Should this RewriteCond be in 000-default.conf?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: celebritymc.com

I ran this command: nano default.conf

It produced this output: Shows Rewrite Engine data as below..

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): ubuntu 20.04 Zorin 16.2

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I have still not resolved the problem of not being able to use 443 on celebritymc.com because the router is using it as https, although I may have an answer soon.

Looking through the files in the sites-available folder, I see this text at the end of the 000-default.conf file and was wondering whether it should be there, as it is not the ssl conf version.

```
RewriteEngine off
RewriteCond %{SERVER_NAME} =celebritymc.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
```

In that same sites-available folder I have several other domains which I have still not applied for ssl certs yet.
000-default.conf
000-default-le-ssl.conf
celebritymc.conf
celebritymc-ssl.conf
default-ssl.conf
johnnyokeefe.conf
ozrockshop.conf
ozstar.conf

Thank you

"Should this RewriteCond be in 000-default.conf?"

Well, that depends on a couple of things.

Is that file in use?
[you show files from the /sites-available/ folder - but the ones in use are in the /sites-enabled/ folder]

Does that file serve the name "celebritymc.com"?
[ensure there are no overlaps on that name in the config]

What about the "www" name?

If the router is using port 443, then redirecting anything to 443 is not going to work.
Until then, you need to stay on HTTP [port 80] OR redirect to HTTPS on some other port [not 443].

5 Likes

Well, still trying to get my ssl happening.

Added successfully 8443 to the port forward IP but now would like to know what .conf files do I have to change from 443 to 8443 for celebritymc which is the only certificate I have so far.

Thank you.

Maybe some help:

```
apachectl -S
VirtualHost configuration:
*:8443                 is a NameVirtualHost
         default server celebritymc.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 8443 namevhost celebritymc.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 8443 namevhost localhost (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server localhost (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost localhost (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost celebritymc.com (/etc/apache2/sites-enabled/celebritymc-ssl.conf:1)
                 alias www.celebritymc.com
         port 80 namevhost celebritymc.com (/etc/apache2/sites-enabled/celebritymc.conf:1)
                 alias www.celebritymc.com
         port 80 namevhost johnnyokeefe.com (/etc/apache2/sites-enabled/johnnyokeefe.conf:1)
                 alias www.johnnyokeefe.com
         port 80 namevhost ozrockshop.com (/etc/apache2/sites-enabled/ozrockshop.conf:1)
                 alias www.ozrockshop.com
         port 80 namevhost ozstar.com (/etc/apache2/sites-enabled/ozstar.conf:1)
                 alias www.ozstar.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error-ozstar.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

Let's have a look at this file:

4 Likes

We should look at these two config files as well.

6 Likes

000-default-le-ssl.conf

```
<IfModule mod_ssl.c>
<VirtualHost *:8443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf


ServerName celebritymc.com
SSLCertificateFile /etc/letsencrypt/live/celebritymc.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/celebritymc.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

celebritymc-ssl.conf

```
<VirtualHost *:80>

ServerName celebritymc.com
ServerAlias www.celebritymc.com

ServerAdmin webmaster@sydneybiz.com
DocumentRoot /var/www/celebritymc

<Directory />
   Options FollowSymLinks
   AllowOverride None
   Require all denied
</Directory>

<Directory /usr/share>
   AllowOverride None
   Require all granted
</Directory>

<Directory /var/www/celebritymc>
     Options Indexes FollowSymLinks
     AllowOverride None
     Require all granted
</Directory>
</VirtualHost>
```

celebritymc.conf

```
<VirtualHost *:80>

ServerName celebritymc.com
ServerAlias www.celebritymc.com
ServerAdmin webmaster@sydneybiz.com
DocumentRoot /var/www/celebritymc

<Directory />
   Options FollowSymLinks
   AllowOverride None
   Require all denied
</Directory>

<Directory /usr/share>
   AllowOverride None
   Require all granted
</Directory>

<Directory /var/www/celebritymc>
     Options Indexes FollowSymLinks
     AllowOverride None
     Require all granted
</Directory>
</VirtualHost>

ErrorLog  ${APACHE_LOG_DIR}/error-celebritymc.log
CustomLog ${APACHE_LOG_DIR}/access-celebritymc.log combined
```

These look like duplicates of each other except celebritymc.conf has two lines configuring log files. Some info was lost due to formatting when you posted but you should remove the one you don't want. It is bad practice to have duplicate VirtualHosts for the same domain name and port.

/etc/apache2/sites-enabled/celebritymc-ssl.conf
/etc/apache2/sites-enabled/celebritymc.conf

When posting Apache config files it is best to add 3 backticks before and after the data like:
```
config file contents
```

As for your 8443 VirtualHost, I don't see anything wrong with the Apache VirtualHost except I cannot reach it from my own test server. You probably still have something wrong in your NAT or port assignment somewhere.

6 Likes

corrected :wink:

```
curl -Ii https://www.celebritymc.com:8443/
curl: (7) Failed to connect to www.celebritymc.com port 8443: No route to host
```
6 Likes

Many thanks for the help and sorry for the lack of ...'s
Live and learn they say :slight_smile:
Does it matter which one of those I delete?
If I delete the non-ssl one, can I still access that site through http, not https?
Will check on that router again too.
Thank you again.

1 Like

Both are HTTP.
They overlap each other - same names - same port [80].
You only need one of those two last files shown.

6 Likes
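Putting the two points above together (a single port-80 vhost for the name instead of the two overlapping ones, and a redirect that targets HTTPS on 8443 rather than the router-owned 443), here is one way the celebritymc.com pair could be laid out. This is an added example, not a file from the thread or certbot's own output; it assumes the certificate paths and DocumentRoot shown earlier in the thread, that ports.conf already carries `Listen 8443` (the apachectl -S output shows *:8443 as a NameVirtualHost), and that mod_rewrite is enabled.

```apache
# Added example, not a file posted in the thread: one port-80 vhost plus the
# 8443 TLS vhost. Assumes "Listen 8443" in ports.conf, "a2enmod rewrite", and
# the certbot paths shown earlier. Debian's apache2.conf already grants access
# to /var/www/, so no per-vhost <Directory> blocks are repeated here.

<VirtualHost *:80>
    ServerName celebritymc.com
    ServerAlias www.celebritymc.com
    ServerAdmin webmaster@sydneybiz.com
    DocumentRoot /var/www/celebritymc

    # Log directives belong inside the vhost, not after </VirtualHost>,
    # otherwise they apply to the main server rather than this site.
    ErrorLog  ${APACHE_LOG_DIR}/error-celebritymc.log
    CustomLog ${APACHE_LOG_DIR}/access-celebritymc.log combined

    # Redirect to HTTPS on 8443. The explicit ":8443" is the only difference
    # from the certbot default rule, which sends every client to 443, the port
    # the router is holding. Keep these commented until
    # "curl -I https://celebritymc.com:8443/" succeeds from outside the LAN,
    # or every visitor is sent to a port nothing answers on.
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =celebritymc.com [OR]
    #RewriteCond %{SERVER_NAME} =www.celebritymc.com
    #RewriteRule ^ https://%{SERVER_NAME}:8443%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:8443>
    ServerName celebritymc.com
    # Keep the alias only if the issued certificate also covers the www name.
    ServerAlias www.celebritymc.com
    ServerAdmin webmaster@sydneybiz.com
    # Same DocumentRoot as the HTTP vhost; the posted 8443 vhost used /var/www,
    # so HTTP and HTTPS would have served different content.
    DocumentRoot /var/www/celebritymc

    ErrorLog  ${APACHE_LOG_DIR}/error-celebritymc.log
    CustomLog ${APACHE_LOG_DIR}/access-celebritymc.log combined

    SSLCertificateFile /etc/letsencrypt/live/celebritymc.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/celebritymc.com/privkey.pem
    # Supplies SSLEngine on plus the protocol and cipher settings certbot maintains.
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

After editing, `apachectl configtest` followed by `apachectl -S` should show exactly one `namevhost celebritymc.com` entry on port 80 and one on port 8443.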

Thank you

2 Likes

Looking at the port forwarding of the router does this look correct please?

Webserver: 80 inside + outside 192.168.20.83
Webserver ssl: 8443 inside + outside 192.168.20.83

and Access Control which they say overrides Pt Fwding.

HTTP: LAN 80 Enabled - WAN 8888 Not Enabled
HTTPS LAN 443 Enabled - WAN 443 Not Enabled

That seems to be working as intended.

```
curl -Ii celebritymc.com
HTTP/1.1 200 OK
Date: Thu, 29 Dec 2022 01:27:02 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 15 Dec 2022 05:22:09 GMT
ETag: "e0-5efd708e29d0e"
Accept-Ranges: bytes
Content-Length: 224
Vary: Accept-Encoding
Content-Type: text/html
```

That seems to fail :frowning:

```
curl -Ii celebritymc.com:8443
curl: (7) Failed to connect to celebritymc.com port 8443: Connection timed out
```

Only outbound requests... no replies from port 8443:

```
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
01:33:05.535191 IP (tos 0x0, ttl 64, id 59433, offset 0, flags [DF], proto TCP (6), length 60)
    [internal.IP].42980 > 202.153.210.129.8443: Flags [S], cksum 0xa915 (incorrect -> 0xca19), seq 1191941238, win 64240, options [mss 1460,sackOK,TS val 76165411 ecr 0,nop,wscale 7], length 0
01:33:06.550562 IP (tos 0x0, ttl 64, id 59434, offset 0, flags [DF], proto TCP (6), length 60)
    [internal.IP].42980 > 202.153.210.129.8443: Flags [S], cksum 0xa915 (incorrect -> 0xc621), seq 1191941238, win 64240, options [mss 1460,sackOK,TS val 76166427 ecr 0,nop,wscale 7], length 0
01:33:08.566573 IP (tos 0x0, ttl 64, id 59435, offset 0, flags [DF], proto TCP (6), length 60)
    [internal.IP].42980 > 202.153.210.129.8443: Flags [S], cksum 0xa915 (incorrect -> 0xbe41), seq 1191941238, win 64240, options [mss 1460,sackOK,TS val 76168443 ecr 0,nop,wscale 7], length 0
01:33:12.790630 IP (tos 0x0, ttl 64, id 59436, offset 0, flags [DF], proto TCP (6), length 60)
    [internal.IP].42980 > 202.153.210.129.8443: Flags [S], cksum 0xa915 (incorrect -> 0xadc1), seq 1191941238, win 64240, options [mss 1460,sackOK,TS val 76172667 ecr 0,nop,wscale 7], length 0
01:33:20.982552 IP (tos 0x0, ttl 64, id 59437, offset 0, flags [DF], proto TCP (6), length 60)
    [internal.IP].42980 > 202.153.210.129.8443: Flags [S], cksum 0xa915 (incorrect -> 0x8dc1), seq 1191941238, win 64240, options [mss 1460,sackOK,TS val 76180859 ecr 0,nop,wscale 7], length 0
```
4 Likes
