I have an issue with the certificate that I have generated for a website (dubbed here example.com).
I can type in browser http://www.example.com and successfully redirected to https://example.com as I wanted (with a certificate generated by let's encrypt). I have done this redirection with Rewrite Rules with Apache2. The redirection to https://example.com also works fine when I type http://example.com.
Now, I am face to an issue when I type directly in browser https://wwww.example.com: I get the following error:
To generate let's encrypt certificate, I have executed the following command:
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d example.com --rsa-key-size 4096
I would like to generate a certificate working both for example.com and www.example.com: is the command above with cerbot-auto correct for this?
It seems that before my migration from Debian 7 to Debian 10, I had a *.example.com name in the certificate info window of the browser but I am not sure.
How to type https://www.example.com and to be correctly redirected to https://example.com without having the error illustrated in the figure above?
Update 1
Is a single certificate sufficient to make all the redirections to be performed, I mean in my case only one certificate example.com? This was the case on my previous OS, I think that I had only a unique certificate (for example.com).
I want to have the following redirections:
http://example.com -----> https://example.com
http://www.example.com -----> https://example.com
https://www.example.com -----> https://example.com
except for URL containing the directory podcast where I want to stay in HTTP mode.
So, from Ref: Apache redirect www to non-www and HTTP to HTTPS, I did:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]
Does these Rewrite rules seem to be correct?
Unfortunately, if I type directly https://www.example.com, I am not redirected to https://example.com and the Warning window figure above appears, I don't know what to do.
Update 2
1) Does Let's Encrypt offer the possibility to generate a "wildcards" certificate ?, I mean under the form *.example.com when we look at the certificate in browsers.
2) Moreover, Does anyone know how to perform with Apache2 Rewrite rules the rule which allows to redirect https://www.example.com to https://example.com.
To get more information, I am starting a bounty.
At the end of the bounty, I talk about what to do to make a redirection from https://www.example.com to https://example.com (these URL are masked into bounty under the same href tag but they are different).
Update 3
I think my issue is not about wildcards certificates since I just want a redirection from https://www.example.com to https://example.com (don't take into account of the UPDATE 2 above. Surely a simple rewrite rule should be enough. Before my current OS (Debian 10), I was running well all my config files that I try to use again now. Especially, I was using only one certificate generated with the option "-d example.com" (I didn't use a second domain "www.example.com").
I am going to try to modify these rewrite rules to get this redirection without being obliged to generate a www.example.com certificate files.
You could try running this minor update to your original certbot-auto command to get your certificate to include the additional www.example.com domain name
(I believe this is what John Hanley was talking about in his comment on your original question)
Please note, according to one source (letsencrypt community link below) you may have to remove URL rewrite rules if you already have them set up, before the certification process will work. (if you run the command and get an error, that might be why)
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d example.com -d www.example.com --rsa-key-size 4096
references that might be helpful:
command paramter reference for certbot (man page)
https://certbot.eff.org/docs/man/certbot.html?highlight=bootstrap
letsencrypt community discussion of adding a new domain
https://community.letsencrypt.org/t/add-a-domain-using-certbot-auto/33660
letsencrypt documentation for updating an existing certificate
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
note, according to the man page, --renew-by-default implies --expand, which is used in these examples
(--expand just prevents you from having to answer whether you are intentionally updating the existing certificate)
I think your rewrite rule looks mostly fine as it is, as mentioned before it might need to be removed temporarily to get you certificate generated. And you may need "RewriteEngine On" before those rules:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]
And to the question about wildcard certificates, they are supported but only with the help of additional plugins. See more here:
https://certbot.eff.org/docs/using.html?highlight=wildcard#id14
LetsEncrypt offers wildcard certificates in order to do *.example.com however they can only be issued via DNS-01 level challenges.
You're using HTTP validation, where a specific file is uploaded to prove ownership, however this is insufficient for proving that you have ownership of an entire domain.
Certbot has limited support for being able to issue wildcard certs automatically, but this may be of use to you if you scroll to the wildcard section. It's limited in terms of which OS + Server + DNS provider that you have. Basically you need to be able to automatically create and modify DNS TXT records with your registrar.
I've found that using the acme.sh project to issue wildcard certs is much more flexible and works with more DNS providers, although it's a bit more of a manual process.
If your main DNS provider for your domain isn't supported, you can look into "alias mode" where you can use a subdomain or other domain on another DNS provider that is supported to act as your proxy-domain for validating that you own your main domain.
Related
I've read plenty of Stackoverflows but I seem to be missing something.
I have a PHP application running on https://subdomain.example.com/page/x but for SEO reasons I want people/bots to see https://example.com/subdomain/page/x.
I can rewrite the URL by using:
RewriteEngine on
RewriteCond %{HTTP_HOST} subdomain.example.com
RewriteRule ^(.*)$ https://example.com/subdomain/$1 [L,NC,QSA]
This rewrite results in: https://example.com/subdomain/page/x, but I keep recieving a 404 error since the "main" domain doesn't know the path /subdomain/page/x of course.
