Cheers,
I've spun up a new Digital Ocean droplet using their 1-click-install WordPress + Ubuntu solution. It comes with Apache and Certbot pre-installed.
I first ran the installation both initially with, then without Certbot (many, many times), and I continue to come up with a redirection loop.
I'm not very familiar with VirtualHost files, but it sure seems to do with that, from my research.
Here's my full output, from the second I first SSHed into the terminal, ran the setup command included by Digital Ocean, and ran Certbot.
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat May 28 06:13:35 UTC 2022
System load: 0.62 Users logged in: 0
Usage of /: 4.5% of 57.98GB IPv4 address for eth0: MYIPADDRESS
Memory usage: 31% IPv4 address for eth0: MYIPADDRESS
Swap usage: 0% IPv4 address for eth1: MYIPADDRESS
Processes: 142
0 updates can be applied immediately.
********************************************************************************
Welcome to DigitalOcean's One-Click WordPress Droplet.
To keep this Droplet secure, the UFW firewall is enabled.
All ports are BLOCKED except 22 (SSH), 80 (HTTP), and 443 (HTTPS).
In a web browser, you can view:
* The WordPress One-Click Quickstart guide: https://do.co/34TfYn8#start
* The new WordPress site: http://MYIPADDRESS
On the server:
* The default web root is located at /var/www/html
* If you're using the embedded database, the MySQL root password
and MySQL wordpress user password are saved in /root/.digitalocean_password
If you've opted in to using a DBaaS instance with DigitalOcean, you will
find your credentials written to /root/.digitalocean_dbaas_credentials and
you will have access to a DATABASE_URL environment variable holding your
database connection string.
* The must-use WordPress security plugin, fail2ban, is located at
/var/www/html/wp-content/mu-plugins/fail2ban.php
* Certbot is preinstalled. Run it to configure HTTPS. See
https://do.co/34TfYn8#enable-https for more detail.
* For security, xmlrpc calls are blocked by default. This block can be
disabled by running "a2disconf block-xmlrpc" in the terminal.
IMPORTANT:
After connecting to the Droplet for the first time,
immediately add the WordPress administrator at http://MYIPADDRESS.
For help and more information, visit https://do.co/34TfYn8
********************************************************************************
To delete this message of the day: rm -rf /etc/update-motd.d/99-one-click
This script will copy the WordPress installation into
Your web root and move the existing one to /var/www/html.old
--------------------------------------------------
This setup requires a domain name. If you do not have one yet, you may
cancel this setup, press Ctrl+C. This script will run again on your next login
--------------------------------------------------
Enter the domain name for your new WordPress site.
(ex. example.org or test.example.org) do not include www or http/s
--------------------------------------------------
Domain/Subdomain name: mywebsite.com
Enabling conf block-xmlrpc.
To activate the new configuration, you need to run:
systemctl reload apache2
Now we will create your new admin user account for WordPress.
Your Email Address: webmaster@mywebsite.com
Username: webmaster@mywebsite.com
Password:
Blog Title: web
Is the information correct? [Y/n] y
Next, you have the option of configuring LetsEncrypt to secure your new site. Before doing this, be sure that you have pointed your domain or subdomain to this server's IP address. You can also run LetsEncrypt certbot later with the command 'certbot --apache'
Would you like to use LetsEncrypt (certbot) to configure SSL(https) for your new site? (y/n): n
Skipping LetsEncrypt certificate generation
/opt/digitalocean/wp_setup.sh: line 134: break: only meaningful in a `for', `while', or `until' loop
Finalizing installation...
--2022-05-28 06:14:17-- https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6494444 (6.2M) [application/octet-stream]
Saving to: ‘/usr/bin/wp’MYIPADDRESS
/usr/bin/wp 100%[=================================================================>] 6.19M --.-KB/s in 0.02s
2022-05-28 06:14:17 (332 MB/s) - ‘/usr/bin/wp’ saved [6494444/6494444]
Completing the configuration of WordPress.Success: WordPress installed successfully.
Installing WP fail2ban (4.4.0.4)
Downloading installation package from https://downloads.wordpress.org/plugin/wp-fail2ban.4.4.0.4.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Success: Installed 1 of 1 plugins.
Plugin 'wp-fail2ban' activated.
Success: Activated 1 of 1 plugins.
Installation complete. Access your new WordPress site in a browser to continue.
root@mywebsite:~# ls etc/
ls: cannot access 'etc/': No such file or directory
root@mywebsite:~# vim /etc/ap
apache2/ apparmor/ apparmor.d/ apport/ apt/
root@mywebsite:~# vim /etc/ap
apache2/ apparmor/ apparmor.d/ apport/ apt/
root@mywebsite:~# vim /etc/apache2/sites-
sites-available/ sites-enabled/
root@mywebsite:~# vim /etc/apache2/sites-available/
root@mywebsite:~# vim /etc/apache2/sites-available/
000-default.conf 000-default.conf.dpkg-dist default-ssl.conf
root@mywebsite:~# vim /etc/apache2/sites-available/000-default.conf
root@mywebsite:~# snapd
Command 'snapd' not found, did you mean:
command 'zsnapd' from deb zsnapd (0.8.11h-1ubuntu2)
command 'snap' from deb snapd (2.51.1+20.04ubuntu2)
command 'snmpd' from deb snmpd (5.8+dfsg-2ubuntu2.3)
command 'slapd' from deb slapd (2.4.49+dfsg-2ubuntu1.8)
Try: apt install <deb name>
root@mywebsite:~# whereis snapd
snapd: /usr/lib/snapd
root@mywebsite:~# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): webmaster@mywebsite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mywebsite.com
2: www.mywebsite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mywebsite.com
http-01 challenge for www.mywebsite.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-enabled/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-enabled/000-default-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mywebsite.com and
https://www.mywebsite.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mywebsite.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.mywebsite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mywebsite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mywebsite.com/privkey.pem
Your cert will expire on 2022-08-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@mywebsite:~#
Here are my VHost files:
/etc/apache2/sites-enabled/000-default.conf
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName mywebsite.com
ServerAlias www.mywebsite.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =mywebsite.com [OR]
RewriteCond %{SERVER_NAME} =www.mywebsite.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
/etc/apache2/sites-enabled/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName mywebsite.com
ServerAlias www.mywebsite.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mywebsite.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mywebsite.com/privkey.pem
</VirtualHost>
</IfModule>
/etc/apache2/sites-available/000-default.conf
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName $domain
ServerAlias www.$domain
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>```