Https always redirects to IDRAC server interface


#1

Any help would be much appreciated!

My domain is: doyourdayright.com

I ran this command: $ sudo letsencrypt --apache -d doyourdayright.com -d www.doyourdayright.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for doyourdayright.com
http-01 challenge for www.doyourdayright.com
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1


Congratulations! You have successfully enabled https://doyourdayright.com and
https://www.doyourdayright.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=doyourdayright.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.doyourdayright.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/doyourdayright.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/doyourdayright.com/privkey.pem
    Your cert will expire on 2019-03-05. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): apache2

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is: n/a (my server)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin

Run test at:
https://www.ssllabs.com/ssltest/analyze.html?d=doyourdayright.com

Produces:
Alternate names not found in the certificate

What does this mean?

We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect. It’s possible that:

  • The web site does not use SSL, but shares an IP address with some other site that does.
  • The web site no longer exists, yet the domain name still points to the old IP address, where some other site is now hosted.
  • The web site uses a content delivery network (CDN) that does not support SSL.
  • The domain name is an alias for a web site whose main name is different, but the alias was not included in the certificate by mistake.

SSL Report v1.32.13

I chose to ignore the mismatch, and the results were…

Certificate #1: RSA 2048 bits (SHA256withRSA)

Server Key and Certificate #1
Subject idrac
Fingerprint SHA256: 7c866c69af8a960351b373852bbd3d3ee0bfe56ec8e18bfdcb8fc2785bd558fc
Pin SHA256: Vnq99NU/rRGAA3jDpC9BuGSWwpF1QATpEPlbDvjO/FM=
Common names idrac
Alternative names - INVALID
Serial Number 00e9277995fc977454
Valid from Sat, 14 Jul 2018 13:44:00 UTC
Valid until Fri, 14 Jul 2028 13:45:40 UTC (expires in 9 years and 7 months)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer idrac Self-signed
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency No
OCSP Must Staple No
Revocation information None
DNS CAA No (more info)
Trusted No NOT TRUSTED (Why?)
Mozilla Apple Android Java Windows

Additional Certificates (if supplied)
Certificates provided 1 (1029 bytes)
Chain issues None

Certification Paths

Mozilla Apple Android Java Windows
Path #1: Not trusted (path does not chain to a trusted anchor)
1 Sent by server
Not in trust store idrac Self-signed
Fingerprint SHA256: 7c866c69af8a960351b373852bbd3d3ee0bfe56ec8e18bfdcb8fc2785bd558fc
Pin SHA256: Vnq99NU/rRGAA3jDpC9BuGSWwpF1QATpEPlbDvjO/FM=
RSA 2048 bits (e 65537) / SHA256withRSA


#2

You might have an existing self-signed certificate in a _default_ VirtualHost in /etc/apache2. If so, you should get rid of the default HTTPS VirtualHost that uses that certificate.


#3

Thanks for the reply!
In my /etc/apache2/sites-available :
I have a 000-default.conf that contains each of my vhosts, but all created by me and none are IDRAC or localhost or anything like that.
I also now have a 000-default-le-ssl.conf which contains the info for doyourdayright.com and www.doyourdayright.com only.


#4

I have since renamed 000-default.conf and 000-default-le-ssl.conf to my own names, disabled the old, and reloaded apache2 service. Same results.


#5

It seems like your Internet routing is not forwarding the HTTPS traffic to the IP of your server, but is instead forwarding it to the IP of the DRAC.


#6

I agree, it seems unlikely to me that it’s possible for Apache misconfiguration to cause this.

iDRAC is on a different physical network port, right?


#7

Well, your suspicions were correct. Turns out my partner had the internal routing redirecting https traffic to IDRAC and I didn’t know about it. Thank you all for your help!
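
The check that separates the two explanations raised in this thread (Apache misconfiguration versus port 443 being forwarded to another device), as an added example that is not part of any post above: compare the fingerprint of the certificate certbot saved on disk with what is served locally and what is served at the public name. The function names are hypothetical, and connecting to 127.0.0.1 assumes the script runs on the web server itself.

```python
import base64
import hashlib
import socket
import ssl
import sys

# Fingerprint of the self-signed "idrac" certificate, copied from the SSL Labs report above.
IDRAC_FP = "7c866c69af8a960351b373852bbd3d3ee0bfe56ec8e18bfdcb8fc2785bd558fc"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def leaf_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM bundle such as fullchain.pem."""
    leaf = pem_text[pem_text.index(BEGIN): pem_text.index(END) + len(END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def served_fingerprint(address, server_name, port=443, timeout=5):
    """SHA-256 of the certificate actually presented at address:port for this SNI name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # Verification is off on purpose: we only want to
    ctx.verify_mode = ssl.CERT_NONE  # identify what answers, even if it is self-signed.
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def diagnose(disk_fp, local_fp, public_fp):
    """Locate the mismatch: 'ok', 'routing' (another device answers), or 'apache'."""
    if public_fp == disk_fp:
        return "ok"
    if local_fp == disk_fp:
        return "routing"  # Apache serves the right cert; public 443 lands elsewhere.
    return "apache"       # Apache itself is presenting a different certificate.

def constructed_pem(payload):
    """Build a PEM-shaped sample from arbitrary bytes (constructed, not a real cert)."""
    return BEGIN + "\n" + base64.encodebytes(payload).decode() + END + "\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <hostname> <path to fullchain.pem>
        name, path = sys.argv[1], sys.argv[2]
        with open(path) as fh:
            disk = leaf_fingerprint(fh.read())
        local = served_fingerprint("127.0.0.1", name)
        public = served_fingerprint(name, name)
    else:  # Offline run with constructed values plus the fingerprint from the report.
        disk = leaf_fingerprint(constructed_pem(b"leaf") + constructed_pem(b"chain"))
        local, public = disk, IDRAC_FP
    print(diagnose(disk, local, public))
```

For the public check to follow the same path as outside visitors, run `served_fingerprint` against the public name from a host outside the network, since a forwarding rule at the edge may not apply to connections that originate inside it.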