Works for one domain, not the other

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: compata.com

I ran this command: # certbot --apache

It produced this output:

```
certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: compata.com
2: www.compata.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for compata.com
http-01 challenge for www.compata.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Enabling site /etc/httpd/conf/httpd-le-ssl.conf by adding Include to root configuration
Created an SSL vhost at /etc/httpd/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf
Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf

Congratulations! You have successfully enabled https://compata.com and
https://www.compata.com

Subscribe to the EFF mailing list (email: dave@compata.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/compata.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/compata.com/privkey.pem
   Your cert will expire on 2020-12-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew all of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
```

My web server is (include version): Apache (httpd-2.4.46-1.fc32.x86_64)

The operating system my web server runs on is (include version): Fedora 32 x86_64

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.7.0

Further details:

Redirects are in place in Apache from both compata.com and www.compata.com to https://www.compata.com. Redirects do not always seem to work so that http://compata.com may return an unencrypted page.

Access to https://compata.com via Firefox reports:
www.compata.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.

1 Like

Welcome to the Let’s Encrypt Community :slightly_smiling_face:

Let’s see what we can do for you… :thinking:

It appears to me that these three:

http://compata.com
https://compata.com
http://www.compata.com

Redirect to:
https://www.compata.com

Which is then serving a self-signed certificate.

I definitely see that you have acquired a correct certificate today, so DO NOT try to acquire another new certificate. We just need to get your configuration to be functional.

https://crt.sh/?id=3370267575

Redirects are intentional. But the only certificate I have is the one just installed by certbot.

1 Like

Your redirects are great. No problem there. :slightly_smiling_face:

Your server is currently serving the default (self-signed) certificate instead of your new one. Have you tried restarting apache after acquiring your new certificate? certbot is supposed to do this for you, but try it anyhow.

Interesting… I can now see your new certificate being served, but your content now appears to be unreachable.

This ONLY happens if I’m redirected from:
http://compata.com
https://compata.com

to:
https://www.compata.com

But not if I directly visit:
https://www.compata.com

Yes, I’m working on it. I found the localhost.crt. After I removed the references, Apache fails to start.

1 Like

So certbot --apache both acquires AND "installs" your certificate, meaning that it makes changes to your configuration. I'm in the midst of drafting a certbot handbook to make this process more distinct and clear. If your configuration has a certain amount of "complexity", certbot tends to break your configuration. If you didn't change things too much, you can use the following to rollback the most recent changes it made:

certbot rollback --cert-name compata.com

Odds are that you might have multiple and/or combined vhosts.

The trail:

Thanks for the quick responses. Rollback seems to have worked but my redirects are still present. I’ll need to remove them to get things back to working (I hope). For now, I have to go away a little while.

1 Like

No worries. I need to run too. There’s almost always someone around here within an hour or two that can help with these sorts of things. We have a very dedicated community. You can really help us out by posting the relevant configuration files when you get stuck with three backticks (`) on a single line above and below the contents of each file. This formats the contents to be much more readable. Putting a label at the top of each to indicate the file helps too.

Like this:

“httpd -S”
three backticks
output
three backticks

“/etc/httpd/conf/httpd.conf”
three backticks
contents
three backticks

“/etc/httpd/conf/httpd-le-ssl.conf”
three backticks
contents
three backticks

I don't see any redirects now.
But since you rolled back the configs, there is no valid cert for HTTPS.
It is now using the "default" self-signed cert.

The next step should be (as @griffen suggested) showing the output of:
[whichever works - you may need to include sudo to get it to work properly]

apachectl -S
or
httpd -S

1 Like

@rg305

I’m just happy the rollback reverted the configuration damage. :slightly_smiling_face: At least he should still have the new certificate stored even though it’s not currently being served. I still get valid redirects (all to https://www). Maybe mine are cached?

Definitely cached:

```
curl -Iki http://compata.com/
HTTP/1.1 200 OK
Date: Sat, 12 Sep 2020 04:35:14 GMT
Server: Apache/2.4.46 (Fedora) OpenSSL/1.1.1g
Last-Modified: Mon, 24 Feb 2020 22:28:04 GMT
ETag: "6bb-59f59e27a45f1"
Accept-Ranges: bytes
Content-Length: 1723
Content-Type: text/html; charset=UTF-8

curl -Iki http://www.compata.com/
HTTP/1.1 200 OK
Date: Sat, 12 Sep 2020 04:35:21 GMT
Server: Apache/2.4.46 (Fedora) OpenSSL/1.1.1g
Last-Modified: Mon, 24 Feb 2020 22:28:04 GMT
ETag: "6bb-59f59e27a45f1"
Accept-Ranges: bytes
Content-Length: 1723
Content-Type: text/html; charset=UTF-8

curl -Iki https://www.compata.com/
HTTP/1.1 200 OK
Date: Sat, 12 Sep 2020 04:35:35 GMT
Server: Apache/2.4.46 (Fedora) OpenSSL/1.1.1g
Last-Modified: Mon, 24 Feb 2020 22:28:04 GMT
ETag: "6bb-59f59e27a45f1"
Accept-Ranges: bytes
Content-Length: 1723
Content-Type: text/html; charset=UTF-8

curl -Iki https://compata.com/
HTTP/1.1 200 OK
Date: Sat, 12 Sep 2020 04:37:29 GMT
Server: Apache/2.4.46 (Fedora) OpenSSL/1.1.1g
Last-Modified: Mon, 24 Feb 2020 22:28:04 GMT
ETag: "6bb-59f59e27a45f1"
Accept-Ranges: bytes
Content-Length: 1723
Content-Type: text/html; charset=UTF-8
```
1 Like

All show 200 - no 301 nor 302

1 Like

Cleared my cache. I concur fully @rg305. I see same content on all now.

lol
curl has no cache

1 Like

Thanks for all the clues. It is back to half working. https://compata.com seems to respond correctly but https://www.compata.com does not. But the first should redirect to the second but isn’t right now. If that was working, neither URL would work correctly. Here’s some file information.

"httpd -S"

```
[Sat Sep 12 14:03:56.257516 2020] [core:trace3] [pid 211965:tid 211965] core.c(3388): Setting LogLevel for all modules to trace5
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server compata.com (/etc/httpd/conf/httpd.conf:358)
         port 80 namevhost compata.com (/etc/httpd/conf/httpd.conf:358)
         port 80 namevhost www.compata.com (/etc/httpd/conf/httpd.conf:363)
*:443                  is a NameVirtualHost
         default server www.compata.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.compata.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost compata.com (/etc/httpd/conf/httpd-le-ssl.conf:10)
                 alias www.compata.com
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
```

"/etc/httpd/conf/httpd.conf"

```
ServerRoot "/etc/httpd"

Listen 80

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

ServerName www.compata.com:80

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

DirectoryIndex index.html

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel trace5

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

<IfModule logio_module>
    # You need to enable mod_logio.c to use %I and %O
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here.  Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common

#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined

#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar

#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL.  You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.

#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client.  The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig /etc/mime.types

#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi

# For type maps (negotiated resources):
#AddHandler type-map var

#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

AddDefaultCharset UTF-8

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
MIMEMagicFile conf/magic

EnableSendfile on

IncludeOptional conf.d/*.conf

<VirtualHost *:80>
    ServerName compata.com
    Redirect permanent / https://www.compata.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.compata.com
    Redirect permanent / https://www.compata.com/
</VirtualHost>

Include /etc/httpd/conf/httpd-le-ssl.conf
```

"/etc/httpd/conf/httpd-le-ssl.conf"

```
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName compata.com
    ServerAlias www.compata.com
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/compata.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/compata.com/privkey.pem
    BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  </VirtualHost>
</IfModule>
```
```
         port 443 namevhost www.compata.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost compata.com (/etc/httpd/conf/httpd-le-ssl.conf:10)
                 alias www.compata.com
```

The same FQDN (www) appears in both of those files - that is not good.

Let’s have a look at this file:
/etc/httpd/conf.d/ssl.conf

[please use three backticks " ``` " above and below your posted file outputs]

"/etc/httpd/conf.d/ssl.conf"

```
Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost _default_:443>

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLHonorCipherOrder on

SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
```
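An added example (not from the thread or from certbot) that replays Apache's name-based virtual host selection over the port-443 part of the `httpd -S` output posted above, with the certificate paths taken from the two posted config files: it shows why www.compata.com is answered by the ssl.conf vhost with localhost.crt while compata.com gets the Let's Encrypt chain, and what changes once the ssl.conf vhost is taken out of play. The parser and the `disabled_files` switch are this example's own constructs, not Apache or certbot functionality.

```python
import re
from fnmatch import fnmatch

# Constructed from the port-443 part of the `httpd -S` dump posted in this thread.
HTTPD_S = """\
*:443                  is a NameVirtualHost
         default server www.compata.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.compata.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost compata.com (/etc/httpd/conf/httpd-le-ssl.conf:10)
                 alias www.compata.com
"""

# SSLCertificateFile each file's <VirtualHost> points at, from the posted configs.
CERT_BY_FILE = {
    "/etc/httpd/conf.d/ssl.conf": "/etc/pki/tls/certs/localhost.crt",
    "/etc/httpd/conf/httpd-le-ssl.conf": "/etc/letsencrypt/live/compata.com/fullchain.pem",
}

def parse_vhosts(dump):
    """Return {port: [vhost, ...]} in configuration order (= Apache's priority)."""
    vhosts, port = {}, None
    for line in dump.splitlines():
        if m := re.match(r"\*:(\d+)\s+is a NameVirtualHost", line):
            port = int(m.group(1))
            vhosts[port] = []
        elif m := re.match(r"\s+port \d+ namevhost (\S+) \((\S+):\d+\)", line):
            vhosts[port].append({"name": m.group(1), "aliases": [], "file": m.group(2)})
        elif m := re.match(r"\s+alias (\S+)", line):
            vhosts[port][-1]["aliases"].append(m.group(1))
    return vhosts

def select_vhost(candidates, host):
    """Apache's name-based rule: the first vhost whose ServerName or ServerAlias
    matches the requested name (SNI / Host header) wins; if none matches, the
    first vhost listed for that address:port is used."""
    host = host.lower()
    for vh in candidates:
        if host == vh["name"].lower() or any(fnmatch(host, a.lower()) for a in vh["aliases"]):
            return vh
    return candidates[0]

def cert_served(dump, host, port=443, disabled_files=()):
    """Certificate file a TLS client sending `host` in SNI would be shown.
    `disabled_files` simulates removing that file's <VirtualHost> (the fix)."""
    candidates = [vh for vh in parse_vhosts(dump)[port] if vh["file"] not in disabled_files]
    return CERT_BY_FILE[select_vhost(candidates, host)["file"]]

if __name__ == "__main__":
    for fix in ((), ("/etc/httpd/conf.d/ssl.conf",)):
        print("with ssl.conf vhost disabled:" if fix else "as posted:")
        for host in ("compata.com", "www.compata.com", "other.example"):
            print(f"  {host:16} -> {cert_served(HTTPD_S, host, disabled_files=fix)}")
```

Running it prints the self-signed localhost.crt for www.compata.com (and for any unmatched name, since the ssl.conf vhost is also the default) and the Let's Encrypt chain for compata.com, which is exactly the "works for one domain, not the other" symptom; with the ssl.conf vhost disabled, every name lands on the Let's Encrypt vhost.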