Unable to set the redirect enhancement - wordpress multisite / apache 2.4.55 multiple virtual hosts / ubuntu 5.15.0-88-generic

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alive-drumming.org (main) and epatterns.com.au (subsidiary)

I ran this command: sudo certbot -v --apache -d alive-drumming.org

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/alive-drumming.org-0002.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/wordpress-le-ssl.conf
Successfully deployed certificate for alive-drumming.org to /etc/apache2/sites-enabled/wordpress-le-ssl.conf
Enabled Apache rewrite module
Failed redirect for alive-drumming.org
Unable to set the redirect enhancement for alive-drumming.org.

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name alive-drumming.org-0002

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache 2.4.55 multiple virtual hosts

The operating system my web server runs on is (include version): ubuntu 5.15.0-88-generic

My hosting provider, if applicable, is: No hosting provider - I have full control over own hardware and OS.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot --version
certbot 2.1.0

BACKGROUND - I am in the process of completing the move of this WordPress multisite from a Google Cloud Platform-hosted Linux installation to this ubuntu platform (2022-04). I have not got it working yet on the new platform. I have followed online tutorials, How To Secure Apache with Let's Encrypt on Ubuntu 22.04 | DigitalOcean. I have needed to upgrade ubuntu and PHP to be equal to or more recent than the legacy GCP installation. I have installed phpmyadmin and phpinfo.php to test the webserver outside of wordpress, with some success. I believe these letsencrypt certs are the root of the wordpress problem which has the client timing out. I have set 'debug' level diags on apache and wordpress. I do very much appreciate any help anyone can give. Very happy to share any and all config / diags. THX.

Output from sslscan, run from another computer on the local network (remote does not give any output):
Version: 2.1.1
OpenSSL 3.1.3 19 Sep 2023

Connected to 192.168.0.205

Testing SSL server 192.168.0.205 on port 443 using SNI name 192.168.0.205

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 enabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253

Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.3 112 bits ffdhe2048
TLSv1.3 128 bits ffdhe3072
TLSv1.3 150 bits ffdhe4096
TLSv1.3 175 bits ffdhe6144
TLSv1.3 192 bits ffdhe8192
TLSv1.2 128 bits secp256r1 (NIST P-256)

SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
ECC Curve Name: prime256v1
ECC Key Strength: 128

Subject: alive-drumming.org
Altnames: DNS:alive-drumming.org
Issuer: R3

Not valid before: Nov 1 18:48:28 2023 GMT
Not valid after: Jan 30 18:48:27 2024 GMT

Hi @mattharg, and welcome to the LE community forum :slight_smile:

This is usually an indication that something has gone wrong:

What shows?:

certbot certificates

This is an indication to check that the web service hasn't allowed misconfigurations into the mix:

When making changes and when encountering trouble with Apache one should always verify that no name:port overlap exists.
The output of this command should make that apparent:

sudo apachectl -t -D DUMP_VHOSTS

2 Likes
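As an added example (not from the thread or from Certbot/Apache themselves), here is a small POSIX shell function that reads the text printed by `sudo apachectl -t -D DUMP_VHOSTS` and reports the two conditions this thread turns on: a name:port overlap (the same name served by two VirtualHost blocks on one port) and an HTTPS name with no matching :80 vhost, which is the situation behind certbot's "Unable to find corresponding HTTP vhost" message. It assumes the two DUMP_VHOSTS layouts shown in the constructed samples (one vhost per port, and the "is a NameVirtualHost" list); the sample dumps are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the text that
#   sudo apachectl -t -D DUMP_VHOSTS
# prints, for the two problems this thread circles around:
#   1. the same name:port served by two <VirtualHost> blocks (an overlap), and
#   2. a name with a :443 vhost but no :80 vhost, which is what certbot's
#      "Unable to find corresponding HTTP vhost" message complains about.
# Assumes the two DUMP_VHOSTS layouts shown in the samples below. Reads the dump
# on stdin, prints one finding per line, exits 0 when clean and 1 otherwise.

check_vhosts() {
    awk '
    function record(n, p) { seen[n ":" p]++; names[n] = 1 }
    # "*:443  alive-drumming.org (/etc/...conf:2)"  or  "*:443  is a NameVirtualHost"
    $1 ~ /^[^ ]+:[0-9]+$/ {
        port = $1; sub(/^.*:/, "", port)
        if ($2 != "is") record($2, port)
        next
    }
    # inside a NameVirtualHost list: "port 443 namevhost name (file:line)" and
    # "alias name"; the "default server" line repeats the first namevhost, so it is skipped
    $1 == "port" && $3 == "namevhost" { port = $2; record($4, port); next }
    $1 == "alias"                     { record($2, port); next }
    END {
        rc = 0
        for (key in seen)
            if (seen[key] > 1) { printf "OVERLAP: %s is defined %d times\n", key, seen[key]; rc = 1 }
        for (n in names)
            if ((n ":443") in seen && !((n ":80") in seen)) {
                printf "NO-HTTP-VHOST: %s has a :443 vhost but no :80 vhost\n", n; rc = 1
            }
        exit rc
    }'
}

# Constructed sample 1: the shape of the dump posted in this thread (clean).
SAMPLE_CLEAN='*:443                  alive-drumming.org (/etc/apache2/sites-enabled/wordpress-le-ssl.conf:2)
*:80                   alive-drumming.org (/etc/apache2/sites-enabled/wordpress.conf:1)'

# Constructed sample 2: one name served twice on :443 and two HTTPS-only names.
SAMPLE_BAD='*:443                  is a NameVirtualHost
         default server a.example (/etc/apache2/sites-enabled/a.conf:2)
         port 443 namevhost a.example (/etc/apache2/sites-enabled/a.conf:2)
                 alias www.a.example
         port 443 namevhost a.example (/etc/apache2/sites-enabled/old-copy.conf:2)
         port 443 namevhost b.example (/etc/apache2/sites-enabled/b.conf:2)
*:80                   a.example (/etc/apache2/sites-enabled/a-http.conf:1)'

demo() {
    echo "== clean sample =="
    printf '%s\n' "$SAMPLE_CLEAN" | check_vhosts && echo "no findings"
    echo "== bad sample =="
    printf '%s\n' "$SAMPLE_BAD" | check_vhosts || echo "exit status $?"
}

demo
```

On a live box the usage is simply `sudo apachectl -t -D DUMP_VHOSTS | check_vhosts`. Because the check keys on exact names, a hostname that only appears as a ServerAlias on the :443 block but not on the :80 block (as with the epatterns.com.au aliases in the config posted later in this thread) is reported, which is the kind of asymmetry certbot's installer cannot resolve on its own.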

Thanks.
I received

*:443 alive-drumming.org (/etc/apache2/sites-enabled/wordpress-le-ssl.conf:2)
*:80  alive-drumming.org (/etc/apache2/sites-enabled/wordpress.conf:1)

Also,

cat /etc/apache2/sites-enabled/wordpress-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

ServerName alive-drumming.org
ServerAlias www.alive-drumming.org
##  BANG ##  Redirect permanent / https://alive-drumming.org

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog ${APACHE_LOG_DIR}/access.log combined


Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias epatterns.com.au

 <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php8.0-fpm.sock|fcgi://localhost"
 </FilesMatch>


ServerAlias www.epatterns.com.au
SSLCertificateFile /etc/letsencrypt/live/alive-drumming.org-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/alive-drumming.org-0002/privkey.pem
</VirtualHost>
</IfModule>

And

cat /etc/apache2/sites-enabled/wordpress.conf

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

ServerName alive-drumming.org
ServerAlias www.alive-drumming.org
### BANG ##   Redirect permanent / https://alive-drumming.org

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog ${APACHE_LOG_DIR}/access.log combined

 <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php8.0-fpm.sock|fcgi://localhost"
 </FilesMatch>

</VirtualHost>

That is a good start!

  • no name:port overlaps :heavy_check_mark:
3 Likes

Was that intentional?

3 Likes

I seem to remember that the reason for the

### BANG ##   Redirect permanent / https://alive-drumming.org

is that I had to take that line out to make things work on the legacy system.

Yes, I think so. The wordpress site for alive-drumming.org is a multi-site that also serves epatterns.com.au.

1 Like

"legacy" as in:
Systems that are unable to connect via HTTPS?

2 Likes

No, I have just been migrating this from another Linux on Google Cloud Platform to this new system. I had it working on the old (legacy) one, but have been unable to get it going on the new one. I started with a lot of the config and changed only where needed.

You might be able to get them to connect by modifying/replacing the settings in:

3 Likes

Sure, that would be great.

Current config is ...


/etc/letsencrypt/options-ssl-apache.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
1 Like

Just checked the legacy system and it has exactly the same /etc/letsencrypt/options-ssl-apache.conf, so I'm not sure what I should be changing there.

I notice it has "SSLEngine on", and the results of the sslscan had SSL disabled and only some TLS enabled:

SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

OK, so I tried changing /etc/letsencrypt/options-ssl-apache.conf so that

SSLEngine off
and
sudo apachectl restart

But that hasn't helped, and when I tried sslscan I then got:

SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

So, I've changed it back again ..... :blush:

That is going in the wrong direction.
Always keep that on.

The issue with slightly older clients [that can do TLSv1.2] is likely:

  • the ciphers used [all have GCM]
    you may need to add some "lower" ciphers

The issue with much older clients [that can't do TLSv1.2] is likely [both]:

  • the ciphers used [all have GCM]
    you may need to add some "lower" ciphers
  • TLSv1.0 may have to be enabled to get them to connect
2 Likes
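To make the points in the last few replies checkable rather than eyeballed, here is an added example (not from the thread, Certbot or mod_ssl) of a shell lint for a file laid out like /etc/letsencrypt/options-ssl-apache.conf. It reports whether SSLEngine is "on" (with it off nothing on :443 speaks TLS at all, which is exactly what the second sslscan showed), which protocol versions the SSLProtocol line leaves enabled, and how many of the SSLCipherSuite entries are AEAD (GCM/CHACHA20) suites versus anything else. It assumes mod_ssl's directive names and its "all -X -Y" / "-all +X" SSLProtocol syntax; the sample file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: lint the SSL directives in a file laid out
# like /etc/letsencrypt/options-ssl-apache.conf. Reports SSLEngine state, the
# protocol versions left enabled by SSLProtocol, and the AEAD vs non-AEAD split
# of the SSLCipherSuite list. Usage: lint_ssl_conf /path/to/options-ssl-apache.conf

lint_ssl_conf() {
    awk '
    $1 == "SSLEngine"      { engine = $2 }
    $1 == "SSLProtocol"    { for (i = 2; i <= NF; i++) proto[$i] = 1 }
    $1 == "SSLCipherSuite" { ciphers = $2 }
    END {
        if (engine == "") engine = "unset"
        print "SSLEngine " engine
        if (engine != "on") print "FINDING SSLEngine is not on: nothing will be served over TLS"

        enabled = ""
        if ("all" in proto) {
            # "all -SSLv3 -TLSv1 ...": everything except the explicitly removed versions
            for (p in proto) if (p ~ /^-/) off[substr(p, 2)] = 1
            n = split("TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in off)) enabled = enabled " " want[i]
        } else {
            # "-all +TLSv1.2 +TLSv1.3": only the explicitly added versions
            for (p in proto) if (p ~ /^\+?TLS/) { q = p; sub(/^\+/, "", q); enabled = enabled " " q }
        }
        print "Protocols enabled:" enabled
        if (enabled ~ /TLSv1( |$)/ || enabled ~ /TLSv1\.1/) print "FINDING legacy TLSv1.0/1.1 enabled"

        # AEAD suites (GCM or CHACHA20-POLY1305) versus everything else (CBC etc.)
        aead = 0; other = 0
        m = split(ciphers, c, ":")
        for (i = 1; i <= m; i++) { if (c[i] ~ /GCM|CHACHA20/) aead++; else other++ }
        print "Ciphers: " aead " AEAD (GCM/CHACHA20), " other " non-AEAD (e.g. CBC)"
        if (other == 0) print "NOTE only AEAD suites are offered; a client without GCM/CHACHA20 support cannot connect"
    }' "$1"
}

# Constructed sample: the shape of the Mozilla "intermediate" fragment used by Certbot.
SAMPLE_CONF='SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder     off'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    lint_ssl_conf "$tmp"
    rm -f "$tmp"
}

demo
```

Run it against the real file before and after any edit to the cipher or protocol lines: the "Protocols enabled" line should keep matching what sslscan reports from another host, and a "FINDING" line for SSLEngine is the quickest explanation when every protocol suddenly shows as disabled.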
