Redirect to https:// partially working -- bug report


#1

This post regards apache 2.4 under ubuntu 16.04. And I think there is a bug in the apache2 configuration files as modified by the certbot installation process. (I’ll explain precisely what I did below.)

What I ended up with is the following contents in my sites-enabled/leftout.conf:

<VirtualHost *:80>                                                                                                                                                                                          
        ServerAdmin sleator@cs.cmu.edu                                                                                                                                                                      
        ServerName leftout.info                                                                                                                                                                             
        ServerAlias *.leftout.info                                                                                                                                                                          
                                                                                                                                                                                                            
        DocumentRoot /var/www/leftout                                                                                                                                                                       
        # the above cannot use the full path to the afs directory, because                                                                                                                                  
        # it gets hung up on an .htaccess file at /afs/cs.cmu.edu                                                                                                                                           
        # so instead this sym-link is set in /var/www  --DS                                                                                                                                                 
        <Directory />                                                                                                                                                                                       
                Options FollowSymLinks                                                                                                                                                                      
                AllowOverride FileInfo                                                                                                                                                                      
        </Directory>                                                                                                                                                                                        
        <Directory /var/www/leftout>                                                                                                                                                                        
                Options Indexes FollowSymLinks MultiViews                                                                                                                                                   
                AllowOverride FileInfo                                                                                                                                                                      
                Order allow,deny                                                                                                                                                                            
                allow from all                                                                                                                                                                              
        </Directory>                                                                                                                                                                                        
                                                                                                                                                                                                            
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/                                                                                                                                                             
        <Directory "/usr/lib/cgi-bin">                                                                                                                                                                      
                AllowOverride None                                                                                                                                                                          
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch                                                                                                                                          
                Order allow,deny                                                                                                                                                                            
                Allow from all                                                                                                                                                                              
        </Directory>                                                                                                                                                                                        
                                                                                                                                                                                                            
        AddHandler markdown .mark                                                                                                                                                                           
        Action markdown /cgi-bin/leftout-markdown-wrapper.pl                                                                                                                                                
                                                                                                                                                                                                            
        ErrorLog ${APACHE_LOG_DIR}/error.log                                                                                                                                                                
                                                                                                                                                                                                            
        # Possible values include: debug, info, notice, warn, error, crit,                                                                                                                                  
        # alert, emerg.                                                                                                                                                                                     
        LogLevel warn                                                                                                                                                                                       
                                                                                                                                                                                                            
        CustomLog ${APACHE_LOG_DIR}/access.log combined                                                                                                                                                     
                                                                                                                                                                                                            
    Alias /doc/ "/usr/share/doc/"                                                                                                                                                                           
    <Directory "/usr/share/doc/">                                                                                                                                                                           
        Options Indexes MultiViews FollowSymLinks                                                                                                                                                           
        AllowOverride None                                                                                                                                                                                  
        Order deny,allow                                                                                                                                                                                    
        Deny from all                                                                                                                                                                                       
        Allow from 127.0.0.0/255.0.0.0 ::1/128                                                                                                                                                              
    </Directory>                                                                                                                                                                                            
                                                                                                                                                                                                            
RewriteEngine on                                                                                                                                                                                            
RewriteCond %{SERVER_NAME} =leftout.info [OR]                                                                                                                                                               
RewriteCond %{SERVER_NAME} =*.leftout.info                                                                                                                                                                
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]                                                                                                                                     
</VirtualHost>                                                                                                                                                                                              

The only thing the certbot installation process did to this file was to add the four lines about the rewrite rules. With this configuration running I get these results:

$ curl -I leftout.info
HTTP/1.1 301 Moved Permanently
Date: Mon, 30 Jul 2018 11:52:42 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://leftout.info/
Content-Type: text/html; charset=iso-8859-1

$ curl -I www.leftout.info
HTTP/1.1 200 OK
Date: Mon, 30 Jul 2018 11:52:26 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html

Which is not what I want. I want http://www.leftout.info to be redirected to https://www.leftout.info

I fixed this by replacing the “*” in the RewriteCond with “www”. As in:

RewriteEngine on                                                                                                                                                                  
RewriteCond %{SERVER_NAME} =leftout.info [OR]                                                                                                                                     
RewriteCond %{SERVER_NAME} =www.leftout.info                                                                                                                                      
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]   

Now I get this result, which is what I wanted:

$ curl -I www.leftout.info
HTTP/1.1 301 Moved Permanently
Date: Mon, 30 Jul 2018 11:53:35 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://www.leftout.info/
Content-Type: text/html; charset=iso-8859-1

My installation was done with these commands (from certbot.eff.org)

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

Then later:

$ certbot certonly --cert-name leftout.info -d leftout.info,www.leftout.info,rangevoting.org,www.rangevoting.org

Anyway, I resolved this issue, but I thought I’d alert others of it. Thanks.


#2

This bug has at least been known since https://github.com/certbot/certbot/issues/3495 when @bmw opened the GitHub issue in 2016.

Looking at the lack of replies, there isn’t much pressure in getting it fixed (it’s also lacking a milestone). Perhaps it’s a rather uncommon method of using the ServerAlias directive in Apache?

Since Let’s Encrypt supports wild card certificates, I would assume the support for the correct wild card redirect is also “nice to have”.

But thanks for letting us know on the forum the problem persists at the moment :slight_smile:


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.