HTTPS not working fully (CertBot)


#1

I have set up SSL on my site using CertBot.
However, there seems to be a problem.
HTTPS isn’t forced.

Let me explain.
https://mysite.com - https works
www.mysite.com - https doesn’t work
mysite.com - https doesn’t work.

What do I need to fix?

Any help will be appreciated :slight_smile:


#2

You probably need to include the www in the single cert.
Or if they are in two separate vhost configs, then get a second cert for the www site.

If A, then just change your certbot request to include www:
certbot --apache -d mysite.com -d www.mysite.com
[or --nginx or --standalone or whichever way you got the first cert - just add the www fqdn to it]

If B, then repeat the same certbot request but this time add “www.” to the fqdn used.


#3

A doesn’t seem to work.

I did this request (when setting up):
'certbot --apache'
and I selected 3 and 4, which were
3. mysite.com
4. www.mysite.com

After reading your reply, I tried doing 4 again (by itself) and it still redirects to http.

Here’s my .conf for the site if that’s the problem:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName mysite.com
    ServerAlias www.mysite.com
    DocumentRoot /var/www/html/phpbb
    ErrorLog ${APACHE_LOG_DIR}/error-mr.log
    CustomLog ${APACHE_LOG_DIR}/access-mr.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mysite.com [OR]
    RewriteCond %{SERVER_NAME} =www.mysite.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


#4

What is your site?

What error messages are you getting?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#5

I want to keep my website name confidential.
I’m not getting error messages. It’s just leading to http instead of https (as I explained in the original post).


#6

Add a vhost with a 301 redirect to the https version on port 80 of your server.
For nginx (because I use it):
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/challenge;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}


#7

If you use --apache or --nginx, Certbot will prompt you to add the kind of redirection that @orangepizza mentioned; otherwise, you’ll need to edit your web server configuration file to add an appropriate redirection directive.


#8

What does the vhost config for port 443 look like?


#9

How would I do this with Apache2?


#10

I don’t believe I have a vhost config for port 443.


#11

So you are redirecting all port 80 traffic to port 443…
But you don’t have anything listening on port 443?

That would explain certbot failing to authenticate, as certbot will follow the redirection and find nothing or the wrong site.


#12

I don’t have it doing anything for port 443.
All of my things on the server are port 80.


#13

But you are trying to get an LE cert.
LE tries to validate your site via port 80.
Your port 80 vhost redirects everything to port 443.
So then LE follows that redirection to port 443
and the LE validation request to port 443 goes unanswered.
[failed validation = no new cert]


#14

I’m confused now.
I haven’t even touched any other ports.
Was there another step I was supposed to do?
How do I fix this?


#15

This step is premature:
[it sends all http requests to https]

You can temporarily remove those lines or include an exception to the redirection specifically only for the validation requests:
[as suggested by @orangepizza]

[but that code is for nginx - not sure what you are running - it may also work in Apache…]


#16

I am currently running on apache2.
But I don’t get /well-known/acme-challenge/ & /var/www/challenge parts.

Am I supposed to make a challenge directory or are these just example words?
But then what do I replace /.well-known/acme-challenge with?


#17

Or try using this redirection instead:
RewriteEngine On
RewriteRule ^/?\.well-known/acme-challenge/ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
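To tie together the explanation in #13 (validation arrives on port 80 and must not be bounced to a port nobody answers) and the rewrite rules in #17, here is an added example of a complete Apache vhost pair; it is not from this thread or from Certbot. It assumes the domain mysite.com / www.mysite.com, the document root /var/www/html/phpbb from the poster's own config, and that certbot stored the certificate under /etc/letsencrypt/live/mysite.com/.

```apache
# Added example (not from this thread). Assumptions: domain mysite.com and
# www.mysite.com, DocumentRoot /var/www/html/phpbb, certificate files under
# /etc/letsencrypt/live/mysite.com/ (certbot's default live directory).

# Port 80: answer ACME HTTP-01 validation locally, redirect everything else.
<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    DocumentRoot /var/www/html/phpbb

    RewriteEngine On
    # Leave /.well-known/acme-challenge/ alone so Let's Encrypt can validate
    # over port 80 even while port 443 serves nothing yet. In vhost context the
    # matched path starts with "/", hence the leading /? in the pattern.
    RewriteRule ^/?\.well-known/acme-challenge/ - [L]
    # Everything else: permanent redirect to the https version of the same path.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error-mr.log
    CustomLog ${APACHE_LOG_DIR}/access-mr.log combined
</VirtualHost>

# Port 443: the vhost the poster in #10 does not have. Without it, the redirect
# above sends browsers (and, if the exception were missing, the validator) to a
# port where nothing answers. Needs mod_ssl and mod_rewrite enabled
# (a2enmod ssl rewrite on Debian/Ubuntu).
<VirtualHost *:443>
    ServerName mysite.com
    ServerAlias www.mysite.com
    DocumentRoot /var/www/html/phpbb

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/mysite.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem

    ErrorLog ${APACHE_LOG_DIR}/error-mr.log
    CustomLog ${APACHE_LOG_DIR}/access-mr.log combined
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -I http://mysite.com/.well-known/acme-challenge/test` should return a 404 from the port 80 vhost rather than a 301, while `curl -I http://mysite.com/` should return a 301 with a `Location: https://mysite.com/` header.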


#18

certbot will handle the creation/deletion of the directories.
No; those are the actual folder names used in authentication requests.

I don’t understand the question.

I asked you to delete four lines of code OR insert a location block.
and then also suggested to replace your redirection section with a more appropriate redirection section.


#19

So they’re not directories on the drive?
Also, I tried the code you put up and it still doesn’t work for me.
Here is what my conf looks like now:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName site.com
    ServerAlias www.site.com
    DocumentRoot /var/www/html/phpbb
    ErrorLog ${APACHE_LOG_DIR}/error-mr.log
    CustomLog ${APACHE_LOG_DIR}/access-mr.log combined
    RewriteEngine On
    RewriteRule ^/?\.well-known/acme-challenge/ - [L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>


#20

Again: Certbot will handle creating (and deleting) any directories needed to fulfill the challenge request.