SSL Redirection not Working

I installed Let's Encrypt for my domain using the command sudo certbot --apache and everything appears to be OK. But I later noticed that if I enter the domain name in the browser's address bar without preceding it with https, it opens the default website (the Apache Works default webpage), which is already disabled, instead of the enabled virtual host website. But if the web address is entered in the browser using https, the correct website is loaded. What is wrong and what am I missing?

Below is the content of the sites-enabled conf file

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName hiskingdommanna.com
    ServerAlias www.hiskingdommanna.com
    ServerAdmin admin@hiskingdommanna.com
    DocumentRoot "/var/www/hiskingdommanna.com"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory "/var/www/hiskingdommanna.com">
        AllowOverride All
</Directory>

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/hiskingdommanna.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hiskingdommanna.com/privkey.pem
</VirtualHost>
</IfModule>

And below is the content of /etc/letsencrypt/options-ssl-apache.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY13>
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_>
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

My domain is: hiskingdommanna.com

I ran this command:

It produced this output:

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

The redirection you are missing would be in the VirtualHost for port 80 (http). Can you show that one?

5 Likes

Yes, it is in the sites-available and here's the content

<VirtualHost *:80>
ServerName hiskingdommanna.com
ServerAlias www.hiskingdommanna.com
ServerSignature Off

RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

ErrorLog /var/log/apache2/redirect.error.log
LogLevel warn

<Directory "/var/www/hiskingdommanna.com">
        AllowOverride All
</Directory>


Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/hiskingdommanna.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hiskingdommanna.com/privkey.pem

</VirtualHost>

Am I supposed to enable that one instead of the one for SSL or both? If I enabled both, I get the following error in the browser.

# Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

1 Like

No, only the *:443 VirtualHost should have TLS enabled. Also, the Include, SSLCertificateFile and SSLCertificateKeyFile directives should NOT be present in the *:80 VirtualHost.

To debug this further, please show the output of the following command:

apachectl -t -D DUMP_VHOSTS

3 Likes

I understand your point, but what I can't understand is why the *:80 VirtualHost should matter in this situation. The *:80 VirtualHost file is not the enabled and active VirtualHost, so why should it matter here? The following is the output from running apachectl -t -D DUMP_VHOSTS

AH00526: Syntax error on line 16 of /etc/apache2/sites-enabled/hiskingdommanna-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/hiskingdommanna.com/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

It should be enabled for HTTP to HTTPS redirects as that's its function.

Sorry, I forgot, but did you run it as root or with sudo? If not, please try again as root or with sudo.

3 Likes

No I didn't run it with sudo. This is what I get after running the command with sudo

VirtualHost configuration:
*:443                  hiskingdommanna.com (/etc/apache2/sites-enabled/hiskingdommanna-le-ssl.conf:2)

Are you saying I have to enable the configuration file for the *:80 VirtualHost too? That will make two conf files in the sites-enabled directory.

Yes. Without a functioning HTTP VirtualHost no HTTP redirect to HTTPS.

Correct. I'm missing it from the apachectl output above.

4 Likes

After enabling the *:80 redirect VirtualHost and running the apachectl command again, I got the output below. It should also be noted that I have made the changes you recommended above to the *:80 virtual host file.

VirtualHost configuration:
*:443                  hiskingdommanna.com (/etc/apache2/sites-enabled/hiskingdommanna-le-ssl.conf:2)
*:80                   hiskingdommanna.com (/etc/apache2/sites-enabled/le-redirect-hiskingdommanna.com.conf:1)

I can see there's an HTTP to HTTPS redirect now 🙂

1 Like

Yes. The redirection is working now after also enabling the redirect virtual host and removing the Include, SSLCertificateFile and SSLCertificateKeyFile directives from the *:80 redirect virtual host. Thank you for your time and support.

5 Likes
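
Added example (not written by any poster in this thread and not Certbot's own code): a shell function that reads the vhost files in sites-enabled and flags the two faults found above, a ServerName served on *:443 with no *:80 vhost enabled, and TLS directives inside a *:80 block. The function name `audit_vhosts`, its output labels and the sample file are assumptions made for illustration; ServerAlias names and multi-address `<VirtualHost>` lines are not handled.

```shell
#!/bin/sh
# Added example: audit enabled Apache vhost files for the two faults in this thread.
# audit_vhosts, its labels and the sample below are illustrative assumptions.
audit_vhosts() {
    awk '
    # Entering a <VirtualHost addr:port> block: remember its port.
    tolower($0) ~ /^[ \t]*<virtualhost[ \t]/ {
        port = $0
        sub(/>.*/, "", port)      # drop the closing bracket
        sub(/.*:/, "", port)      # keep the text after the last colon
        next
    }
    tolower($0) ~ /^[ \t]*<\/virtualhost>/ { port = ""; next }
    port == "" || /^[ \t]*#/ { next }     # outside a vhost, or a comment
    tolower($1) == "servername" { seen[$2, port] = 1; names[$2] = 1 }
    # TLS directives (or the Certbot TLS include) inside a port-80 block
    port == "80" && (tolower($1) ~ /^ssl(engine|certificatefile|certificatekeyfile)$/ ||
        (tolower($1) == "include" && $2 ~ /options-ssl-apache\.conf$/)) {
        printf "TLS_ON_PORT_80 %s:%d %s\n", FILENAME, FNR, $1
        bad = 1
    }
    END {
        # A name with an HTTPS vhost but no HTTP vhost cannot be redirected.
        for (n in names)
            if (((n, "443") in seen) && !((n, "80") in seen)) {
                printf "NO_HTTP_VHOST %s\n", n
                bad = 1
            }
        exit bad + 0
    }' "$@"
}

# Constructed sample: the port-80 file as first posted in the thread, trimmed.
sample_redirect_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
ServerName hiskingdommanna.com
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/hiskingdommanna.com/fullchain.pem
</VirtualHost>
EOF
}

tmp=$(mktemp) && sample_redirect_vhost > "$tmp"
audit_vhosts "$tmp" || true    # reports the Include and SSLCertificateFile lines
rm -f "$tmp"
```

On a server it would be run as `audit_vhosts /etc/apache2/sites-enabled/*.conf`; a non-zero exit status means at least one finding.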
