I have a different use case than what I’ve been able to find in the guides (Digital Ocean). I’m not really literate in Linux but I can follow directions. Getting Let’s Encrypt working on 1 computer works great, but my actual use case is not working. Here’s what I need to do:
Host various domains from my house.
I have one Linux computer with Apache set up to host 3 domains
My house can only have 1 IP address (one modem)
Are there any guides that let me use the Let’s Encrypt scripts to make certs for 2+ domains, on one machine, both at the same IP address?
Indeed. I just reviewed the Ubuntu install instructions and it has come quite a long way since I originally used it. Got multiple domains going just fine. The only remaining issue is that the http --> https redirect isn’t working.
Here is one file… stellar7.ml.conf
The other domains have similar configuration files under /etc/apache2/sites-available.
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin admin@stellar7.ml
ServerName stellar7.ml
ServerAlias www.stellar7.ml
DocumentRoot /var/www/stellar7.ml/public_html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =stellar7.ml
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Although Let’s Encrypt is strictly about SSL/security, in my opinion using REWRITE rules should be discouraged if REDIRECT is an option. Take a look at these two pages (Apache documentation): https://cwiki.apache.org/confluence/display/HTTPD/RedirectSSL https://cwiki.apache.org/confluence/display/HTTPD/RewriteHTTPToHTTPS
The second page clearly states that “Using mod_rewrite to do this [redirect from HTTP to HTTPS] isn’t the recommended behavior.” A similar thing is hinted at in the last paragraph of the ‘Simple Redirection’ link you provided.
The reason we use mod_rewrite is because we want to be able to only add redirects for the specific domains that we enabled HTTPS for. If your HTTP vhost is being used for other domains that aren’t in the certificate, redirecting them to HTTPS will cause an error.
In your first example, http://example2.com will redirect to https://example1.com. This will not cause an error and if you’re OK with the domain change, this works just fine.
In your 2nd example, http://example2.com will not be redirected to HTTPS which is also not an error.
The reason Certbot uses mod_rewrite is to avoid both changing the domain users visit and doing something like redirecting from http://example2.com to https://example2.com, which would cause an error if example2.com doesn’t have HTTPS set up.
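To make the two behaviours Brad contrasts concrete, here is an added example (not configuration from this thread or from Certbot itself) of a shared port-80 vhost on one IP address where only stellar7.ml and www.stellar7.ml are assumed to have a certificate and example2.com is assumed to have none; the certificate paths are the standard Certbot locations and are an assumption.

```apache
# Added example, not from the thread. Three names share one IP and one port-80
# vhost; only stellar7.ml and www.stellar7.ml are assumed to be in the
# certificate, example2.com is assumed to have no HTTPS vhost yet.
<VirtualHost *:80>
    ServerName stellar7.ml
    ServerAlias www.stellar7.ml example2.com
    DocumentRoot /var/www/stellar7.ml/public_html

    # Option A, the "Simple Redirection" approach: one blanket redirect.
    # Every request on this vhost, including http://example2.com/, is sent
    # to https://stellar7.ml/. No certificate error, but example2.com
    # visitors end up on a different domain.
    #Redirect permanent / https://stellar7.ml/

    # Option B, what Certbot's rewrite achieves: redirect only the names
    # that are in the certificate and keep the hostname the client asked
    # for. A request for example2.com matches neither condition, so it
    # falls through and is served over plain HTTP instead of being sent to
    # https://example2.com/, where the TLS handshake would fail.
    # Note the [OR]: without it a request for www.stellar7.ml would not
    # match the single "=stellar7.ml" condition and would not be redirected.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =stellar7.ml [OR]
    RewriteCond %{SERVER_NAME} =www.stellar7.ml
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# The HTTPS side exists only for the names covered by the certificate.
<VirtualHost *:443>
    ServerName stellar7.ml
    ServerAlias www.stellar7.ml
    DocumentRoot /var/www/stellar7.ml/public_html
    SSLEngine on
    # Assumed default Certbot paths for this certificate.
    SSLCertificateFile /etc/letsencrypt/live/stellar7.ml/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/stellar7.ml/privkey.pem
</VirtualHost>
```

After editing, run `apachectl configtest` and reload, then check each name with `curl -I -H 'Host: www.stellar7.ml' http://<your-server>/`: the covered names should answer 301 with an https Location header, while example2.com should answer 200 with no redirect.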
Thank you Brad. I have both of those cases in my httpd.conf file, and also don’t see any problems. So, we are on the same page here.
However, I still don’t see what is the case that you are trying to describe. I guess, an example of pre-certbot vhosts and SSL requests would help me, as my knowledge is rather limited here.
As far as I can tell, if there are two TLDs involved, the two cases (sans Redirect statements) that I provided cover all possible vhost situations. Of course, on top of that you need to lay the SSL request. However, from what you are describing, I gather that due to some potential issues with certbot code not having enough information or not having proper logic, against Apache’s recommendation certbot is pushing REWRITE statements for all possible cases. And one of the manifestations of that is this exact thread, where UFONinja is confused (like a lot of others), and a convoluted solution is being pushed on him. Although, this is another issue (the first being certbot producing REWRITE, the second being still pushing REWRITE in this community),
Don’t get me wrong, I don’t have a bone in this discussion, as I need to do manual updates, and modified my httpd.conf/ssl.conf manually. I am also really grateful for what Let’s Encrypt provides.