What I want is to have the URL https://example.com/subdomain/page/x but run it on https://subdomain.example.com/ in the background since this is the place where the PHP application is running.
Is this possible? How should I do this?
There is no strong SEO reason not to use subdomains. See Do subdomains help/hurt SEO? I recommend using subdirectories most of the time but subdomains when they are warranted.
One place where subdomains are warranted is when your content is hosted on a separate server in a separate hosting location. While it is technically possible to serve the content from a subdirectory from the separate server, that comes with its own set of SEO problems:
It will be slow.
It will introduce duplicate content.
From a technical standpoint, you would need to use a reverse proxy to on your example.com webserver to fetch content for the /subdomain/ subdirectory from subdomain.example.com. The code for doing so in the .htaccess file of example.com would be something like:
RewriteEngine on
RewriteRule ^subdomain/(.*)$ https://subdomain.example.com/$1 [P]
The [P] flag means "reverse proxy" which will cause the server to fetch the content from the remote subdomain. This will necessarily make it slower for users. So much so that it would be better for SEO to use a subdomain.
For this to work you would also need to leave the subdomain up and running and serving content for the main server to fetch. This causes duplicate content. You could solve this issue by implementing canonical tags pointing to the subdirectory.
This requires several Apache modules to be available. On my Debian based system I needed to run sudo a2enmod ssl proxy rewrite proxy_connect proxy_http and sudo service apache2 reload. I also had to add SSLProxyEngine on in my <VirtualHost> directive for the site I wanted to use this on.
I registered a expired domain to forward all incoming links to another domain. The problem is: many inlinks are placed on subdomains, for example: axa-art.cdn.contento-v41.eu/axa-art/0eee9cec-58cb-45b2-a4e2-b5f73920068e_091216_axa+art_classic+car+study_de_rz.pdf
I am looking for a 301 redirect rule in htaccess that forward any url (no matter on main domain or subdomain) to "new-url.tld"
axa-art.cdn.contento-v41.eu
axa-art.cdn.contento-v41.eu/slug
any-subdomain.contento-v41.eu
any-subdomain.contento-v41.eu/slug
all of this example above should
forward to this exact URL: new-domain.tld
Question 1:
Is it possible to create a "general" rule and place it into htaccess of the main directory?
Question 2:
Or do i have to write a specific rule for each subdomain?
Question 3:
Do I have to create a sub-directory and create a separate htaccess in every sub-directory for each subdomain I want to add redirection-rules?
Help or suggestions are highly appreciated. Thank you very much for your help in advance.
This isn't just a .htaccess question. In order for your server to receive requests to <any-subdomain>.example.com the necessary DNS and server config directives need to be in place. If the request doesn't reach your server then you can't implement a redirect in .htaccess.
So, I suspect that these subdomains are not even resolving?
You either need to create the necessary DNS A records and ServerAlias directives one by one for each hostname (ie. subdomain) or create a "wildcard" DNS A record (and ServerAlias *.example.com directive in the vHost). But then you still have an issue with these hostnames being covered by an SSL cert if you need to redirect from HTTPS.
You can then create the necessary redirect in .htaccess. Although, since you need access to the server config (or a using a control panel that does this for you) to implement the directives above, you should also implement this redirect in the server config also.
For example, at the top of your .htaccess file, before the existing directives (or in your vHost):
RewriteEngine On
RewriteCond %{HTTP_HOST} !^new\.example$
RewriteRule ^ https://new.example%{REQUEST_URI} [R=301,L]
The above states... for any request that is not for new.example then 301 redirect to https://new.example/<same-url>.
However, if you have access to the server config and this other domain is configured in its own vHost container then the redirect can be simplified:
Redirect 301 / https://new.example/
UPDATE#1:
this rule does forward any URL form the main domain to the new domain.
# Permanent URL redirect- by netgrade
RewriteEngine on
RewriteCond %{REQUEST_URI} !https://www.marco-mahling.de/$
RewriteRule $ https://www.marco-mahling.de/ [R=302,L]
The rule I posted above should probably replace your existing rule entirely.
Yes, your rule does redirect every URL to the root of the new domain, but it is arguably incorrect. The RewriteCond directive is superflous and isn't actually doing anything. The REQUEST_URI server variable contains the URL-path, it never contains the scheme + hostname. So, the RewriteCond directive you've posted will always be successful.
If that is the rule you currently have then it would already redirect everything. In which case your problem would seem to the necessary DNS and server config directives as mentioned above.
From your directives, I assume that the other domain actually points to a different server (or different vHost on the same server). Otherwise, this would have resulted in a redirect-loop. In which case, you only need the much simpler Redirect directive that I posted above.
