<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName orin.app
    ServerAlias www.orin.app *.orin.app
    DocumentRoot /var/www/html
    <Directory /var/www/html/>
        Options Indexes FollowSymLinks Multiviews
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/orin.app/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/orin.app/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.orin.app [OR]
    RewriteCond %{SERVER_NAME} =orin.app
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Oop there it is. That's the culprit.
There may be more to that “culpriticity”…
Like where does it turn SSL on?
Globally?
Any idea how I can fix it?
Start by removing those 3 lines from the HTTP (*:80) section.
Not particularly important, but the rewrite statement only covers two names (www.orin.app & orin.app), while the block also includes the wildcard alias ("*.orin.app").
So, if you try to connect to this site via any other name, it will not redirect to HTTPS; it will actually connect such requests to the DocumentRoot ("/var/www/html/") folder.
To cover all possible names that have reached that site, don’t try to list them at all.
Just rewrite anything that isn’t HTTPS to HTTPS.
For that, you can change/replace:
RewriteCond %{SERVER_NAME} =www.orin.app [OR]
RewriteCond %{SERVER_NAME} =orin.app
to/with:
RewriteCond %{HTTPS} !=on
After those (or any) changes, restart Apache.
Then we can have another look at the output of:
apachectl -S
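As an added example (not from the thread), the Python below models just enough of mod_rewrite's RewriteCond semantics to run both condition sets quoted above against a few constructed requests, including a host that only matches the *.orin.app alias and an http-01 style challenge path. It assumes %{SERVER_NAME} equals the requested Host (UseCanonicalName Off) and that only the '=' / '!=' lexical operators and the [OR] flag are in play.

```python
"""Added example (not from the thread): a minimal model of mod_rewrite's RewriteCond
semantics, enough to compare the two :80 redirect variants quoted above. Assumptions:
%{SERVER_NAME} equals the requested Host (UseCanonicalName Off), %{HTTPS} is "on" only
on TLS connections, and only the '=' / '!=' lexical operators and [OR] are modelled."""
import re
COND_RE = re.compile(r"RewriteCond\s+%\{(\w+)\}\s+(!?=)(\S+)(?:\s+\[(\w+)\])?")

# The two condition sets quoted in the thread.
ORIGINAL = """RewriteCond %{SERVER_NAME} =www.orin.app [OR]
RewriteCond %{SERVER_NAME} =orin.app"""
REPLACEMENT = "RewriteCond %{HTTPS} !=on"

# Constructed requests: (Host, over TLS?, REQUEST_URI).
REQUESTS = [
    ("www.orin.app", False, "/index.html"),
    ("shop.orin.app", False, "/"),            # reaches the vhost only via *.orin.app
    ("orin.app", False, "/.well-known/acme-challenge/TOKEN"),  # http-01 style path
    ("orin.app", True, "/"),                  # already TLS: must not redirect again
]

def parse_conds(config):
    """Return [(variable, operator, value, has_OR_flag)] for each RewriteCond line."""
    return [(var, op, val, flag == "OR")
            for var, op, val, flag in (m.groups() for m in COND_RE.finditer(config))]

def conds_match(conds, variables):
    """Conditions AND together; [OR] joins a condition with the next one, so
    'C1 [OR]', 'C2', 'C3' evaluates as (C1 or C2) and C3."""
    groups, current = [], []
    for var, op, val, or_flag in conds:
        current.append((variables[var] == val) == (op == "="))
        if not or_flag:
            groups.append(any(current))
            current = []
    if current:                               # dangling [OR] on the last condition
        groups.append(any(current))
    return all(groups)

def redirect_target(config, host, https, uri):
    """Location the RewriteRule would send, or None if DocumentRoot serves the request."""
    variables = {"SERVER_NAME": host, "HTTPS": "on" if https else "off"}
    if conds_match(parse_conds(config), variables):
        return f"https://{host}{uri}"         # https://%{SERVER_NAME}%{REQUEST_URI}
    return None

if __name__ == "__main__":
    for host, https, uri in REQUESTS:
        url = f"{'https' if https else 'http'}://{host}{uri}"
        print(f"{url:<55} original -> {redirect_target(ORIGINAL, host, https, uri)}")
        print(f"{'':<55} replacement -> {redirect_target(REPLACEMENT, host, https, uri)}")
```

The shop.orin.app request is the case the name-based conditions let fall through to DocumentRoot, while the %{HTTPS} condition redirects every plain-HTTP request and leaves TLS requests alone.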
I did the changes but now I got another error, which is:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. orin.app (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://orin.app/.well-known/acme-challenge/mu4H_90OhA8E-52G5-9vjsqr3H2y1WTzYdfNx8a9daU [209.97.178.67]: "<html class=\"no-js\" lang=\"EN\" class=\"entering\">\n <head>\n <meta charset=\"utf-8\">\n <meta http-equiv=\"x-ua-compati"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: orin.app
Type: unauthorized
Detail: Invalid response from
https://orin.app/.well-known/acme-challenge/mu4H_90OhA8E-52G5-9vjsqr3H2y1WTzYdfNx8a9daU
[209.97.178.67]: "<html class=\"no-js\" lang=\"EN\"
class=\"entering\">\n <head>\n <meta charset=\"utf-8\">\n
<meta http-equiv=\"x-ua-compati"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Also, this is how apachectl -S looks now:
VirtualHost configuration:
*:443 orin.app (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 orin.app (/etc/apache2/sites-enabled/000-default.conf:4)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
This:
Does NOT match this:
sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf
sudo cat /etc/apache2/sites-enabled/000-default.conf
sudo vim /etc/apache2/sites-enabled/000-default-le-ssl.conf
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName orin.app
        ServerAlias www.orin.app
        ServerAlias *.orin.app
        DocumentRoot /var/www/html
        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/orin.app/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/orin.app/privkey.pem
    </VirtualHost>
</IfModule>
sudo vim /etc/apache2/sites-enabled/000-default.conf
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName orin.app
    ServerAlias www.orin.app *.orin.app
    DocumentRoot /var/www/html
    <Directory /var/www/html/>
        Options Indexes FollowSymLinks Multiviews
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Something doesn’t add up.
The aliases are not being shown in the apachectl -S output.
[I’ve never seen that happen before]
I would hope not. The first is from apachectl -S, while the second is from /etc/apache2/sites-enabled/000-default.conf.
The first shows:
*:80 orin.app (/etc/apache2/sites-enabled/000-default.conf:4)
The second, from /etc/apache2/sites-enabled/000-default.conf, shows:
ServerName orin.app ServerAlias www.orin.app *.orin.app
That looks like the same file to me - but NOT the same/expected output.
I'm not understanding the mismatch you're seeing.
apachectl -S
->
*:80 orin.app (/etc/apache2/sites-enabled/000-default.conf:4)
/etc/apache2/sites-enabled/000-default.conf
->
ServerName orin.app
Are you thinking that the aliases should appear too?
the aliases should appear too
Don't they always?
Honestly, I’m not sure. I’ll check into it.
I almost want to duplicate the sections
leaving them identical except one as:
ServerName orin.app
the other as:
ServerName www.orin.app
and a third if needed as:
ServerName *.orin.app
[but implementing that third one requires proper ordering, as the wildcard will match the other two, so it cannot come before them or they will never be used]
And then see what this says:
apachectl -S