Redirect Loop | Certbot on Ubuntu 20.04 | Digital Ocean Droplet WordPress 1-Click

Cheers,

I've spun up a new Digital Ocean droplet using their 1-click-install WordPress + Ubuntu solution. It comes with Apache and Certbot pre-installed.

I ran the installation first with, then without, Certbot (many, many times), and I continue to come up with a redirection loop.

I'm not very familiar with VirtualHost files, but from my research it sure seems to have to do with that.

Here's my full output, from the second I first SSHed into the terminal, ran the setup command included by Digital Ocean, and ran Certbot.

Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat May 28 06:13:35 UTC 2022

  System load:  0.62              Users logged in:       0
  Usage of /:   4.5% of 57.98GB   IPv4 address for eth0: MYIPADDRESS
  Memory usage: 31%               IPv4 address for eth0: MYIPADDRESS
  Swap usage:   0%                IPv4 address for eth1: MYIPADDRESS
  Processes:    142

0 updates can be applied immediately.


********************************************************************************

Welcome to DigitalOcean's One-Click WordPress Droplet.
To keep this Droplet secure, the UFW firewall is enabled.
All ports are BLOCKED except 22 (SSH), 80 (HTTP), and 443 (HTTPS).

In a web browser, you can view:
 * The WordPress One-Click Quickstart guide: https://do.co/34TfYn8#start
 * The new WordPress site: http://MYIPADDRESS

On the server:
 * The default web root is located at /var/www/html
 * If you're using the embedded database, the MySQL root password
   and MySQL wordpress user password are saved in /root/.digitalocean_password
   If you've opted in to using a DBaaS instance with DigitalOcean, you will
   find your credentials written to /root/.digitalocean_dbaas_credentials and
   you will have access to a DATABASE_URL environment variable holding your
   database connection string.
 * The must-use WordPress security plugin, fail2ban, is located at
   /var/www/html/wp-content/mu-plugins/fail2ban.php
 * Certbot is preinstalled. Run it to configure HTTPS. See
   https://do.co/34TfYn8#enable-https for more detail.
 * For security, xmlrpc calls are blocked by default.  This block can be
    disabled by running "a2disconf block-xmlrpc" in the terminal.

IMPORTANT:
   After connecting to the Droplet for the first time,
   immediately add the WordPress administrator at http://MYIPADDRESS.

For help and more information, visit https://do.co/34TfYn8

********************************************************************************
To delete this message of the day: rm -rf /etc/update-motd.d/99-one-click
This script will copy the WordPress installation into
Your web root and move the existing one to /var/www/html.old
--------------------------------------------------
This setup requires a domain name.  If you do not have one yet, you may
cancel this setup, press Ctrl+C.  This script will run again on your next login
--------------------------------------------------
Enter the domain name for your new WordPress site.
(ex. example.org or test.example.org) do not include www or http/s
--------------------------------------------------
Domain/Subdomain name: mywebsite.com
Enabling conf block-xmlrpc.
To activate the new configuration, you need to run:
  systemctl reload apache2
Now we will create your new admin user account for WordPress.
Your Email Address: webmaster@mywebsite.com

Username: webmaster@mywebsite.com

Password: 

Blog Title: web

Is the information correct? [Y/n] y



Next, you have the option of configuring LetsEncrypt to secure your new site.  Before doing this, be sure that you have pointed your domain or subdomain to this server's IP address.  You can also run LetsEncrypt certbot later with the command 'certbot --apache'



Would you like to use LetsEncrypt (certbot) to configure SSL(https) for your new site? (y/n): n
Skipping LetsEncrypt certificate generation
/opt/digitalocean/wp_setup.sh: line 134: break: only meaningful in a `for', `while', or `until' loop
Finalizing installation...
--2022-05-28 06:14:17--  https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6494444 (6.2M) [application/octet-stream]
Saving to: ‘/usr/bin/wp’MYIPADDRESS

/usr/bin/wp                         100%[=================================================================>]   6.19M  --.-KB/s    in 0.02s   

2022-05-28 06:14:17 (332 MB/s) - ‘/usr/bin/wp’ saved [6494444/6494444]

Completing the configuration of WordPress.Success: WordPress installed successfully.
Installing WP fail2ban (4.4.0.4)
Downloading installation package from https://downloads.wordpress.org/plugin/wp-fail2ban.4.4.0.4.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Success: Installed 1 of 1 plugins.
Plugin 'wp-fail2ban' activated.
Success: Activated 1 of 1 plugins.
Installation complete. Access your new WordPress site in a browser to continue.
root@mywebsite:~# ls etc/
ls: cannot access 'etc/': No such file or directory
root@mywebsite:~# vim /etc/ap
apache2/    apparmor/   apparmor.d/ apport/     apt/        
root@mywebsite:~# vim /etc/ap
apache2/    apparmor/   apparmor.d/ apport/     apt/        
root@mywebsite:~# vim /etc/apache2/sites-
sites-available/ sites-enabled/   
root@mywebsite:~# vim /etc/apache2/sites-available/
root@mywebsite:~# vim /etc/apache2/sites-available/
000-default.conf            000-default.conf.dpkg-dist  default-ssl.conf            
root@mywebsite:~# vim /etc/apache2/sites-available/000-default.conf
root@mywebsite:~# snapd

Command 'snapd' not found, did you mean:

  command 'zsnapd' from deb zsnapd (0.8.11h-1ubuntu2)
  command 'snap' from deb snapd (2.51.1+20.04ubuntu2)
  command 'snmpd' from deb snmpd (5.8+dfsg-2ubuntu2.3)
  command 'slapd' from deb slapd (2.4.49+dfsg-2ubuntu1.8)

Try: apt install <deb name>

root@mywebsite:~# whereis snapd
snapd: /usr/lib/snapd
root@mywebsite:~# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): webmaster@mywebsite.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mywebsite.com
2: www.mywebsite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mywebsite.com
http-01 challenge for www.mywebsite.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-enabled/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-enabled/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mywebsite.com and
https://www.mywebsite.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mywebsite.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.mywebsite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mywebsite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mywebsite.com/privkey.pem
   Your cert will expire on 2022-08-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@mywebsite:~# 

Here are my VHost files:

/etc/apache2/sites-enabled/000-default.conf

# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        ServerName mywebsite.com
        ServerAlias www.mywebsite.com

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =mywebsite.com [OR]
RewriteCond %{SERVER_NAME} =www.mywebsite.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

/etc/apache2/sites-enabled/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost

        ServerName mywebsite.com
        ServerAlias www.mywebsite.com

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mywebsite.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mywebsite.com/privkey.pem
</VirtualHost>
</IfModule>

/etc/apache2/sites-available/000-default.conf

# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        ServerName $domain
        ServerAlias www.$domain

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Thanks for the quite elaborate opening post of your thread, that saves a lot of time asking for outputs and configuration files :smiley:

I don't see anything weird in your virtualhosts. However, sometimes WordPress also messes around with redirects due to the URL setting in WordPress's own configuration. Sometimes this can be tested using the command-line program curl (to see the headers), but you haven't mentioned your hostname, so I can't test that. Note that mentioning your actual hostname is mandatory to get help, as specified in the questionnaire instructions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

3 Likes
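The reply above suggests inspecting the redirect headers with curl, and the opening post's vhosts show where a server-side redirect rule lives. The script below is an added example, not code from the thread or from Certbot or DigitalOcean: it walks a redirect chain one hop at a time (the way `curl -I` lets you do by hand) and reports the first URL that comes back a second time, which is the symptom of the loop described in the thread. So that it runs offline, it starts a throw-away local origin whose `/` always answers `301` to itself, imitating a rewrite rule that never changes the effective URL; that origin, its port and the `/ok` path are constructed for the example.

```python
"""Follow an HTTP redirect chain hop by hop and flag loops.

Added example, not from the forum thread. The local origin below is a
constructed stand-in for a misconfigured vhost: '/' redirects to itself,
'/ok' serves a plain 200.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


class LoopingOrigin(BaseHTTPRequestHandler):
    """Constructed test origin: '/' redirects to itself, '/ok' serves 200."""

    def do_GET(self):
        if self.path == "/ok":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"fine\n")
            return
        # Same host, same path: the effective URL never changes, so a
        # client that follows this blindly goes round forever.
        self.send_response(301)
        self.send_header("Location", "http://%s%s" % (self.headers["Host"], self.path))
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_origin():
    """Run the constructed origin on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), LoopingOrigin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def follow_chain(url, max_hops=MAX_HOPS):
    """Return (status, hops, looped) for a starting URL.

    status: final status code, or None when the chain was cut off.
    hops:   every URL requested, in order (plus the repeated one on a loop).
    looped: True as soon as a URL would be requested a second time.
    """
    hops = []
    while len(hops) < max_hops:
        if url in hops:
            return None, hops + [url], True
        hops.append(url)
        parts = urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.hostname, parts.port, timeout=5)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        # One request per hop, no automatic following, so each hop is visible.
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        conn.close()
        if resp.status in (301, 302, 303, 307, 308):
            location = resp.getheader("Location")
            if not location:
                return resp.status, hops, False
            url = urljoin(url, location)
            continue
        return resp.status, hops, False
    return None, hops, False


def demo():
    """Run both paths against the constructed origin and return the results."""
    srv = start_origin()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    looping = follow_chain(base + "/")
    healthy = follow_chain(base + "/ok")
    srv.shutdown()
    return looping, healthy


if __name__ == "__main__":
    looping, healthy = demo()
    print("looping chain:", looping)
    print("healthy chain:", healthy)
```

Point it at a real site by calling `follow_chain("https://example.org/")` instead of the local origin; a loop between two different URLs (HTTP to HTTPS and back, as the next reply describes) shows up the same way, because the second visit to either URL trips the check.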

Since certbot is already redirecting, ensure that WP is not.
Likely scenario:

  • certbot redirecting HTTP to HTTPS
  • WP redirecting HTTPS to HTTP

Also, check any .htaccess files.

2 Likes

Ah, silly me. Now I know!

The domain name is actually currently pointing to the live version of the website. The IP address of the Droplet with the site-in-question is: https://143.244.177.63, and the website is https://cavetta.marketing.

And here, you folks have led me to see the issue: when I navigate to the IP address, it's redirecting me to cavetta.marketing. Which means, it's continually performing that loop when the A record is pointed to that IP address. Huh.

I'm not sure how to prevent WordPress from performing that redirect, though. There are only two .htaccess files, and neither contains any redirection rules. Thoughts?

Thank you for your response. I discovered the issue. I had improperly configured my Cloudflare SSL and HTTPS redirect settings. These are the settings I now use that work well:

  • DNS A Record pointing to Droplet IPv4

  • SSL/TLS > Overview > Flexible

  • SSL/TLS > Edge Certificates > Always Use HTTPS Enabled

  • Rules > Page Rules > *url.com* SSL: Flexible

Also, I was experiencing a redirection loop, due to using Certbot to set up HTTPS redirection and an SSL on the Droplet, without realizing that Cloudflare was taking care of that for me.

2 Likes
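The earlier reply describes the loop as one side redirecting HTTP to HTTPS while the other sends HTTPS back to HTTP; the final post identifies the concrete cause as Cloudflare's Flexible SSL sitting in front of an origin that carries Certbot's redirect rule. The model below is an added example, not code from the thread, Certbot or Cloudflare. It plays the two parties as pure functions: `edge` is the proxy (TLS to the browser, and to the origin either plaintext in Flexible mode or TLS in Full mode), `origin` is the vhost with a "redirect when the scheme is http" rule, and `browse` walks the hops with a cap. The proxy address range, the `PROXY_IP` and the host name are constructed for the model; the `X-Forwarded-Proto` header is the standard one proxies send, but whether a given CDN sets it should be checked against that CDN's documentation. It also shows the hardened origin: honouring `X-Forwarded-Proto` only from the proxy's own addresses, since a client that reaches the origin directly could otherwise assert "https" on a plaintext request.

```python
"""Model of the proxy-in-front-of-Certbot redirect loop.

Added example, not from the forum thread. Everything here is a model:
TRUSTED_PROXY and PROXY_IP are constructed values, not a real CDN's ranges.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

TRUSTED_PROXY = ip_network("192.0.2.0/24")   # constructed proxy egress range
PROXY_IP = "192.0.2.10"                      # constructed proxy address

FLEXIBLE = "flexible"   # browser<->edge TLS, edge<->origin plain HTTP
FULL = "full"           # TLS on both legs; the origin's own cert is used


def origin(scheme, headers, remote_ip, trust_forwarded_proto):
    """One request as the origin vhost sees it; returns (status, location).

    scheme is the transport actually used on the edge->origin leg. The
    Certbot-style rule fires whenever the *effective* scheme is http.
    """
    effective = scheme
    if (trust_forwarded_proto
            and ip_address(remote_ip) in TRUSTED_PROXY
            and headers.get("X-Forwarded-Proto") == "https"):
        # Only a request from the proxy may claim the browser leg was TLS.
        effective = "https"
    if effective == "http":
        return 301, "https://" + headers["Host"] + "/"
    return 200, None


def edge(mode, url, origin_fn):
    """The proxy: bounce plain-HTTP visitors, forward the rest per mode."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # "Always Use HTTPS" at the edge.
        return 301, "https://" + parts.netloc + "/"
    leg_scheme = "https" if mode == FULL else "http"
    headers = {"Host": parts.netloc, "X-Forwarded-Proto": parts.scheme}
    return origin_fn(leg_scheme, headers, PROXY_IP)


def browse(url, mode, trust_forwarded_proto, max_hops=5):
    """Follow redirects through the edge; returns (final_status, hops, looped)."""
    hops = [url]
    while len(hops) <= max_hops:
        status, location = edge(
            mode, hops[-1],
            lambda s, h, ip: origin(s, h, ip, trust_forwarded_proto))
        if status != 301:
            return status, hops, False
        if location in hops:
            return None, hops + [location], True
        hops.append(location)
    return None, hops, False


if __name__ == "__main__":
    site = "https://example.test/"   # constructed host name
    print("flexible, origin redirects on http:", browse(site, FLEXIBLE, False))
    print("full, origin sees TLS:               ", browse(site, FULL, False))
    print("flexible, origin trusts proxy header:", browse(site, FLEXIBLE, True))
    print("plain http visitor, full:            ", browse("http://example.test/", FULL, False))
```

The first call reproduces the thread's loop: the browser asks for HTTPS, the edge forwards plaintext, the origin's rule answers with a redirect to the very URL the browser already asked for. The two non-looping fixes are switching the proxy to Full mode so the origin's certificate is actually used on the second leg, or teaching the origin to read the forwarded scheme from the proxy and nowhere else. Dropping the origin's redirect altogether (what the final post ended up with) also stops the loop, but leaves the edge-to-origin leg in plaintext.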