Letsencrypt successfully install in ubuntu but not redirection to https

ashok64554 · August 13, 2020, 2:00pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
3mad.in
I ran this command:
sudo lsof -iTCP -sTCP:LISTEN -P
It produced this output:

My web server is (include version):
Apache2
The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot --version : certbot 0.31.0
certbot-auto --version : certbot 1.7.0

rg305 · August 13, 2020, 9:02pm

The title says “not working” but the content doesn’t say what is not working.

ashok64554 · August 14, 2020, 6:50am

sorry.
Cant get redirection to https working after setup with Certbot

rg305 · August 14, 2020, 6:55am

Let’s start with:
apachectl -S
Which should show us all the domain names, and corresponding files, being served.
Then please also show the HTTP vhost config that covers the domain name that isn’t redirecting (file name will be shown by that command).

ashok64554 · August 14, 2020, 7:06am

VirtualHost configuration:
*:80 is a NameVirtualHost
default server 3mad.in (/etc/apache2/sites-enabled/000-default-le-ssl.conf:44)
port 80 namevhost 3mad.in (/etc/apache2/sites-enabled/000-default-le-ssl.conf:44)
port 80 namevhost 3mad.in (/etc/apache2/sites-enabled/000-default.conf:1)
alias www.3mad.in
*:443 is a NameVirtualHost
default server 3mad.in (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost 3mad.in (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias demo.3mad.in
port 443 namevhost ip-172-31-42-11.ap-south-1.compute.internal (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

rg305 · August 14, 2020, 7:08am

This is s problem:

The same domain name is being served by two vhost config files.

ashok64554 · August 14, 2020, 7:10am

so can we run this for disable default site
sudo a2dissite 000-default

rg305 · August 14, 2020, 7:11am

Yes, that will disable the default site.
But I would review what both the files are doing before making a final decision.

Please show both files.

ashok64554 · August 14, 2020, 7:15am

/etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName 3mad.in
ServerAlias www.3mad.in

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Require all granted
</Directory>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

#SSLEngine on
#SSLCertificateFile /etc/letsencrypt/live/3mad.in/cert.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/3mad.in/privkey.pem
#SSLCertificateChainFile /etc/letsencrypt/live/3mad.in/chain.pem

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

/etc/apache2/sites-enabled/000-default-le-ssl.conf

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName 3mad.in
#ServerAlias www.3mad.in

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias demo.3mad.in
SSLCertificateFile /etc/letsencrypt/live/3mad.in/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/3mad.in/privkey.pem

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName 3mad.in
#ServerAlias www.3mad.in

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Require all granted
</Directory>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

rg305 · August 14, 2020, 7:22am

The two blocks are essentially the same.
With only one minor difference:

/etc/apache2/sites-enabled/000-default.conf
ServerAlias www.3mad.in

/etc/apache2/sites-enabled/000-default-le-ssl.conf
#ServerAlias www.3mad.in

I would go ahead and disable the default file first and then we can work on the redirection.

ashok64554 · August 14, 2020, 7:24am

done

rg305 · August 14, 2020, 7:25am

Please show the current:
apachectl -S

ashok64554 · August 14, 2020, 7:26am

rg305 · August 14, 2020, 7:29am

Much better
Now insert this code right after “DocumentRoot” line in 000-default-le-ssl.conf

  #set the default action for all other requests
  <LocationMatch "^/(?!\.well-known)">
    #send all other requests to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>

and restart Apache

to be clear: There are two documentroot lines, insert within the HTTP block

ashok64554 · August 14, 2020, 7:32am

done

rg305 · August 14, 2020, 7:33am

Didn’t type fast enough.
It actually goes lower in the other block - that is the HTTPS block
[there is no need to redirect to HTTPS from within the HTTPS block - LOL]

ashok64554 · August 14, 2020, 7:38am

done

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName 3mad.in
#ServerAlias www.3mad.in

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias demo.3mad.in
SSLCertificateFile /etc/letsencrypt/live/3mad.in/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/3mad.in/privkey.pem

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName 3mad.in
#ServerAlias www.3mad.in

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
 #set the default action for all other requests

<LocationMatch “^/(?!.well-known)”>
#send all other requests to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1

<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

rg305 · August 14, 2020, 7:39am

OK let’s thy the HTTP site now.

Seems a bit busy right now:

curl -Iki 3mad.in
HTTP/1.1 503 Service Unavailable: Back-end server is at capacity
Connection: keep-alive

ashok64554 · August 14, 2020, 7:42am

still show the same error

Hmmm… can’t reach this page

3mad.in refused to connect.

Try:

Checking the connection
Checking the proxy and the firewall

ERR_CONNECTION_REFUSED

rg305 · August 14, 2020, 7:43am

I originally got this:

curl -Iki 3mad.in
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 7969
Content-Type: text/html
Date: Fri, 14 Aug 2020 06:52:31 GMT
ETag: "1f21-5acbea5eba1c0"
Last-Modified: Thu, 13 Aug 2020 09:08:31 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Connection: keep-alive

but now only this:

curl -Iki 3mad.in
HTTP/1.1 503 Service Unavailable: Back-end server is at capacity
Connection: keep-alive