Problems with SSL wildcard automatically https forwarding subdomains

I’m currently having a problem getting a SSL wildcard certificate to correctly forward all of my website’s subdomains from http to https.

My domain is evelynferwalt.com, and I’ve got three subdomains. All four of these sites are using separate Wordpress Multisites on the same hosting server. I was intending for one of them to be a video portfolio, one a tutoring website, one a photography portfolio, and the last being my general landing page. The photo subdomain has been a real pain to certify.

Following this tutorial very closely, I manually generated and installed a certificate on evelynferwalt.com and *.evelynferwalt.com. Both of these seem to be working, as you can see from the automatic https forwarding on the base website, the video and the tutoring sites. Yes, all these links are http:// and they’re correclty forwarding to https:// domains automatically.

The reason the photography portfolio in particular has been difficult is because, for SOME reason, even though it’s the exact same setup as the other subdomains, it DOESN’T automatically forward. I’ve been driving myself mad over this, deleting certbot certificates and then trying again with something else and manually trying to handle all the configuration files.

Can anybody help out with how to manually forward one subdomain to its https:// version while all my other domains are working fine??

I’m running Apache 2.4.29 on an Ubuntu 18.04.4 Google Cloud f1.micro Compute Instance. My Certbot is 0.31.0.

http://photos.evelynferwalt.com

None of your photos, tutoring or videos subdomains redirect for me:

$ curl -X GET -I http://tutoring.evelynferwalt.com/
HTTP/1.1 200 OK
Date: Fri, 05 Jun 2020 00:34:09 GMT
Server: Apache/2.4.29 (Ubuntu)
Link: <http://tutoring.evelynferwalt.com/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

$ curl -X GET -I http://videos.evelynferwalt.com/
HTTP/1.1 200 OK
Date: Fri, 05 Jun 2020 00:37:25 GMT
Server: Apache/2.4.29 (Ubuntu)
Link: <http://videos.evelynferwalt.com/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

$ curl -X GET -I http://photos.evelynferwalt.com
HTTP/1.1 200 OK
Date: Fri, 05 Jun 2020 00:37:34 GMT
Server: Apache/2.4.29 (Ubuntu)
Link: <http://photos.evelynferwalt.com/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

You may be experiencing the effects of browser caching of a permanent (301) redirect which was setup previously. That can produce confusion if you rely on the browser to determine whether there’s a redirect or not.

Your base domain does redirect for me, but it’s the only one:

$ curl -X GET -I http://evelynferwalt.com
HTTP/1.1 301 Moved Permanently
Date: Fri, 05 Jun 2020 00:38:20 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://evelynferwalt.com/
Content-Length: 317
Content-Type: text/html; charset=iso-8859-1

How do you have your virtual hosts setup? How you setup the redirect sort of depends how you are sharing the wildcard certificate between all of your subdomains, and whether you used Certbot’s Apache installer, or whether you set your config up manually:

apachectl -t -D DUMP_VHOSTS

When I ran the command

apachectl -t -D DUMP_VHOSTS

I was confronted with this error:

AH00526: Syntax error on line 38 of /etc/apache2/sites-enabled/evelynferwalt.com-le-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/evelynferwalt.com/fullchain.pem’ does not exist or
is empty
Action ‘-t -D DUMP_VHOSTS’ failed.
The Apache error log may have more information.

So I took a look into the fullchain.pem file listed there. It exists AND has two different certificates. So I guess it’s just having problems connecting the dots.

Would it help to paste my evelynferwalt.com-le-ssl.conf file? I’m unsure if it or the original .conf file contains anything incriminating. I always thought it was weird the SSL server conf was automatically put into another file.

Oops, you need to run that command as root.

VirtualHost configuration:
*:443 evelynferwalt.com (/etc/apache2/sites-enabled/evelynferwalt.com-le-ssl.conf:2)
*:80 evelynferwalt.com (/etc/apache2/sites-enabled/evelynferwalt.com.conf:6)

Are there any potential security risks from posting the contents of these .conf files?

Not unless you intentionally put sensitive information in them.

If that is the entire output of the command, then I’m puzzled. The redirect behavior should be identical for every domain.

In /etc/apache2/sites-enabled/evelynferwalt.com.conf, do you see the following?

RewriteEngine on
RewriteCond %{SERVER_NAME} =*.evelynferwalt.com [OR]
RewriteCond %{SERVER_NAME} =evelynferwalt.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Ah. I believe this is a bug in the way Certbot sets up redirects for wildcard domains.

Try this. Inside your virtual host in /etc/apache2/sites-enabled/evelynferwalt.com.conf, add this as the first line inside the <VirtualHost>:

UseCanonicalName on

and try restart Apache.

Edit: Looks like this is a known issue already: https://github.com/certbot/certbot/issues/3495

To answer your first question, yes, the “RewriteEngine on” conditional stuff is all there. I took your advice and tried out “UseCanonicalName on” in a couple different spots. When I added that to /etc/apache/apache2.conf, it made all subdomains simply forward to the main evelynferwalt.com domain. You’d try to go to videos.evelynferwalt.com, for example, and it’d forward to https://evelynferwalt.com.

When I added UseCanonicalName on to /etc/apache2/sites-enabled/evelynferwalt.com.conf, it did the same thing. When I tried to add UseCanonicalName to the evelynferwalt.com-le-ssl.conf, it didn’t do anything. You can see these options commented out below.

I’m still stuck with this problem! From what I can tell my config files are really weirdly set up anyway, so maybe it has to do with the way certbot automatic install + my manual fiddling might have jumbled the code.

Below is the current contents of /etc/apache2/sites-enabled/evelynferwalt.com.conf:

<Directory "/var/www/evelynferwalt.com">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
<VirtualHost *:80>
        #~~~Recommended fix: use canonical name
        #UseCanonicalName on

        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName evelynferwalt.com
        ServerAlias www.evelynferwalt.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/evelynferwalt.com
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.evelynferwalt.com [OR]
RewriteCond %{SERVER_NAME} =evelynferwalt.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Below is the current contents of /etc/apache2/sites-enabled/evelynferwalt.com-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        #~~~Suggested fix: use canonical name
        #UseCanonicalName on

        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName evelynferwalt.com
        ServerAlias www.evelynferwalt.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/evelynferwalt.com
        <Directory /var/www/www.example.com/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
        </Directory>
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        SSLCertificateFile /etc/letsencrypt/live/evelynferwalt.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/evelynferwalt.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Ah. Are you using something like a WordPress multi-site?

Instead of:

Try:

RewriteCond %{HTTP_HOST} evelynferwalt\.com$
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
1 Like

Yeah it’s on Wordpress multi-site for all the different subdomains. Thanks so much! You’re a real lifesaver. This solved the problem, and I confirmed it using the curl command you showed in the first reply message.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.