Automatic Let's Encrypt SSL certificate for wildcard subdomain - Apache

I am using ISPConfig as the hosting panel on my CentOS VPS machine and Cloudflare for DNS management.
I have added the following rewrite rules to my vhost which automatically reroutes sub-folders to sub-domains.
Code:
RewriteEngine On
# Skip the plain www host; the dots are escaped and the pattern anchored
RewriteCond %{HTTP_HOST} !^www\.domain\.com$
# Capture the first label (group 3) of e.g. sub.domain.com or www.sub.domain.com
RewriteCond %{HTTP_HOST} ^(www\.)?(([^\.]+)\.){1}domain\.com$
# Only continue when a build directory with that name exists
RewriteCond /var/www/backoffice.ge/web/build/%3 -d
# The RewriteRule that consumes these conditions was not included in the post
All works fine and perfect on http (*80), but I have a certificate issue on https (*443). Based on my workaround, the issue is in the Let's Encrypt certificate, which is generated for the main domain only (domain.com).
If possible, I want to create a universal wildcard certificate which will automatically work for all subdomains, or create subdomain/directory certificates on the fly via PHP.
I have found some articles about Certbot. But, not sure how to make it work for the above setup.

Found a solution that works perfectly with my ISPConfig setup. I have generated a wildcard certificate and all sub-domains have SSL.
https://bjornjohansen.no/wildcard-certificate-letsencrypt-cloudflare

Related

Why won't my https://domain forward to www?

I have a website for my podcast built with Python / Django that is hosted on Heroku: https://dinpodcast.herokuapp.com/
I have a custom domain parked on GoDaddy, dinpodcast.com, that has a www CNAME directing to my heroku application. This works just fine: https://www.dinpoddcast.com
I wanted dinpodcast.com to redirect to the www website, so I have the following domain forwarding set up on GoDaddy:
This also works great, for the most part. Now, when I enter http://dinpodcast.com, or just dinpodcast.com, both will redirect to https://www.dinpodcast.com.
Here's the problem. When I enter the naked domain WITH HTTPS, so when I enter https://dinpodcast.com into a browser's address bar, I get the following response:
Here's what I THINK is happening. My SSL certificate is provided by Heroku under their Automated Certificate Management program. So, I assume that since I don't have an SSL certificate with GoDaddy, it's timing out trying to find one before it can redirect to my www subdomain. Would this be correct? If so, is there any way around this WITHOUT buying an SSL certificate with GoDaddy? If that's not what's happening, then what is and how do I fix it?
When you created the SSL certificate for your domain, did you include your root domain? I tried using this tool on your root domain and it seems that there is no SSL certificate. However, the subdomain https://dinpodcast.herokuapp.com/ has one. I suggest putting an SSL certificate on every subdomain and root domain that you are using.
I also checked the root domain’s IP address using this tool and checked port 443 using another tool and apparently the port is closed. Double check your firewall and make sure 443 is open.

Issue with Let's Encrypt certificate: https://www.example.com not working with redirection to https://example.com

I have an issue with the certificate that I have generated for a website (dubbed here example.com).
I can type http://www.example.com in the browser and am successfully redirected to https://example.com as I wanted (with a certificate generated by Let's Encrypt). I have done this redirection with Rewrite Rules in Apache2. The redirection to https://example.com also works fine when I type http://example.com.
Now, I am facing an issue when I type https://www.example.com directly in the browser: I get the following error:
To generate let's encrypt certificate, I have executed the following command:
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d example.com --rsa-key-size 4096
I would like to generate a certificate working both for example.com and www.example.com: is the command above with certbot-auto correct for this?
It seems that before my migration from Debian 7 to Debian 10, I had a *.example.com name in the certificate info window of the browser but I am not sure.
How can I type https://www.example.com and be correctly redirected to https://example.com without getting the error illustrated in the figure above?
Update 1
Is a single certificate sufficient for all the redirections to be performed, I mean, in my case, only one certificate for example.com? This was the case on my previous OS; I think I had only a single certificate (for example.com).
I want to have the following redirections:
http://example.com -----> https://example.com
http://www.example.com -----> https://example.com
https://www.example.com -----> https://example.com
except for URLs containing the directory podcast, where I want to stay in HTTP mode.
So, from Ref: Apache redirect www to non-www and HTTP to HTTPS, I did:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]
Do these Rewrite rules seem correct?
Unfortunately, if I type https://www.example.com directly, I am not redirected to https://example.com and the warning window shown in the figure above appears. I don't know what to do.
Update 2
1) Does Let's Encrypt offer the possibility of generating a "wildcard" certificate? I mean of the form *.example.com when we look at the certificate in browsers.
2) Moreover, does anyone know how to write the Apache2 Rewrite rule which redirects https://www.example.com to https://example.com?
To get more information, I am starting a bounty.
At the end of the bounty, I talk about what to do to make a redirection from https://www.example.com to https://example.com (these URLs are masked in the bounty under the same href tag but they are different).
Update 3
I think my issue is not about wildcard certificates since I just want a redirection from https://www.example.com to https://example.com (don't take Update 2 above into account). Surely a simple rewrite rule should be enough. Before my current OS (Debian 10), all my config files, which I am trying to use again now, were running well. In particular, I was using only one certificate generated with the option "-d example.com" (I didn't use a second domain "www.example.com").
I am going to try to modify these rewrite rules to get this redirection without being obliged to generate www.example.com certificate files.
You could try running this minor update to your original certbot-auto command to get your certificate to include the additional www.example.com domain name.
(I believe this is what John Hanley was talking about in his comment on your original question.)
Please note, according to one source (Let's Encrypt community link below), you may have to remove URL rewrite rules if you already have them set up before the certification process will work. (If you run the command and get an error, that might be why.)
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d example.com -d www.example.com --rsa-key-size 4096
References that might be helpful:
Command parameter reference for certbot (man page)
https://certbot.eff.org/docs/man/certbot.html?highlight=bootstrap
Let's Encrypt community discussion of adding a new domain
https://community.letsencrypt.org/t/add-a-domain-using-certbot-auto/33660
Let's Encrypt documentation for updating an existing certificate
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
Note: according to the man page, --renew-by-default implies --expand, which is used in these examples
(--expand just prevents you from having to answer whether you are intentionally updating the existing certificate).
I think your rewrite rule looks mostly fine as it is; as mentioned before, it might need to be removed temporarily to get your certificate generated. And you may need "RewriteEngine On" before those rules:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]
And to the question about wildcard certificates, they are supported but only with the help of additional plugins. See more here:
https://certbot.eff.org/docs/using.html?highlight=wildcard#id14
LetsEncrypt offers wildcard certificates in order to do *.example.com however they can only be issued via DNS-01 level challenges.
You're using HTTP validation, where a specific file is uploaded to prove ownership; however, this is insufficient for proving that you have ownership of an entire domain.
Certbot has limited support for being able to issue wildcard certs automatically, but this may be of use to you if you scroll to the wildcard section. It's limited in terms of which OS + Server + DNS provider that you have. Basically you need to be able to automatically create and modify DNS TXT records with your registrar.
I've found that using the acme.sh project to issue wildcard certs is much more flexible and works with more DNS providers, although it's a bit more of a manual process.
If your main DNS provider for your domain isn't supported, you can look into "alias mode" where you can use a subdomain or other domain on another DNS provider that is supported to act as your proxy-domain for validating that you own your main domain.

Using PointDNS on Heroku to manage SSL and non-www to www redirects

I've been using Heroku to host and manage a website of mine that requires an SSL certificate. For the last year and a half I've been using ZerigoDNS to manage my domain and SSL redirecting (although, redirecting from non-https, non-www to https and www does not work).
I just got a notice from Heroku that they will be shutting down ZerigoDNS soon and they recommend switching to PointDNS. I couldn't find any information in the PointDNS documentation about managing SSL redirects.
Here's what I'm looking to do:
non-www non-https redirects to https and www
non-https redirects to https and www
https but non-www redirects to https and www
The reason everything needs to be forwarded to https and www is that's what the ssl cert was created for (the www is required. I don't have a wildcard certificate).
Does anyone familiar with PointDNS know how to set up the records and redirects properly?
Thanks in advance!
Regarding non-www to www redirects, I just got that to work as follows:
First, you must add both www.your-domain.com and your-domain.com as custom domains.
heroku domains:add andrewpuglionesi.com
heroku domains:add www.andrewpuglionesi.com
I have a CNAME record with name www.my-domain.com.. The text in its data field is my-heroku-domain.herokuapp.com. I also have an alias record with the name my-domain.com., and I made its data field www.my-domain.com. In other words, the alias just points to the CNAME.
I don't know if this is well-advised, but it seems to work (and without sticking www in the user's URL, at that). It simply solves the problem where you can't access pages other than the index without having www there. I like how Heroku's and PointDNS' documentation both say you can easily do redirects and then don't actually explain how to... I guess this is one way.
I've previously been able to force https protocol through the backend of a Django site. I can't remember the exact method I used, but you might be able to do it without the DNS stuff.
First, add both www.your-domain.com and your-domain.com as custom domains under Settings, or run the commands below:
heroku domains:add domainname.com
heroku domains:add www.domainname.com
For redirection, you need to do it via the server, e.g. if you are using Apache you can achieve redirections via the .htaccess file.
Also, you can only redirect non-www to www with the PointDNS redirect option.

ssl certificate for www.mywebsite.com works but not for mywebsite.com

I bought a certificate for my website. Our sysadmin installed it and it works correctly for the domain with www, but if I type it without www the browser shows me a certificate error. I don't suppose that I should buy 2 certificates for this purpose and assume that it is a configuration issue, am I right?
Thanks
There are some ways of protecting both domains with a single SSL certificate, and they are:
Purchasing an SSL certificate from those brands who give such a facility:
SSL brands like RapidSSL and GeoTrust provide the advanced feature of securing the WWW domain name and non-WWW domain name with a single certificate. Within such a process, when the certificate is issued, generate the CSR (code signing request) key for the www domain and in turn it will secure the non-www domain. For example, if the CSR is generated for www.mydomain.com then it will also work for mydomain.com. The browser will show the "http" before both addresses.
Redirecting the non www domain to the www domain:
If you have already purchased an SSL certificate from another brand, then this alternative way is free of cost as it can be achieved at the development level. For this you need to use "301" redirection. "301" is the HTTP response status code for redirecting permanently to another URL location. Suppose you type abc.com; then it should be redirected to www.abc.com. You can then acquire an SSL certificate for the WWW domain.
RewriteEngine on
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
Installing wildcard SSL certificate:
A wildcard SSL certificate provides security to unlimited subdomains if purchased for a single domain. If you purchase a wildcard certificate for yourdomain.com, your www.yourdomain.com will be secured along with every other subdomain of your site.
The redirection option is not that convenient because it requires a thorough change in the coding of the website, whereas purchasing the wildcard certificate is the costliest choice.

Redirect from HTTPS://WWW.DOMAIN without SSL to HTTPS://DOMAIN with SSL

I have ordered an SSL certificate which covers my root domain only and it can be successfully accessed through https://domain.com.
I have created a redirection from all requests from https://www.domain.com to the root domain.
However, when trying to access https://www.domain.com, which was supposed to get redirected to https://domain.com, the browser returns the following warning mentioning a security risk in proceeding with the navigation:
This is probably not the site you are looking for!
You attempted to reach www.domain.com, but instead you actually reached a server identifying itself as domain.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.domain.com.
You should not proceed, especially if you have never seen this warning before for this site.
Is it somehow possible to redirect from www to the root domain using HTTPS without having to order another SSL certificate for www only for redirections?
PS: domain.com is just a placeholder to help illustrate the question.
Unfortunately, SSL certificate negotiation happens before mod_rewrite rules come into effect. Therefore, even before your 301 rule can redirect URIs to the non-www domain, the browser has already received the cert for the non-www domain while still on the www domain. That is the point at which it shows that dreaded warning to the visitor that the cert is invalid.
You have 2 options:
(Recommended) Most of the certs these days allow you to use www with the TLD; check with your provider if this is an option.
Go for wildcard certs (more expensive).
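As an added illustration (not code from any of the posts above) of the point in the last answer, that the certificate hostname check completes before any rewrite rule runs, here is a small Python model: `san_covers` applies the usual wildcard matching rules (a `*` stands for exactly one leftmost label, so `*.example.com` covers `www.example.com` but not the bare apex), `parse_san` reads the DNS names out of an `openssl x509 -noout -ext subjectAltName` line, and `handle_request` applies the www-to-apex rewrite from the earlier question only after the TLS check has passed. The hostnames and SAN lists used are constructed examples.

```python
import re

def parse_san(openssl_line):
    """Extract the DNS names from a subjectAltName line as printed by
    'openssl x509 -noout -ext subjectAltName', for example
    'DNS:example.com, DNS:www.example.com'."""
    return re.findall(r"DNS:([^,\s]+)", openssl_line)

def san_covers(hostname, san_names):
    """Return True if one of the certificate's DNS names matches hostname.
    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label: '*.example.com' covers 'www.example.com' but not
    'example.com' (the apex) and not 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            leftmost = host[: -len(name[1:])]   # the part the '*' must cover
            if leftmost and "." not in leftmost:
                return True
    return False

def handle_request(scheme, host, uri, san_names, apex="example.com"):
    """Model Apache's order of operations for one request. The TLS
    handshake (certificate name check) finishes before mod_rewrite ever
    sees the request, so a cert that does not cover 'host' fails here and
    the redirect below never runs. The rewrite mirrors the rules posted
    above: force https and the apex host, except under /podcast, which is
    served as requested. Returns a (kind, detail) tuple."""
    if scheme == "https" and not san_covers(host, san_names):
        return ("tls_error", "certificate does not cover " + host)
    if (scheme == "http" or host.startswith("www.")) and not uri.startswith("/podcast"):
        return ("redirect", "https://" + apex + uri)
    return ("serve", scheme + "://" + host + uri)

if __name__ == "__main__":
    apex_only = parse_san("DNS:example.com")                      # constructed
    both = parse_san("DNS:example.com, DNS:www.example.com")      # constructed
    print(handle_request("https", "www.example.com", "/", apex_only))
    print(handle_request("https", "www.example.com", "/", both))
    print(handle_request("http", "example.com", "/podcast/ep1", both))
```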