Certbot certificate not working even though it is valid - apache

I'm using certbot to set up an ssl certificate on a domain (mydigitalbalance.com). I am changing the domain from a previous staging domain that I was using in order to do testing. In order to make sure there were no conflicts, I followed certbot's apache2 instructions and completely deleted all previous certificates that were on the server as well as certbot itself.
I re-installed certbot following the instructions, added two certificates for the naked domain and for www, and re-started apache.
However as you can see if you go to the URL, it is still showing as an insecure website.
I wanted to take a closer look at the certificate so in chrome I clicked on "Not Secure" in the url bar, and clicked on Certificate.
It says on the first dropdown that the certificate is invalid:
However, when you click into the certificate itself, it correctly says it's a valid cert and that it is not expired and was issued by Let's Encrypt:
What is happening here? How do I fix it?
I completely commented out all the default .conf information on my setup, and the only conf is for mydigitalbalance.com, here is my mydigitalbalance.conf:
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName mydigitalbalance.com
ServerAlias www.mydigitalbalance.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.mydigitalbalance.com [OR]
RewriteCond %{SERVER_NAME} =mydigitalbalance.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
and here is the mydigitalbalance-le-ssl.conf that was automatically generated when I restarted apache:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName mydigitalbalance.com
ServerAlias www.mydigitalbalance.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.mydigitalbalance.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydigitalbalance.com/privkey.pem
</VirtualHost>
</IfModule>
Is this a propagation issue?

Related

Keep original URL after redirection by domain provider

Goal
fharrell.com/* is redirected by the domain provider to hbiostat.org/blog/*. I want to keep the address bar showing fharrell.com/*
Apache2 Setup
/etc/apache2/apache2.conf is standard with the following exception:
<Directory /home/ubuntu/htdocs/>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
/etc/apache2/sites-enabled/hbiostat.org.conf is symbolically linked from /etc/apache2/sites-available/hbiostat.org.conf
hbiostat.org.conf sets the document root as /home/ubuntu/htdocs which has been working well for some time
Contents of hbiostat.org.conf:
<VirtualHost *:443>
ServerAdmin my@email.address
DocumentRoot /home/ubuntu/htdocs
ServerName hbiostat.org
ServerAlias www.hbiostat.org
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /home/ubuntu/htdocs>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /home/ubuntu/htdocs/blog>
RewriteEngine on
RewriteBase /
RewriteRule ^hbiostat\.org/blog$ fharrell.com [R]
</Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/hbiostat.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hbiostat.org/privkey.pem
</VirtualHost>
<VirtualHost *:80>
ServerName hbiostat.org
ServerAlias www.hbiostat.org
DocumentRoot /home/ubuntu/htdocs
<Directory /home/ubuntu/htdocs/blog>
RewriteEngine on
RewriteBase /
RewriteRule ^hbiostat\.org/blog$ fharrell.com [R]
</Directory>
</VirtualHost>
Syntax was checked using sudo apachectl -t.
I checked that mod_rewrite is active using sudo a2enmod rewrite and restarted the server with sudo systemctl restart apache2
But this has no effect, with hbiostat.org/blog/* remaining in the address bar.
Tried:
Many remedies on stackoverflow.com (including the two below) and elsewhere, including putting the commands into an .htaccess file (I'd like to avoid the .htaccess approach).
Any help appreciated.
Redirect domain but keep original url
Redirect subfolder URL but keep original domain name
You can't make the browser display a different domain after a 30x redirect.
mod_rewrite doesn't do what you're thinking it does.

My subdomain keeps redirecting to my main domain

I am sure this must have been asked multiple times already, I researched it for like a day but still couldn't figure it out.
I have a domain - domain.com and now I want to add a subdomain - test.domain.com for it. I have created a virtual host file and DNS A record - test.domain.com pointing to my server IP. But then whenever I try to access my test.domain.com, it keeps redirecting to domain.com. My Apache2 virtual host files are configured as follows:
domain.com.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/domain.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.domain.com [OR]
RewriteCond %{SERVER_NAME} =domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<Directory "/var/www/domain.com">
AllowOverride All
</Directory>
domain.com-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/domain.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName domain.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.domain.com
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>
</IfModule>
test.domain.com.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/test.domain.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.test.domain.com [OR]
RewriteCond %{SERVER_NAME} =test.domain.com
RewriteRule ^ http://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<Directory "/var/www/test.domain.com">
AllowOverride All
</Directory>
I have enabled the conf files with the command a2ensite and restarted apache (and desperately my server droplet) multiple times already but still couldn't get it to work. I am running on Ubuntu 16.04.6.
Any advice would be much appreciated. Thank you very much in advance!
A minimalistic example would be along these lines:
<VirtualHost *:80>
DocumentRoot /var/www/test.example.com
ServerName test.example.com
ServerAlias www.test.example.com
</VirtualHost>
In this example you declare a virtualhost for test.example.com and also www.test.example.com.
Note that I am using example.com here instead of domain.com because of posting restrictions active on this website.
The RewriteRule directives in your subdomain don't seem to be right, at least syntactically. They may be causing the redirection problem.
So I would remove them and take care of redirects later. Start with a simple configuration, validate it and expand with more rules later.
Hint: you could use curl (from the command line on your server if not available on your PC) to test like this: curl -L --head "http://example.com".
Test the main domain name, then subdomain in both http and https. There is an option in Curl to ignore SSL/TLS errors if you encounter any.
See what happens and pay attention to the redirects if any (status code 301/302).
I prefer to use Curl for testing because the browser cache can play tricks on you.
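The curl check suggested in this answer, turned into a filter that prints one line per hop and flags redirects that leave the requested host or repeat. This is an added example, not part of the original answer; the sample headers are constructed and the function names are hypothetical.

```shell
# Constructed sample of `curl -sIL http://test.example.com/` (response headers only).
CURL_SAMPLE='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Server: Apache

HTTP/1.1 200 OK
Content-Type: text/html'

# One line per response: "<status> <Location or ->". Strips the CRs curl passes through.
redirect_chain() {
    awk '{ sub(/\r$/, "") }
         /^HTTP\// {
             if (code != "") print code, (loc == "" ? "-" : loc)
             code = $2; loc = ""
         }
         tolower($1) == "location:" { loc = $2 }
         END { if (code != "") print code, (loc == "" ? "-" : loc) }'
}

# From redirect_chain output, print "<status> <host>" for hops that leave host $1.
off_host_hops() {
    awk -v want="$1" '$2 ~ /^https?:\/\// {
             split($2, part, "/")
             if (tolower(part[3]) != tolower(want)) print $1, part[3]
         }'
}

# From redirect_chain output, print each Location that occurs more than once (a loop).
looping_targets() {
    awk '$2 != "-" && seen[$2]++ == 1 { print $2 }'
}

# Demo on the constructed sample: the subdomain is sent to the main domain.
printf '%s\n' "$CURL_SAMPLE" | redirect_chain | off_host_hops test.example.com
```

Against a live server the input would be `curl -sIL http://test.example.com/ | redirect_chain`.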

Why is Apache serving a new certificate and an expired one?

Due to the fact that this is a sensitive client project, all uses of the domain name I'm talking about have been replaced with "example.com".
I am managing a public website whose Let's Encrypt certificate expired recently. So I followed the DigitalOcean tutorial here and used certbot-auto renew to renew the certificate (yes, I ran sudo service apache2 reload afterwards). It worked, but the problem is that the site now serves both the new certificate and the expired one, and it seems like a random selection happens. Sometimes the site is trusted by the browser because it receives the new one, other times the browser rejects the expired certificate. Even running the site through the SSL Labs analyzer gives an A grade sometimes and a failure other times.
What could possibly be causing both certificates to continue to be used when my configuration explicitly includes only the new one? I'm very confused.
Running certbot-auto renew right now gives this result:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted
Apache's sites-enabled directory looks like this:
000-default.conf 000-default-le-ssl.conf
And the configuration for each are as follows:
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName example.com
</VirtualHost>
</IfModule>
I was able to solve the issue by calling sudo service apache2 stop to stop apache, and then running ps aux | grep apache. I discovered that there were multiple instances of apache running. So I killed them and started apache up again, and everything is now working.
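A check for the condition described in this post, more than one Apache instance running at once, that separates master processes from their workers instead of eyeballing a process list. This is an added example, not part of the original post; the `ps` output is constructed, and the process name `apache2` (Debian/Ubuntu) and the function names are assumptions.

```shell
# Constructed `ps -eo pid,ppid,comm` output: two separate apache2 process trees.
PS_SAMPLE='  PID  PPID COMMAND
    1     0 systemd
  812     1 apache2
  901   812 apache2
  902   812 apache2
 4410     1 apache2
 4415  4410 apache2
 5120     1 sshd'

# Print "<master_pid> <worker_count>" for every apache2 whose parent is not apache2.
apache_masters() {
    awk 'NR > 1 { comm[$1] = $3; parent[$1] = $2 }
         END {
             for (pid in comm) {
                 if (comm[pid] != "apache2") continue
                 p = parent[pid]
                 if ((p in comm) && comm[p] == "apache2") workers[p]++
                 else masters[pid] = 1
             }
             for (pid in masters) print pid, workers[pid] + 0
         }' | sort -n
}

# Succeeds only when exactly one apache2 tree is present in the ps output on stdin.
single_apache_tree() {
    n=$(apache_masters | awk 'END { print NR }')
    [ "$n" -eq 1 ]
}

# Demo on the constructed sample: two masters means an extra instance is running.
if printf '%s\n' "$PS_SAMPLE" | single_apache_tree; then
    echo "one apache2 tree"
else
    echo "multiple apache2 masters:"
    printf '%s\n' "$PS_SAMPLE" | apache_masters
fi
```

On a live host the input would be `ps -eo pid,ppid,comm | apache_masters`.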

Apache / Letsencrypt - redirecting to https not working on subdomains

I have a Ubuntu 16.04 VPS. I use Letsencrypt for my ssl certificates, when creating or creating a certificate, they ask if you want easy or secure access. Secure means it will redirect to https no matter what.
This works on the homepage, but it doesn't work on the subdomains. I am not redirected to https, and I just see my index.html, which is just the Apache default page.
So how do I fix this?
My Virtualhost:
<VirtualHost *:80>
ServerName school.luukwuijster.eu
Redirect / https://school.luukwuijster.eu
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/school.luukwuijster.eu/public/
<Directory /var/www/html/school.luukwuijster.eu/public/>
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =school.luukwuijster.eu
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
le-ssl:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName school.luukwuijster.eu
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/school.luukwuijster.eu/public/
<Directory /var/www/html/school.luukwuijster.eu/public/>
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =school.luukwuijster.eu
# Some rewrite rules in this file were were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
SSLCertificateFile /etc/letsencrypt/live/luukwuijster.eu-0003/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/luukwuijster.eu-0003/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
For some reason it's just not redirecting.
When I go to http://luukwuijster.eu I am redirected to https://luukwuijster.eu
So that works fine, but when I go to http://school.luukwuijster.eu I am not redirected and get to see the same page as on https://luukwuijster.eu
Of course when I go to https://school.luukwuijster.eu I am not redirected, but I do see the right page.
How do I solve this problem?
Try to change line 3 from Redirect / https://school.luukwuijster.eu to RedirectPermanent / https://school.luukwuijster.eu/.
BTW currently your SSL cert is only valid for api.luukwuijster.eu. You should add school.luukwuijster.eu and all other domains you want to secure to your letsencrypt config.
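The mismatch pointed out in this answer, a vhost name that the served certificate does not list, can be checked mechanically by comparing ServerName/ServerAlias against the certificate's subject alternative names. This is an added example, not part of the original answer; the config excerpt is constructed from the question, and the function names are hypothetical.

```shell
# Constructed input: the HTTPS vhost from the question, reduced to the lines that matter.
VHOST_CONF='<VirtualHost *:443>
ServerName school.luukwuijster.eu
SSLCertificateFile /etc/letsencrypt/live/luukwuijster.eu-0003/fullchain.pem
</VirtualHost>'

# Names a vhost answers for: ServerName plus every ServerAlias entry, lower-cased.
vhost_names() {
    awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) print tolower($i)
         }' | sort -u
}

# Succeeds if certificate name $2 (exact, or "*.suffix") covers host $1.
san_covers() {
    case "$2" in
        \*.*)
            # A wildcard stands for exactly one left-most label.
            rest=${1#*.}
            [ "$rest" != "$1" ] && [ "$rest" = "${2#\*.}" ] ;;
        *)
            [ "$1" = "$2" ] ;;
    esac
}

# Reads a vhost config on stdin; prints every name that none of the SANs in "$@" covers.
# On a live host the SAN list comes from:
#   openssl x509 -in fullchain.pem -noout -ext subjectAltName
uncovered_names() {
    vhost_names | while read -r host; do
        covered=no
        for san in "$@"; do
            if san_covers "$host" "$san"; then covered=yes; break; fi
        done
        [ "$covered" = yes ] || echo "$host"
    done
}

# The answer reports the served certificate as valid only for api.luukwuijster.eu.
printf '%s\n' "$VHOST_CONF" | uncovered_names api.luukwuijster.eu
```

Any name this prints will produce a browser name-mismatch warning even though the certificate itself is unexpired and correctly issued.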

Apache: SSL certificate not working with www, how to remove?

I'm trying to set up our VPS with a newly installed SSL certificate. The certificate is for only domain.com, not www.domain.com. So when a user visits https://www.domain.com they now get an "insecure page" warning - which I of course don't want to have. I want to redirect the user to https://domain.com, but I keep getting stuck in infinite loops all the time.
Here's my virtual host file:
<VirtualHost *:80>
ServerAdmin my@email.com
ServerName domain.com
ServerAlias domain.com
Redirect permanent / https://domain.com/
DocumentRoot /var/www/domain.com/
<Directory /var/www/domain.com/>
AllowOverride ALL
</Directory>
ErrorLog /var/www/logs/domain.com/error.log
CustomLog /var/www/logs/domain.com/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin my@email.com
ServerName domain.com
ServerAlias domain.com
DocumentRoot /var/www/domain.com/
<Directory /var/www/domain.com/>
AllowOverride ALL
</Directory>
ErrorLog /var/www/logs/domain.com/error.log
CustomLog /var/www/logs/domain.com/access.log combined
SSLEngine on
SSLProtocol all
SSLCertificateFile /etc/ssl/mycert.crt
SSLCertificateKeyFile /etc/ssl/mykey.key
SSLCACertificateFile /etc/ssl/myca.crt
</VirtualHost>
I'm a beginner at this, and I can't seem to find a solution besides buying a wildcard certificate which I really cannot afford.
Thank you very much in advance!
You might need to redirect all your www URL calls to non-www. Try the following rewrite rules in your .htaccess:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com [nocase]
RewriteRule ^(.*) http://example.com/$1 [last,redirect=301]
Replace example.com with your domain name and make sure to put this in the .htaccess at the document root of your website.