Le apache secure option doesnt work for debian8


#1

hello,

i just installed the lets encrypt certificate via client on my debian8 server:

./letsencrypt-auto --apache

then the client is asking for serveral configuration details like name and https only(secure)

after finishing all configurations the client says that the certificate has been successfully installed. its true for the https part but when i use just mydomain.com then it still uses http instead of https although i choose the lets encrpyt secure installation :frowning:

any ideas where i can configure le/apache to get http request redirected to https without destroying the le installation?

best regards
Bob


#2

Hi Bob,

so you have both http and https working correctly ? and you want to force people to use https ? correct ?

You can add the lines;

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

into the end of the http part of the apache config for the domain, or you could add similar into a .htaccess file ( assuming you have .htaccess directives enabled)

You can also add

Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains; preload”

into the top of the https part of the config if you always want people to use https into the future. Unless you are comfortable with exactly what this does though I would not add it.


#3

People should be still able to use http, but if they use port 80 my apache should force them to use https, so that my webpages are only accessable via https


#4

Adding the lines above in your apache config should force the redirect to https then.


#5

ok the virtual host for port 80 currently contains:

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]

i replace it with yours


#6

Should you really “blindly” add includeSubdomains to the HSTS header?

I’ve got the feeling 90 % of the “server admins” on this community don’t know what they are doing, let alone know what HSTS stands for. It would be prudent to not include includeSubdomains without proper advice.

(And yes, you’ve added a small disclaimer, I know ;))


#7

i removed that part :wink:


#8

No … hence, as you say - I added the disclaimer. Difficult to get the balance right about how much you should say to people in the advice, and how much you should miss off completely ( as I agree, the bulk of the “server admins” don’t really know what they are doing :wink: )


#9

made a mistake, now it works smoothly with le client, thanks for your help guys :stuck_out_tongue: