Redirect loop after installing certbot - new topic

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
am.arts-et-metiers.asso.fr

I ran this command:

snap install --classic certbot

It produced this output:

Website suffering from a redirect loop.
It says:
The page isn't redirecting properly

"An error occurred during a connection to am.arts-et-metiers.asso.fr.
This problem can sometimes be caused by disabling or refusing to accept cookies."

My web server is (include version):

Apache

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I want to make sure you know that I have Cloudflare on my setup, but its SSL/TLS mode is set to Full.

What do your vhost config files for that name show?

2 Likes

You might for other domain names, but am.arts-et-metiers.asso.fr is not proxied in Cloudflare. The A record points directly to your origin server (it looks like). If proxied in Cloudflare, these records point to Cloudflare's CDN edge.

nslookup am.arts-et-metiers.asso.fr
Address: 176.31.138.97
3 Likes

Is this what you're asking?
VirtualHost configuration:
127.0.0.1:80 127.0.0.1 (/etc/apache2/conf.d/status.conf:1)
*:443 is a NameVirtualHost
default server am.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/anakrys-le-ssl.conf:2)
port 443 namevhost am.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/anakrys-le-ssl.conf:2)
port 443 namevhost hesykhia2.gorgu.net (/etc/apache2/sites-enabled/default-ssl.conf:10)
port 443 namevhost emploi.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/ec-le-ssl.conf:1)
alias dev-ec.soce.fr
alias emploi.arts-et-metiers.fr
port 443 namevhost admin.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce-admin-le-ssl.conf:2)
alias admin.soce.fr
port 443 namevhost www.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce-le-ssl.conf:2)
alias www.soce.fr
alias soce.fr
alias arts-et-metiers.asso.fr
alias arts-et-metiers.fr
alias www.arts-et-metiers.fr
*:80 is a NameVirtualHost
default server hesykhia2.gorgu.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost hesykhia2.gorgu.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost am.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/anakrys.conf:2)
port 80 namevhost emploi.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/ec.conf:1)
alias dev-ec.soce.fr
alias emploi.arts-et-metiers.fr
port 80 namevhost admin.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce-admin.conf:1)
alias admin.soce.fr
port 80 namevhost www.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce.conf:1)
alias www.soce.fr
alias soce.fr
alias arts-et-metiers.asso.fr
alias arts-et-metiers.fr
alias www.arts-et-metiers.fr

So, just so I'm sure: do I need to proxy it to solve the issue?

On port 80:

# cat am.arts-et-metiers.asso.fr.conf

<VirtualHost *:80>
        ServerAdmin support@gadz.org
        ServerName am.arts-et-metiers.asso.fr
#       ServerAlias www.soce.fr soce.fr arts-et-metiers.asso.fr arts-et-metiers.fr www.arts-et-metiers.fr

        DocumentRoot /var/www/soce/web
        ErrorLog /var/log/apache2/error-anakrys.log
        LogLevel warn
        CustomLog /var/log/apache2/access-anakrys.log combined
        ServerSignature Off
        Alias /sf /var/www/soce/symfony_embarque/data/web/sf

        RewriteEngine on

        <Directory /var/www/soce/web/>
                AllowOverride All
        </Directory>

        # PHP-FPM
        <FilesMatch "\.php$">
                ProxyErrorOverride on
                SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost/"
        </FilesMatch>
        <Proxy "fcgi://localhost/">
                ProxySet timeout=3600
        </Proxy>

        # Send every plain-HTTP request for this name to HTTPS
        # (this is the form certbot's --apache redirect option writes)
        RewriteCond %{SERVER_NAME} =am.arts-et-metiers.asso.fr
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

On port 443:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin support@gadz.org
        ServerName am.arts-et-metiers.asso.fr
#       ServerAlias www.soce.fr soce.fr arts-et-metiers.asso.fr arts-et-metiers.fr www.arts-et-metiers.fr

        DocumentRoot /var/www/soce/web
        ErrorLog /var/log/apache2/error-anakrys-le-ssl.log
        LogLevel warn
        CustomLog /var/log/apache2/access-anakrys-le-ssl.log combined
        ServerSignature Off
        Alias /sf /var/www/soce/symfony_embarque/data/web/sf

        RewriteEngine on

        RewriteRule /espaceMembre$ https://www.arts-et-metiers.asso.fr/me/show [L,R,NE]

        <Directory /var/www/soce/web/>
                AllowOverride All
        </Directory>

        # PHP-FPM
        <FilesMatch "\.php$">
                ProxyErrorOverride on
                SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost/"
        </FilesMatch>
        <Proxy "fcgi://localhost/">
                ProxySet timeout=3600
        </Proxy>

        Include /etc/letsencrypt/options-ssl-apache.conf
#       SSLCertificateFile /etc/letsencrypt/live/am.arts-et-metiers.asso.fr/fullchain.pem
#       SSLCertificateKeyFile /etc/letsencrypt/live/am.arts-et-metiers.asso.fr/privkey.pem
        SSLCertificateFile /etc/letsencrypt/live/emploi.arts-et-metiers.asso.fr-0001/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/emploi.arts-et-metiers.asso.fr-0001/privkey.pem
</VirtualHost>
</IfModule>

Did you change something?
[maybe in CloudFlare]

The site is working now!

2 Likes

Hi!
I proxied the DNS record in Cloudflare.
Please help me understand.

I didn't install certbot on my server. I didn't install any Let's Encrypt certificates. But my websites are secured using SSL certificates from Cloudflare.

So I don't want to touch it anymore, but I'd like to understand and make sure no errors will arise at some point. We used to use Let's Encrypt. I didn't understand how proxying the A record solved the issue.

You should visit the Cloudflare docs and community forums for the Cloudflare instructions.

One important thing to know is when you proxy your DNS in Cloudflare you are now using its CDN. With any CDN there are two connections between the client (for example a browser) and your Origin Server.

There is an HTTPS connection between the browser and the CDN Edge. The CDN gets and uses a cert for this. Cloudflare uses Let's Encrypt as one of its cert providers. You are not involved in getting or renewing this cert, Cloudflare does this.

There is also a connection between the CDN Edge and your Origin Server. This should also be HTTPS and needs a cert in your Origin Server for this. Cloudflare even offers something called an Origin CA Cert for this purpose. It has some limitations but for simple cases works very well.

Again, though, the Cloudflare docs and community are the best place to learn about it.

3 Likes

I would like to install certbot on my origin server but I'm afraid to break my websites again.
Can you please help? I'm not familiar with CDN, nor certifications apparently...

Why do you think you need Certbot on your Origin Server?

Here is a good Cloudflare starting point. Their Origin CA Cert may be helpful to you when you get to that section.

3 Likes

Because my websites were accessible but the payments made on them were not going through, because I had to proxy my Cloudflare DNS record to use the Cloudflare SSL certificates.

What I did for now is: download certbot and generate my SSL certificates, uninstall certbot and remove the proxy on Cloudflare. My websites are now on my Let's Encrypt SSL from the origin server and the payments are working.

But I'd like not to have to remove certbot.

Can you please help? I'm wondering if it's not due to the fact that I upgraded my OS from Debian 9 to Debian 11, and that it wasn't a native Debian 11. Maybe there's a glitch there with certbot.

Please help.

You should not remove certbot after getting certs. It can auto-renew your certs usually every 60 days.

You should reinstall certbot and check your certs with

sudo certbot certificates
3 Likes

If I leave certbot on my server, my website is in an infinite loop. And not accessible. I tried removing all rules to redirect HTTP to HTTPS from my vhost conf files and from cloudflare but it still doesn't work.

I'd like to be able to install and leave certbot installed. So if you have any idea I'd take it.

Certbot is just a program. It can't affect how your server behaves. It gets a cert and can renew certs. That's all.

But, I guess what you really mean is that if you have a cert in your Apache Origin Server you get a redirect loop when you re-proxy your domain in Cloudflare. In that case you need to review your Cloudflare SSL Settings. Or, just never proxy your domain.

Off-hand I don't remember which setting often causes trouble. But, you could find out pretty quickly on the Cloudflare community forum. Someone else here may remember better than I can right now.

3 Likes

When Cloudflare is set to proxy to your server via HTTP and your server redirects HTTP to HTTPS.

3 Likes
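The loop described in this reply and the "two connections" explanation a few posts up, as an added model that is not code from this thread or from Cloudflare: the edge's SSL/TLS mode decides which scheme the origin sees, and the posted *:80 vhost answers every plain-HTTP request with a redirect back to HTTPS. The mode names ("flexible", "full", "dns_only"), the `origin`/`cloudflare_edge`/`browse` helpers and the hop budget are assumptions for illustration.

```python
"""Constructed model of a Cloudflare-to-origin redirect loop (not the thread's code)."""

ORIGIN_HOST = "am.arts-et-metiers.asso.fr"  # host name from the thread


def origin(scheme, path):
    """Origin Apache as posted: the *:80 vhost rewrites to https://, the *:443 vhost serves."""
    if scheme == "http":
        return 301, {"Location": "https://%s%s" % (ORIGIN_HOST, path)}
    return 200, {}


def cloudflare_edge(ssl_mode, scheme, path):
    """What the client reaches. 'dns_only' = record not proxied, browser talks to
    the origin directly. 'flexible' = edge terminates TLS and always uses plain
    HTTP to the origin. 'full' = edge mirrors the client's scheme to the origin.
    (Mode names are assumptions standing in for the Cloudflare SSL/TLS setting.)"""
    if ssl_mode == "flexible":
        return origin("http", path)
    if ssl_mode in ("full", "dns_only"):
        return origin(scheme, path)
    raise ValueError("unknown mode: %s" % ssl_mode)


def browse(ssl_mode, url, max_hops=10):
    """Follow redirects like a browser. Returns ('ok'|'loop'|'too_many_redirects', chain).
    A URL that repeats in the chain is the loop Firefox reports as
    'The page isn't redirecting properly'."""
    chain = [url]
    for _ in range(max_hops):
        scheme, rest = url.split("://", 1)
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
        status, headers = cloudflare_edge(ssl_mode, scheme, path)
        if status == 200:
            return "ok", chain
        url = headers["Location"]
        if url in chain:
            return "loop", chain + [url]
        chain.append(url)
    return "too_many_redirects", chain


if __name__ == "__main__":
    for mode in ("dns_only", "full", "flexible"):
        print(mode, browse(mode, "http://%s/" % ORIGIN_HOST))
```

With the record proxied in Flexible mode the origin never sees HTTPS, so its redirect fires on every hop; unproxied or in Full mode the second hop lands on the *:443 vhost and stops.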

I know it's crazy, and I don't understand either. But I can assure you that the install of certbot itself makes the website crash. Whatever and however the rest is configured.
I have worked with an experienced admin this morning who lost it too, because of that.
Simply put, as soon as I install certbot, my websites crash.

I tried that. Didn't work. I deleted every redirection on both cloudflare and the server. Still, if certbot is on the server the websites won't work.

What do the Apache logs look like when this happens?

Installing Certbot does not affect your Apache config files. Certbot will change your Apache config when you use the --apache plug-in to acquire a cert but not during install of Certbot itself.

3 Likes