.ca/privkey.pem

Unfortunately, when I test mydomain2.com or mydomain3.ca on www.ssllabs.com I get the following errors for both

Certificate name mismatch

Try these other domain names (extracted from the certificates):

mydomain1.info

The web site does not use SSL, but shares an IP address with some other site that does
[…]

Something seems to have a problem separating the certificates. Why do mydomain2 and mydomain3 not recognize their respective certificates?
It seems to indicate that LetsEncrypt cannot handle more than one certificate per IP address, which I find unlikely. From what I have researched, I understand that the issue of dealing with multiple domains on a single IP address and even the same port has long been resolved and applies to the versions of the packages installed on my server

httpd v2.2.15-60.el6.6vm
mod_ssl v2.2.15-60.el6.6vm
openssl v1.0.1e-58.el6_10
libcurl v7.19.7-53.el6_9

There are errors when I restart httpd as well. I get, no surprise, the following errors

[Thu Oct 10 13:54:50 2019] [warn] VirtualHost 98.158.129.35:443 overlaps with VirtualHost 98.158.129.35:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 10 13:54:50 2019] [warn] VirtualHost 98.158.129.35:443 overlaps with VirtualHost 98.158.129.35:443, the first has precedence, perhaps you need a NameVirtualHost directive

The httpd.conf file already contains the NameVirtualHost directive ahead of the < VirtualHost > statements

Any explanations/suggestions are most welcome.

Hello kosimek, you must be stopping the rule from your virtual host configuration or just host configuration in your web server, or if you use htaccess for your host (vhost-subdomain). Then you must remove all paths to your chain and cert keys. Then save the configuration, then reload your web server and voala. If you decide to not use anymore your ssl-tls certificate you can delete it. BR

The problem was solved by changing [ip]:80 and [ip]:443 in the NameVirtualHost and all the < VirtualHost > statements to *:80 and *.443 in httpd.conf and ssl.conf

NameVirtualHost *.80
NameVirtualHost *.443

Thanks for all the suggestions and advice