Unable to set enhancement redirect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.erccis-warehouse.org.uk

I ran this command:
$ sudo certbot --apache

It produced this output:
Which names would you like to activate HTTPS for?


1: www.erccis-warehouse.org.uk


Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel): 1

Requesting a certificate for www.erccis-warehouse.org.uk

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/www.erccis-warehouse.org.uk/fullchain.pem

Key is saved at: /etc/letsencrypt/live/www.erccis-warehouse.org.uk/privkey.pem

This certificate expires on 2021-09-10.

These files will be updated when the certificate renews.

Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate

Successfully deployed certificate for www.erccis-warehouse.org.uk to /etc/apache2/sites-enabled/warehouse.conf

Failed redirect for www.erccis-warehouse.org.uk

Unable to set enhancement redirect for www.erccis-warehouse.org.uk

Could not set up redirect enhancement

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:

certbot install --cert-name www.erccis-warehouse.org.uk

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04.2

My hosting provider, if applicable, is: Eco Web Hosting https://www.ecowebhosting.co.uk/

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.16.0

Now that I've done this,
$ apachectl -S
results in:
AH00526: Syntax error on line 8 of /etc/apache2/sites-enabled/warehouse.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.erccis-warehouse.org.uk/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

Have you also tried running the apachectl -S command with sudo? I.e.:

sudo apachectl -S

Although I'm a little bit in doubt if root is the issue here, as the file fullchain.pem should be readable by world, it's privkey.pem which should be shielded from the outside world. Unless something has changed regarding the permissions certbot uses.

Also, the contents of /etc/apache2/sites-enabled/warehouse.conf are probably useful.


Ah - sudo apachectl -S did return the following:

ubuntu@vps-e437efe9:/etc/apache2/sites-available$ sudo apachectl -S
VirtualHost configuration:
*:80                   www.erccis-warehouse.org.uk (/etc/apache2/sites-enabled/warehouse.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I'm not aware of having changed permissions Certbot would be using, it's a fairly fresh Ubuntu VPS.

Here's the contents of warehouse.conf:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName www.erccis-warehouse.org.uk
    DocumentRoot /var/www/warehouse
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.erccis-warehouse.org.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.erccis-warehouse.org.uk/privkey.pem
</VirtualHost>

I note that the 3 lines at the end were added by Certbot when I installed the certificate. Also, /var/www/warehouse is the correct folder which this domain should point to. Thanks for your help.

That doesn't look good at all. You've got SSLCertificateFile directives set up in your HTTP port 80 virtualhost! Your site is in effect not functional right now.

Why would certbot do such a thing? 🤔

Did you edit the configuration file by hand perhaps?


No, I'm fairly sure I didn't edit the warehouse.conf file to add the SSL certificate directives in any way. I'm fairly new to this sort of thing so it's possible I made some other mistake though. Anyway - I've just tried removing the 3 SSL-related lines from warehouse.conf and then run the install certificate command again and this time it has worked, so I'm all good now.

Thanks again for your support.
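
The misconfiguration identified in this thread, certificate directives sitting inside the `*:80` virtual host, can be checked for mechanically before reloading Apache. The following is an added example, not part of any post above and not Certbot's own code; the function name `ssl_on_plain_http`, the treatment of port 80 as the only plain-HTTP port, and the `*:443` layout in the second sample are assumptions.

```python
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
SSL_FILE = re.compile(r"^\s*(SSLCertificate(?:Key)?File)\s+\S+", re.I)
PORT = re.compile(r":(\d+)$")  # trailing port of an address such as '*:80'

def ssl_on_plain_http(conf_text, http_ports=("80",)):
    """List (line_no, vhost, directive) for certificate directives inside a
    <VirtualHost> bound only to plain-HTTP ports (port 80 by assumption)."""
    findings, addrs = [], None
    for no, line in enumerate(conf_text.splitlines(), 1):
        opened = VHOST_OPEN.match(line)
        if opened:
            addrs = opened.group(1).split()
        elif line.strip().lower() == "</virtualhost>":
            addrs = None
        elif addrs and (hit := SSL_FILE.match(line)):
            ports = [PORT.search(a) for a in addrs]
            if all(p and p.group(1) in http_ports for p in ports):
                findings.append((no, " ".join(addrs), hit.group(1)))
    return findings

# Constructed sample: warehouse.conf as posted in the thread.
BROKEN_CONF = """\
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName www.erccis-warehouse.org.uk
    DocumentRoot /var/www/warehouse
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.erccis-warehouse.org.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.erccis-warehouse.org.uk/privkey.pem
</VirtualHost>
"""

# Constructed sample (assumed layout): TLS directives moved to a *:443 vhost.
SPLIT_CONF = """\
<VirtualHost *:80>
    ServerName www.erccis-warehouse.org.uk
</VirtualHost>
<VirtualHost *:443>
    ServerName www.erccis-warehouse.org.uk
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.erccis-warehouse.org.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.erccis-warehouse.org.uk/privkey.pem
</VirtualHost>
"""

if __name__ == "__main__":
    print(ssl_on_plain_http(BROKEN_CONF), ssl_on_plain_http(SPLIT_CONF))
```

On the posted file the check reports lines 8 and 9, the first of which is the line named in the AH00526 error; the split layout produces no findings.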