UPDATE#2: That works fine BUT the incoming links are still not forwarded cuz of a "%" in the url: https://axa-art.cdn.contento-v41.eu/axa-art%2F0eee9cec-58cb-45b2-a4e2-b5f73920068e_091216_axa+art_classic+car+study_de_rz.pdf
It's actually because of the %2F - an encoded slash (/) in the URL-path. By default, Apache will reject such URLs with a 404 (for security reasons).
To allow encoded slashes in the URL you would need to set AllowEncodedSlashes On in the server config (or vHost container). You cannot set this in .htaccess. (The server generated 404 occurs before .htaccess is even processed.)
However, I would express caution about enabling this feature. (Is there a specific requirement here? Are you recreating these documents on the new server?)
If this request was intended to map directly to a PDF file on disk then this actually looks like an incorrectly URL encoded request, since a slash / is not a permitted filename character on either Windows or Linux.
If you enable AllowEncodedSlashes then the above RewriteRule will redirect the request to /axa-art/0eee9cec....pdf - note the %-decoded / in the resulting URL. You would need to take additional steps to maintain the URL-encoding (if that was required), but as I say, that looks like a mistake to begin with.
I am using ISPConfig as hosting panel on my Centos VPS Machine and Cloudflare for DNS management.
I have added the following rewrite rules to my vhost which automatically reroutes sub-folders to sub-domains.
Code:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.domain.com
RewriteCond %{HTTP_HOST} ^(www\.)?(([^\.]+)\.){1}domain..com$
RewriteCond /var/www/backoffice.ge/web/build/%3 -d
All works fine and perfect on http (*80), but i have certificate issue on https (*443). Based on my workaround, issue is in Let's Encrypt certificate which is generated for main domain only (domain.com).
If possible, i want to create universal wildcard certificate which will automatically work for all sub domains, or create sub domain/directory certificates on the fly via PHP.
I have found some articles about Certbot. But, not sure how to make it work for the above setup.
Found Solution, works perfectly with my ispconfig setup. i have generated wildcard certificate and all sub-domains have ssl.
https://bjornjohansen.no/wildcard-certificate-letsencrypt-cloudflare
I have two sites in openshift rhc. For the first one I use cloudflare and tk domain by name of www.elasa.ir and set my first site by the name of first.rhcloud.com .
I want to have a sub domain for the first domain similar to dl1.example.com that redirects to the second site in openshift rhc.
I added the dl1.example.com in the secondry site in openshift rhc as a CNAME, and set it to secondery-.rhcloud.com to shope.elasa.ir
and in cloudeflare in setting of example.com.
I added a CNAME record for pointing shope.elasa.ir to secondery-.rhcloud.com
and finally by clicking to dl1.example.com it showing the secondary site, but after another clicking the address-bar change to secondery-.rhcloud.com.
So what i must to do for redirecting the secondery-.rhcloud.com to subdomain (dl1.exmple.com) for all the time:
I added an .htaccess file with this code:
Options +SymLinksIfOwnerMatch
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www\.)?tomatocart-beyhagh.rhcloud\.com$ [NC]
RewriteRule ^(.*)$ "http\:\/\/shope\.elasa\.ir\/$1" [R=301,L]
but I get the following error:
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for
this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.
You can just create a alias domain in OpenShift console and redirect to your subdomain.
Use cloudflare to create your subdomain and setting a CNAME to secondery-.rhcloud.com.
I have Apache and hgwebdir.cgi running fine via HTTPS (with a self-signed certificate), I can view the repositories via a browser and clone it locally. I don't know if it'd have any effect, but I'm rewriting the URLs to make them prettier:
$ cat .htaccess
Options +ExecCGI
RewriteEngine On
RewriteBase /public
RewriteRule ^$ hgwebdir.cgi [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) hgwebdir.cgi/$1 [QSA,L]
However, when I try to run hg push to send the changes back, I get this:
$ hg push
pushing to https://<repository>
searching for changes
http authorization required
realm: Mercurial
user: virtualwolf
password:
remote: ssl required
Apache is set to redirect all requests that are on HTTP to HTTPS. The remote server is running CentOS, with Apache 2.2.3 and Mercurial 1.3.1 (both installed via yum).
I've done a bunch of searching on this problem, the closest I've come to an answer is this but it's referring to NGINX not Apache.
Thanks!
You can resolve this problem by running hg server like this (no push ssl):
hg serve --config web.push_ssl=No --config "web.allow_push=*"
So it turns out the problem was the same as described here. It wasn't anything directly to do with Mercurial, but was oddness on Apache's end.
I had to copy the SSLEngine On and associated SSLProtocol, SSLCipherSuite, SSLCertificateFile, and SSLCertificateKeyFile directives from my separate "Enable SSL" Apache configuration file to my Mercurial virtual host file, even though everything else was working quite happily via HTTPS.
Add this lines to your central repository where you want to push
[web]
push_ssl=False
allow_push=*
Needless to say, this is rather unsafe, but if you’re on a nice protected LAN at work and there’s a good firewall and you trust everybody on your LAN, this is reasonably OK.