Unable to prevent redirect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vdap.org

I ran this command: certbot --apache

It produced this output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.

My web server is (include version): CentOS 7

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.35.1

I was able to get the certificate installed easily and my website on port 80 works great without all the security warnings. However, I have other web servers running on different ports, and now all HTTP redirects to HTTPS, so those other sites on other ports do not work. I removed non-ssl.conf and restarted httpd but everything still redirects to HTTPS, even for ports that are not 80. How can I stop all the redirection? (Or at least the redirection of those not on port 80.)

It appears this is being caused by HSTS. Once a site has been accessed via https, any subsequent attempt to access the site via http, even if not on port 80, is redirected by the browser to https. I was able to disable this on the server side by commenting out this line in ssl.conf:
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"

But once it’s set in browser I think it’s too late, and it either has to be deleted manually or let expire (after a long while).

Send a header with max-age=0; includeSubdomains and it will get turned off in clients that visit your HTTPS page again.

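The mechanism in the two posts above (a cached HSTS policy making the browser upgrade every http:// URL for the host, whatever the port, and a max-age=0 header clearing it) as a runnable model. This is an added example, not code from the original thread, from Certbot or from Apache; it reuses the thread's domain and the two header values quoted above, while the clock, the extra ports and the visit sequence are constructed for the demonstration.

```python
"""Model of the browser-side HSTS behaviour discussed in this thread.

Added example, not code from the original thread, Certbot or Apache. The
header values are the ones quoted in the thread; hosts, ports and the clock
are constructed for the demonstration.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Directive names are case-insensitive, so the thread's "includeSubdomains"
    spelling is accepted. Returns None when there is no usable max-age, which
    RFC 6797 says a browser must treat as "no policy in this response".
    """
    if header is None:
        return None
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Minimal model of the per-host HSTS store a browser keeps."""

    def __init__(self, now):
        self.now = now      # callable returning the current time in seconds
        self.policies = {}  # host -> (expiry, include_subdomains)

    def observe(self, host, header):
        """Apply an STS header the browser received from `host` over HTTPS.

        A missing header changes nothing: the cached policy stays until it
        expires, which is why commenting the line out of ssl.conf is not enough
        for clients that already saw it.
        """
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 forgets the host
        else:
            self.policies[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if an unexpired policy covers `host` directly or via includeSubDomains."""
        for known, (expiry, include_sub) in list(self.policies.items()):
            if expiry <= self.now():
                del self.policies[known]
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually request (RFC 6797 section 8.3)."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname):
            return url
        # HSTS is keyed on the host, not the port: only an explicit :80 becomes
        # :443; any other explicit port is preserved, so http://host:8080 turns
        # into https://host:8080, which is exactly what breaks non-TLS services.
        if p.port is None:
            netloc = p.hostname
        elif p.port == 80:
            netloc = f"{p.hostname}:443"
        else:
            netloc = f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def demo():
    """Walk through the sequence of events reported in the thread."""
    clock = [0]
    cache = HstsCache(now=lambda: clock[0])
    steps = {}
    # 1. First HTTPS visit: ssl.conf still sends the two-year policy.
    cache.observe("vdap.org", "max-age=63072000; includeSubdomains")
    steps["port80"] = cache.rewrite("http://vdap.org/")
    steps["port80_explicit"] = cache.rewrite("http://vdap.org:80/")
    steps["port8080"] = cache.rewrite("http://vdap.org:8080/")
    steps["subdomain"] = cache.rewrite("http://www.vdap.org:8080/")
    # 2. Header commented out, HTTPS visited again: nothing changes.
    cache.observe("vdap.org", None)
    steps["after_removal"] = cache.rewrite("http://vdap.org:8080/")
    # 3. max-age=0 sent on the next HTTPS visit: the policy is dropped.
    cache.observe("vdap.org", "max-age=0; includeSubdomains")
    steps["after_zero"] = cache.rewrite("http://vdap.org:8080/")
    # 4. Alternative: never send max-age=0, just wait out the original max-age.
    cache.observe("vdap.org", "max-age=63072000; includeSubdomains")
    clock[0] = 63072000 + 1
    steps["after_expiry"] = cache.rewrite("http://vdap.org:8080/")
    return steps


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name:16} -> {url}")
```

Running it prints one line per step; steps 1 and 2 show the :8080 and www URLs still being upgraded after the header is gone from the config, step 3 shows the max-age=0 response clearing the entry, and step 4 shows the only other way out, waiting for the original max-age to lapse. To confirm what the server is currently sending, fetch the HTTPS response headers (for example with curl -sI) and look for Strict-Transport-Security; a client that never revisits the HTTPS site keeps whatever policy it last saw until that policy expires.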

Ah, just what I needed to know. Thanks!

Hi @dnorgaard

Do you have a sample port?

If that happens, one reason: Duplicated vHosts. But with different ports, it's a little bit curious.

And now you are sending the max-age=0 header. But there is a redirect http + non-www -> https + non-www.

And there is a difficult configuration:

A Info: Different Server-Headers found

Your non-www has a

Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.30

your www only a

Server: Apache


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.