Redirect to HTTPS Not Working for All Sites

My domain is:
studiowrenn.com, crow.cx, bhumsiva.com, crow.black

My web server is (include version):
Apache/2.4.62

The operating system my web server runs on is (include version):
Ubuntu 22.04.4

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.21.0

When I access my sites by typing in http vs https, only the domain under the certificate name crow.cx redirects to https. The others will load the http site. I need them all to redirect to https.

I have the boilerplate htaccess
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.studiowrenn.com [OR]
RewriteCond %{SERVER_NAME} =studiowrenn.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

I can only test this on Safari mobile or desktop; it seems Chromium-based browsers do some automatic redirection that Safari doesn't.

When I run

certbot certificates

it shows my certificate name as crow.cx

When I check the certificate in the browser it says the certificate name is bhumsiva.com

Only the crow.cx site redirects properly to https; none of the other sites redirect properly. I'm not sure why there is a name mismatch, but I wonder if that might be the problem.

Hello @kinglet, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here, details on Apache can be found in documentation and forums:

2 Likes

Thank you for the reply; however, I've never had this issue before I installed certbot. You can imply it's Apache, but it's also certbot that writes those lines to my conf files.

1 Like

It can depending on how you ran Certbot. I'll assume you used the --apache plugin without certonly.

I don't see any of your domains redirecting. All HTTP requests are handled directly. You cannot easily test this in browsers. Some of them try both HTTP and HTTPS and use HTTPS if it works. Curl is probably the easiest way to test this. It is a useful tool to learn.

Let us start by having you show us output of this

sudo apache2ctl -t -D DUMP_VHOSTS

Here is what I see with curl for this domain. Note no redirect just a "200"

curl -I http://crow.cx
HTTP/1.1 200 OK
Server: Apache/2.4.62 (Ubuntu)

I'll add that your HTTPS requests seem fine on several domains I checked, so probably all are fine. A tool like the one below, or openssl, or SSL Labs is a better way to check certs than using a browser. Browsers try hard to present a working page to their users even for servers that are not configured optimally. They also often cache previous results. See: SSL Checker

4 Likes
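The post above tests the HTTP side with `curl -I` and reads the status line by hand. As an added example that is not part of the thread, the shell function below classifies such a response from its raw headers: a 301/302/307/308 with an `https://` Location is the redirect the original poster wants, a 3xx pointing back to `http://` is the redirect-loop shape mentioned later in the thread, and anything else is served as plain HTTP. The header samples are constructed to mirror the thread's `curl -I` output; on a live server you would pipe `curl -sI http://crow.cx` into the function instead.

```sh
#!/bin/sh
# Added example: classify the first response to a plain-HTTP request.
# Samples are constructed (shape of `curl -sI http://example` output).

# classify_http_response: read raw HTTP response headers on stdin and
# print one of:
#   redirect-https <location>   3xx to an https:// URL (what we want)
#   redirect-other <location>   3xx to something else (e.g. back to http://)
#   no-redirect <status>        no redirect at all, page served over HTTP
classify_http_response() {
    awk '
        { sub(/\r$/, "") }                        # curl headers are CRLF-terminated
        NR == 1 { status = $2 }                   # "HTTP/1.1 301 Moved Permanently"
        tolower($1) == "location:" { loc = $2 }   # Location header value
        END {
            if (status ~ /^30[1278]$/) {
                if (loc ~ /^https:\/\//) print "redirect-https " loc
                else print "redirect-other " loc
            } else {
                print "no-redirect " status
            }
        }
    '
}

# Constructed sample: what the thread shows for crow.cx (no redirect).
SAMPLE_PLAIN='HTTP/1.1 200 OK
Server: Apache/2.4.62 (Ubuntu)
Content-Type: text/html
'

# Constructed sample: the response a working RewriteRule would produce.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.62 (Ubuntu)
Location: https://crow.cx/
Content-Type: text/html; charset=iso-8859-1
'

# Constructed sample: a redirect back to http://, which would loop.
SAMPLE_LOOP='HTTP/1.1 302 Found
Server: Apache/2.4.62 (Ubuntu)
Location: http://crow.cx/
'

# Demo run over the three samples. Against a real host:
#   curl -sI http://crow.cx | classify_http_response
for s in "$SAMPLE_PLAIN" "$SAMPLE_REDIRECT" "$SAMPLE_LOOP"; do
    printf '%s' "$s" | classify_http_response
done
```

Because the function only looks at the first response, it reports exactly what the browser-based check in the thread hides: a 200 here means the port-80 VirtualHost that actually answered has no active redirect, regardless of what the certificate or the HTTPS side looks like.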

Thanks for those tools.

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com-le-ssl.conf:2)
         port 443 namevhost bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com-le-ssl.conf:2)
                 alias www.bhumsiva.com
         port 443 namevhost castironkismet.com (/etc/apache2/sites-enabled/castironkismet.com-le-ssl.conf:2)
                 alias www.castironkismet.com
         port 443 namevhost crow.black (/etc/apache2/sites-enabled/crow.black-le-ssl.conf:2)
                 alias www.crow.black
         port 443 namevhost crow.cx (/etc/apache2/sites-enabled/crow.cx-le-ssl.conf:2)
                 alias www.crow.cx
         port 443 namevhost finch.red (/etc/apache2/sites-enabled/finch.red-le-ssl.conf:2)
                 alias www.finch.red
         port 443 namevhost medina.photo (/etc/apache2/sites-enabled/medina.photo-le-ssl.conf:2)
                 alias www.medina.photo
         port 443 namevhost nannypawpinz.com (/etc/apache2/sites-enabled/nannypawpinz.com-le-ssl.conf:2)
                 alias www.nannypawpinz.com
         port 443 namevhost organicdreampillows.com (/etc/apache2/sites-enabled/organicdreampillows.com-le-ssl.conf:2)
                 alias www.organicdreampillows.com
         port 443 namevhost pdxvr.com (/etc/apache2/sites-enabled/pdxvr.com-le-ssl.conf:2)
                 alias www.pdxvr.com
         port 443 namevhost studiowrenn.com (/etc/apache2/sites-enabled/studiowrenn.com-le-ssl.conf:2)
                 alias www.studiowrenn.com
*:80                   is a NameVirtualHost
         default server bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com-le-ssl.conf:16)
         port 80 namevhost bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com-le-ssl.conf:16)
                 alias www.bhumsiva.com
         port 80 namevhost bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com.conf:1)
                 alias www.bhumsiva.com
         port 80 namevhost castironkismet.com (/etc/apache2/sites-enabled/castironkismet.com-le-ssl.conf:16)
                 alias www.castironkismet.com
         port 80 namevhost castironkismet.com (/etc/apache2/sites-enabled/castironkismet.com.conf:1)
                 alias www.castironkismet.com
         port 80 namevhost crow.black (/etc/apache2/sites-enabled/crow.black-le-ssl.conf:22)
                 alias www.crow.black
         port 80 namevhost crow.black (/etc/apache2/sites-enabled/crow.black.conf:1)
                 alias www.crow.black
         port 80 namevhost crow.cx (/etc/apache2/sites-enabled/crow.cx-le-ssl.conf:28)
                 alias www.crow.cx
         port 80 namevhost crow.cx (/etc/apache2/sites-enabled/crow.cx.conf:1)
                 alias www.crow.cx
         port 80 namevhost finch.red (/etc/apache2/sites-enabled/finch.red-le-ssl.conf:16)
                 alias www.finch.red
         port 80 namevhost finch.red (/etc/apache2/sites-enabled/finch.red.conf:1)
                 alias www.finch.red
         port 80 namevhost lalunaloca.com (/etc/apache2/sites-enabled/lalunaloca.com.conf:1)
                 alias www.lalunaloca.com
         port 80 namevhost medina.photo (/etc/apache2/sites-enabled/medina.photo-le-ssl.conf:16)
                 alias www.medina.photo
         port 80 namevhost medina.photo (/etc/apache2/sites-enabled/medina.photo.conf:1)
                 alias www.medina.photo
         port 80 namevhost nannypawpinz.com (/etc/apache2/sites-enabled/nannypawpinz.com-le-ssl.conf:23)
                 alias www.nannypawpinz.com
         port 80 namevhost nannypawpinz.com (/etc/apache2/sites-enabled/nannypawpinz.com.conf:1)
                 alias www.nannypawpinz.com
         port 80 namevhost organicdreampillows.com (/etc/apache2/sites-enabled/organicdreampillows.com-le-ssl.conf:16)
                 alias www.organicdreampillows.com
         port 80 namevhost organicdreampillows.com (/etc/apache2/sites-enabled/organicdreampillows.com.conf:1)
                 alias www.organicdreampillows.com
         port 80 namevhost pdxvr.com (/etc/apache2/sites-enabled/pdxvr.com-le-ssl.conf:22)
                 alias www.pdxvr.com
         port 80 namevhost pdxvr.com (/etc/apache2/sites-enabled/pdxvr.com.conf:1)
                 alias www.pdxvr.com
         port 80 namevhost studiowrenn.com (/etc/apache2/sites-enabled/studiowrenn.com-le-ssl.conf:16)
                 alias www.studiowrenn.com
         port 80 namevhost studiowrenn.com (/etc/apache2/sites-enabled/studiowrenn.com.conf:1)
                 alias www.studiowrenn.com

I've found sometimes the http sites seem to load slowly and the https ones are much faster, so that's my main concern. I don't really mind serving insecure content when I know the https content is still there; however, I would prefer to have the redirects work. They look like they are correct for all the searching I can find. I'm not sure why I'm having this problem now.

Looks like you have the same pattern of problem for all of them.

Note you have two VirtualHosts for port 80 for the same domain names. One in a "conf" file and another in the "-le-ssl.conf" file.

Apache allows this, but it will not behave as you expect. You should only have a domain name in one place for the same port.

Please show the contents of these two files

/etc/apache2/sites-enabled/bhumsiva.com.conf
/etc/apache2/sites-enabled/bhumsiva.com-le-ssl.conf

It is hard to guess which solution is best without seeing those.

4 Likes
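The `DUMP_VHOSTS` output above is long, and the duplicate port-80 entries are easy to miss by eye. As an added example that is not part of the thread, the shell function below reads that output and prints every (port, ServerName) pair that is defined in more than one place, together with the files and line numbers Apache reported, which is exactly the condition the reply above warns about. The sample input is constructed in the shape of the thread's dump (a shortened copy with one duplicated domain); on the server you would pipe `sudo apache2ctl -t -D DUMP_VHOSTS` into it.

```sh
#!/bin/sh
# Added example: find domain names defined by more than one VirtualHost on
# the same port, from `apache2ctl -t -D DUMP_VHOSTS` output.
# SAMPLE_DUMP is constructed to mirror the thread's output (shortened).

SAMPLE_DUMP='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com-le-ssl.conf:2)
         port 443 namevhost bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com-le-ssl.conf:2)
                 alias www.bhumsiva.com
         port 443 namevhost crow.cx (/etc/apache2/sites-enabled/crow.cx-le-ssl.conf:2)
                 alias www.crow.cx
*:80                   is a NameVirtualHost
         default server bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com-le-ssl.conf:16)
         port 80 namevhost bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com-le-ssl.conf:16)
                 alias www.bhumsiva.com
         port 80 namevhost bhumsiva.com (/etc/apache2/sites-enabled/bhumsiva.com.conf:1)
                 alias www.bhumsiva.com
         port 80 namevhost crow.cx (/etc/apache2/sites-enabled/crow.cx.conf:1)
                 alias www.crow.cx
'

# find_duplicate_vhosts: read DUMP_VHOSTS text on stdin; for each
# "port <n> namevhost <name> (<file:line>)" line, count definitions per
# (port, name). Print "<port> <name> <file:line> <file:line>..." for every
# pair defined more than once, sorted. "default server" and "alias" lines
# are skipped because they do not introduce a new VirtualHost.
find_duplicate_vhosts() {
    awk '
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4
            file = $5
            gsub(/[()]/, "", file)               # strip the parentheses
            count[key]++
            files[key] = (count[key] == 1) ? file : files[key] " " file
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    print k " " files[k]
        }
    ' | sort
}

# Demo run on the constructed sample. On the server:
#   sudo apache2ctl -t -D DUMP_VHOSTS | find_duplicate_vhosts
printf '%s' "$SAMPLE_DUMP" | find_duplicate_vhosts
```

An empty result means every (port, name) pair lives in one file only, which is the state the reply says Apache needs. A non-empty line names both files so you can decide which VirtualHost to delete; in this thread the one in the `-le-ssl.conf` file is the stray copy.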

As it turns out, I had to leave town for a few days. I'll have to come back to this later this week.

1 Like

Gone longer than expected and also got sick. Ok, here's what I have in those files.

.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName bhumsiva.com
    ServerAlias www.bhumsiva.com
    DocumentRoot /var/www/bhumsiva
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.bhumsiva.com [OR]
RewriteCond %{SERVER_NAME} =bhumsiva.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName bhumsiva.com
    ServerAlias www.bhumsiva.com
    DocumentRoot /var/www/bhumsiva
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/crow.cx/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/crow.cx/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName bhumsiva.com
    ServerAlias www.bhumsiva.com
    DocumentRoot /var/www/bhumsiva
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =www.bhumsiva.com [OR]
# RewriteCond %{SERVER_NAME} =bhumsiva.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>
</IfModule>
1 Like

Well, welcome back. But don't you see the problem? Try removing the virtual host for port 80 from your SSL config file. It is duplicated with the other virtual host. One has the redirect statements commented out and the other has them active. So Apache has chosen the one you don't want.

3 Likes

Well I see the problem now that I know what it is and it has been pointed out :smile:

As to why the problem exists, I'm not sure, because I've been running this server without issues like this since 2018 and I've never edited these conf files. This issue seems recent, and unless updating/upgrading Ubuntu is writing to them, certbot is the likely culprit, as it created half of these conf files. Or probably something I did during recent certbot renewals or creations.

I'll fix and post back to mark solved.

Thanks again

2 Likes

Is it possible it has been wrong for a long time and you just noticed it recently?

3 Likes

It is, but that also doesn't change anything. I've never edited those files manually.

I don't have a good explanation for how this came about. But, once you remove the faulty VirtualHosts your system should behave correctly and be stable.

Usually Certbot changes are marked as such with comments. Your faulty VirtualHost just says:

# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

Maybe an ancient Certbot version did that. Maybe some subtle config change in your web server caused Certbot to create the second VirtualHost. Or maybe some other program modified those redirects. idk. The funny thing is those redirects are fine and would not cause a loop. If they had instead redirected to HTTP rather than HTTPS, then yes, a loop would result and they would have needed to be commented out. But who or what did that is a mystery for some other volunteer :slight_smile:

Modern Certbot versions would not make such a change. Even a version as old as your 1.21 would not. V1.21 is about 3 years old. You might want to look at using the snap install to stay current. It should work well on Ubuntu.

3 Likes

Just to be clear, I can remove everything in the VirtualHost tag, including the tag itself, from the ssl version conf file?

Yes, remove all of these lines from the ssl config file. While Apache will start up anyway, you should never have two VirtualHosts with the same domain name(s) for the same port. That has always been true. Apache really should issue warnings. We see problems caused by this often.

3 Likes

Fixed, thanks again!

4 Likes