LE Apache secure option doesn't work for Debian 8

Hello,

I just installed the Let's Encrypt certificate via the client on my Debian 8 server:

./letsencrypt-auto --apache

Then the client is asking for several configuration details like name and https only (secure).

After finishing all configurations the client says that the certificate has been successfully installed. It's true for the https part, but when I use just mydomain.com then it still uses http instead of https, although I chose the Let's Encrypt secure installation :frowning:

Any ideas where I can configure LE/Apache to get http requests redirected to https without destroying the LE installation?

Best regards
Bob

Hi Bob,

So you have both http and https working correctly? And you want to force people to use https? Correct?

You can add the lines:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

into the end of the http part of the Apache config for the domain, or you could add similar into a .htaccess file (assuming you have .htaccess directives enabled).

You can also add

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

into the top of the https part of the config if you always want people to use https into the future. Unless you are comfortable with exactly what this does though I would not add it.

People should still be able to use http, but if they use port 80 my Apache should force them to use https, so that my webpages are only accessible via https.

Adding the lines above in your apache config should force the redirect to https then.

OK, the virtual host for port 80 currently contains:

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]

I replace it with yours.

Should you really “blindly” add includeSubdomains to the HSTS header?

I’ve got the feeling 90 % of the “server admins” on this community don’t know what they are doing, let alone know what HSTS stands for. It would be prudent to not include includeSubdomains without proper advice.

(And yes, you’ve added a small disclaimer, I know ;))

I removed that part :wink:

No... hence, as you say - I added the disclaimer. Difficult to get the balance right about how much you should say to people in the advice, and how much you should miss off completely (as I agree, the bulk of the "server admins" don't really know what they are doing :wink:)

Made a mistake, now it works smoothly with the LE client, thanks for your help guys :stuck_out_tongue:

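Added example, not part of the original thread: a small Python check that spells out what a Strict-Transport-Security value commits a site to, applied to the header quoted above. The function names and the cautious sample value are assumptions made for illustration; the preload check covers only the header conditions of the browser preload list (max-age of at least one year plus includeSubDomains).

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age the preload list accepts

# Constructed sample values: the header quoted in the thread and a cautious starter.
THREAD_HEADER = "max-age=63072000; includeSubdomains; preload"
CAUTIOUS_HEADER = "max-age=86400"


def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797); directive names are case-insensitive.

    Returns None for a malformed header (no numeric max-age, repeated
    directive), since browsers ignore such a header entirely."""
    policy = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue  # tolerate empty segments such as a trailing ';'
        if name in policy:
            return None  # a directive may appear only once
        policy[name] = arg.strip().strip('"')  # value may be a quoted string
    if not re.fullmatch(r"[0-9]+", policy.get("max-age", "")):
        return None
    policy["max-age"] = int(policy["max-age"])
    return policy


def review_hsts(value):
    """Return plain-language notes on what the header commits the site to."""
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid header: browsers will ignore it"]
    age = policy["max-age"]
    if age == 0:
        return ["max-age=0 tells browsers to forget the stored policy"]
    notes = [f"browsers refuse plain http for {age // 86400} day(s) after each visit"]
    if "includesubdomains" in policy:
        notes.append("every subdomain must serve valid https for that period")
    if "preload" in policy:
        ok = age >= PRELOAD_MIN_AGE and "includesubdomains" in policy
        notes.append("preload requested; header "
                     + ("meets" if ok else "does not meet") + " the preload conditions")
    return notes


if __name__ == "__main__":
    for header in (THREAD_HEADER, CAUTIOUS_HEADER):
        print(header, "->", review_hsts(header))
```

Running it on the value a server actually sends (for example, copied from the response headers) shows before deployment whether subdomains that are still http-only would become unreachable.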