1. What I want to do:
I have a domain example.me, and a sub-domain test.example.me which is hosted on my Windows Server. It's running Apache with PHP 5.6.
I want to install an SSL certificate using Let's Encrypt and this tool https://github.com/PKISharp/win-acme
2. The problem:
It doesn't seem to be working, I get the following error when trying to access https://test.example.me
This site can’t provide a secure connection
3. What I have done so far
I followed every step from:
https://commaster.net/content/how-setup-lets-encrypt-apache-windows
This is the content of my httpd-ssl.conf
<VirtualHost *:443>
ServerAdmin me@example.me
ServerName text.example.me
DocumentRoot "D:/xampp/htdocs"
RewriteEngine On
# Redirect to the correct domain name
RewriteCond %{HTTP_HOST} !^test.example.me$ [NC]
RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
Alias /.well-known D:/xampp/htdocs/.well-known
SSLEngine on
SSLCertificateFile "conf/ssl.crt/text.example.me-crt.pem"
SSLCertificateKeyFile "conf/ssl.key/test.example.me-key.pem"
SSLCertificateChainFile "conf/ssl.csr/ca-test.example.me-crt.pem"
</VirtualHost>
My 80 and 443 ports are available, and not being used by Skype, so that's not the issue.
This is the content of my httpd-vhosts.conf
<VirtualHost *:80>
ServerAdmin me@example.me
ServerName test.example.me
RewriteEngine On
# Redirect to the HTTPS site
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
ErrorLog logs/slog.log
</VirtualHost>
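An added example, not part of the question and not win-acme's code: a small POSIX shell script (it only needs the openssl CLI) that checks offline the two things the posted httpd-ssl.conf has to get right before Apache can serve https://test.example.me, namely that SSLCertificateFile and SSLCertificateKeyFile are one key pair, and that the certificate's subjectAltName covers the ServerName. The posted vhost points SSLCertificateFile at text.example.me-crt.pem and SSLCertificateKeyFile at test.example.me-key.pem; a mismatched pair is exactly what the first check reports. File paths and hostnames are caller-supplied arguments, and the served_san function is a network check included only for completeness.

```shell
#!/bin/sh
# Added example (not from the question or from win-acme): offline checks for
# what a mod_ssl <VirtualHost> must get right before it can answer a handshake:
#   1. SSLCertificateFile and SSLCertificateKeyFile belong to the same key pair
#   2. the certificate's subjectAltName covers the vhost's ServerName
#   3. (optional, needs network) the SAN of the certificate the live server
#      presents for a given SNI name
# Requires only the openssl command-line tool. Paths and names are arguments.

# Return 0 if the public key inside CERT equals the public key derived from KEY.
# Both are compared as PEM SubjectPublicKeyInfo, so RSA and EC keys work alike.
cert_key_match() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if HOST is listed as a DNS name in CERT's subjectAltName.
# Browsers have ignored the CN field since 2017, so only the SAN list counts.
# Simplification: a wildcard SAN such as DNS:*.example.me is not expanded.
cert_covers_host() {
  cert="$1"; host="$2"
  # escape the dots so "test.example.me" cannot match "testXexample.me"
  esc=$(printf '%s' "$host" | sed 's/\./\\./g')
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -iqE "DNS:${esc}(,|[[:space:]]|$)"
}

# Run both offline checks for one vhost and report like a linter would.
check_vhost() {
  cert="$1"; key="$2"; host="$3"; rc=0
  if cert_key_match "$cert" "$key"; then
    echo "ok   certificate and key are one pair"
  else
    echo "FAIL certificate and key do not belong together ($cert / $key)"; rc=1
  fi
  if cert_covers_host "$cert" "$host"; then
    echo "ok   subjectAltName covers $host"
  else
    echo "FAIL $host is not in the certificate's subjectAltName"; rc=1
  fi
  return $rc
}

# Network check (not exercised offline): print the SAN line of the certificate
# the server at HOST:PORT hands out when the client sends HOST as SNI.
served_san() {
  host="$1"; port="${2:-443}"
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
}

# usage: sh ssl_vhost_check.sh CERT KEY HOSTNAME
if [ "$#" -eq 3 ]; then check_vhost "$1" "$2" "$3"; fi
```

On the Windows box the same commands run from the OpenSSL bundled with XAMPP (apache\bin\openssl.exe); the file paths in the vhost are relative to the Apache ServerRoot, so resolve them against that directory before passing them in.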
I have been using Let's Encrypt for some years, but without(!) RewriteEngine.
So here is a snippet from my httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "C:/webserver/html/example_html"
ServerName www.example.com
Redirect permanent / https://www.example.com/
# For the case that you are using ModProxy to forward to a Tomcat, please also add:
# ProxyPass "/.well-known/" "!"
</VirtualHost>
A snippet from my httpd-ssl.conf:
<VirtualHost *:443>
DocumentRoot "C:/webserver/html/example_html"
ServerName www.example.com
Protocols h2 http/1.1
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLCertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-crt.pem"
SSLCertificateKeyFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-key.pem"
SSLCACertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-www.example.com-crt.pem"
<IfModule headers_module>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set x-frame-options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
#Header always set Content-Security-Policy "script-src 'self'"
</IfModule>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
#For the case that you use ModProxy to forward to a Tomcat or so
#ProxyPass "/.well-known/" "!"
EnableSendfile off
EnableMMAP off
</VirtualHost>
Also please keep in mind that when you want to use multiple hostnames, then you need a wildcard certificate; otherwise it's simple with Let's Encrypt to have one certificate for each host/domain name, but you need one virtual host section for each host/domain name you are using.
Last but not least, my personal opinion is that mod_rewrite should not be used when there is no need, because it is complicated and not really understood by most people.
How to add SSL certificate from Certbot in Windows Apache
Go to Certbot’s official website: Certbot Instructions | Certbot (eff.org)
Download the latest version of the Certbot installer for Windows at
https://dl.eff.org/certbot-beta-installer-win_amd64.exe.
Install it on your C: drive.
Run > Command Prompt > Run as administrator
C:\Users\Administrator>certbot --help
C:\Users\Administrator>certbot certonly --webroot
Enter your email address > Y > Y
Enter your domain/subdomain name: abc.com / abc.xyz.com
Go to : C:\xampp\apache\conf\extra
Open: httpd-vhosts.conf
Edit:
<VirtualHost *:443>
DocumentRoot C:\xampp\htdocs\aeapp
ServerName callum.aeapp.uk
SSLEngine on
SSLCertificateFile "C:\Certbot\live\abc.com\fullchain.pem"
SSLCertificateKeyFile "C:\Certbot\live\abc.com\privkey.pem"
</VirtualHost>
Add port 443 in the firewall settings (if you have already added it, skip this step)
Search > Type: Firewall and open Windows Defender Firewall with Advanced Security on Local Computer
Go to: Inbound rules > New Rule > Select “Port” > Specific Local Ports : Type “443” > Allow the connection > Tick all 3 options > Add name “ ex: abc ssl” > Finish.
Restart XAMPP
Check your website/webapp; if it shows the lock icon, you've added the SSL certificate successfully.
I am facing a problem with an SSL certificate.
I have a dedicated host, and I cannot figure out what I am missing to get this error in the browser:
Chrome:
NET::ERR_CERT_COMMON_NAME_INVALID
Mozilla:
SSL_ERROR_BAD_CERT_DOMAIN
The messages in the browsers are quite similar:
Impossible to verify from the server that it is truly the domain site2.com, because its security certificate comes from *.sub.site1.com. It may come from a bad configuration or a connection intercepted by a pirate. (translated message)
So it seems that the certificate is not picked up when the request goes through the virtual host:
<VirtualHost *:80>
ServerName www.site2.com
ServerAlias site2.com
Redirect permanent / https://site2.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.site2.com
ServerAlias site2.com
DocumentRoot /var/www/site2
Protocols h2 http/1.1
<If "%{HTTP_HOST} == 'www.site2.com'">
Redirect permanent / https://site2.com/
</If>
ErrorLog ${APACHE_LOG_DIR}/site2-error.log
CustomLog ${APACHE_LOG_DIR}/site2-access.log combined
SSLEngine On
SSLCertificateFile /home/certifs/site2.crt
SSLCertificateKeyFile /home/certifs/site2.key
SSLCertificateChainFile /home/certifs/site2.pem
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLUseStapling on
<Directory /var/www/site2/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/site2/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
Finally, if I choose to go to the website anyway, it arrives at a GitLab sign-in page like:
site2.com/users/sign_in
For information, the server runs Apache2 on Debian, and we have GitLab installed.
Thank you in advance for your help.
The problem was that in apache2, I was correctly creating the conf file in the sites-available folder, but I was never adding it to the sites-enabled folder.
Executing the command "a2ensite site2.conf" fixed this problem.
To check whether you have enabled your site properly, I advise you to execute this command: apachectl -S. Please check this subject too, because it may change depending on your server config: How to debug an apache virtual host configuration?
I have several hostnames running on Apache for which I'd like to have a specific strong TLS configuration. There are 2 .conf files enabled in Apache: the first one contains all the VirtualHosts for port 80 (say default.conf) and the other one stores the respective VirtualHosts for port 443 (default443.conf).
Only the hostname from the very first VirtualHost of default.conf can be accessed via https://. All remaining hosts are throwing ERR_SSL_VERSION_OR_CIPHER_MISMATCH in any web browser. When accessing such a failing hostname via curl, the error below appears:
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
default.conf:
Protocols h2 h2c http/1.1
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example
RewriteEngine on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
#RewriteRule ^(.*)$ https://example.com$1 [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/html/example2
RewriteEngine on
RewriteRule ^(.*)$ https://example2.com$1 [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default443.conf:
Protocols h2 h2c http/1.1
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/html/example
RewriteEngine on
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1
SSLEngine On
SSLCertificateFile /path/to/example.crt
SSLCertificateKeyFile /path/to/example.key
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
<VirtualHost *:443>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/html/example2
RewriteEngine on
RewriteCond %{SERVER_PORT} 443
RewriteCond %{HTTP_HOST} www\.example2\.com$
RewriteRule ^(.*)$ https://example2.com$1 [R=301,L]
SSLEngine On
SSLCertificateFile /path/to/example2.crt
SSLCertificateKeyFile /path/to/example2.key
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
SSLProtocol -all +TLSv1.2
SSLCipherSuite -all:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
According to the above configuration, example.com is properly resolving via https:// using the cipher suites declared while SSL handshake is failing for example2.com.
In case of commenting out the SSLCipherSuite directive or replacing the cipher suites with the ones suggested by Mozilla for TLS 1.2, example2.com starts working properly via https:// as well.
apachectl -v
Server version: Apache/2.4.41
openssl version
OpenSSL 1.1.1c 28 May 2019
I would like to clarify the reason why only one hostname is functioning properly via https:// while the remaining ones keep getting failed SSL handshakes with the ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305 ciphers declared.
The resolution appeared to be pretty obvious after some research.
There was ECDSA SSL/TLS certificate installed for the hostname working properly (example.com from the listings) while all the other hosts had certificates with RSA private keys installed for them.
As the declared cipher suites were ECDSA-authentication only (1) (2) the handshake was failing for hosts with RSA private keys.
Reissuing the remaining certs with EC keys solved the issue.
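As an added example (not code from the question or its answer): the diagnosis above can be reproduced offline by comparing the authentication method each suite in an SSLCipherSuite string advertises (the Au= column of openssl ciphers -v) with the key type of the vhost's certificate. Only the openssl CLI is needed; certificate paths and cipher strings are supplied by the caller, and the sample cipher strings in the comments are the ones from the question.

```shell
#!/bin/sh
# Added example, not part of the question or answer above. A TLS 1.2 cipher
# suite fixes the signature algorithm the server must authenticate with
# (ECDHE-ECDSA-* needs an EC certificate, ECDHE-RSA-* an RSA one). If no suite
# in SSLCipherSuite matches the key behind SSLCertificateFile, the server has
# nothing to offer and the client sees "sslv3 alert handshake failure".
# Requires only the openssl command-line tool.

# Print the authentication type a certificate's key provides: RSA, ECDSA, or
# the raw algorithm name for anything else (e.g. ED25519).
cert_auth_type() {
  alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk -F': *' '/Public Key Algorithm/ { print $2; exit }')
  case "$alg" in
    rsaEncryption|rsassaPss) echo RSA ;;
    id-ecPublicKey)          echo ECDSA ;;
    *)                       echo "$alg" ;;
  esac
}

# Print the distinct Au= values of the TLS <= 1.2 suites selected by a cipher
# string. TLS 1.3 suites (Au=any) are skipped: they are key-type agnostic and
# in mod_ssl are configured separately (SSLOpenSSLConfCmd Ciphersuites).
cipher_auth_methods() {
  openssl ciphers -v "$1" 2>/dev/null \
    | awk '$2 != "TLSv1.3" { for (i = 1; i <= NF; i++) if ($i ~ /^Au=/) print substr($i, 4) }' \
    | sort -u
}

# Return 0 if CIPHERS contains at least one suite usable with a KEYTYPE certificate.
ciphers_support_key() {
  cipher_auth_methods "$1" | grep -qx "$2"
}

# Put it together for one vhost: the certificate it serves plus the cipher
# string in effect for it (SSLCipherSuite is inherited from the server scope
# when the vhost does not set its own, as in the question's default443.conf).
check_vhost_ciphers() {
  cert="$1"; ciphers="$2"
  type=$(cert_auth_type "$cert")
  if ciphers_support_key "$ciphers" "$type"; then
    echo "ok   $cert authenticates with $type and the cipher list offers Au=$type suites"
  else
    offered=$(cipher_auth_methods "$ciphers" | tr '\n' ' ')
    echo "FAIL $cert authenticates with $type but the cipher list only offers Au=${offered}suites; expect a handshake failure"
    return 1
  fi
}

# usage: sh check_ciphers.sh /path/to/example2.crt \
#          'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305'
if [ "$#" -eq 2 ]; then check_vhost_ciphers "$1" "$2"; fi
```

Run it once per vhost with the cipher string that vhost actually inherits; an RSA certificate against the question's ECDSA-only list fails, and adding a single ECDHE-RSA-* suite (or reissuing with an EC key, as the answer did) makes it pass.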
I have a website with CloudFlare protection, which seems good too, but if you enter the original IP address of my server you can access it normally.
I'm using Apache (XAMPP) and SSL (https://)
I want something similar to what happens when you enter from the IP address with CloudFlare, which throws error 1003
Edit or create a default vhost and put this inside:
<VirtualHost *:80>
ServerName xxx.xxx.xxx.xxx
Redirect 403 /
DocumentRoot /var/www/html
</VirtualHost>
xxx.xxx.xxx.xxx is your server ip address
After that restart your apache
sudo a2ensite your-vhost.conf
sudo systemctl restart apache2
Hope that helps
You can verify if the domain received in the request matches your site domain. If not, force a redirection to the user. Like so:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www.example.com
RewriteRule (.*) https://www.example.com$1 [R=301,L]
So IP accesses will be forced back to the domain name.
Obviously, you could return anything, this is just one method I see often.
Under Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
I just copied my 000-default-ssl.conf as disable-ip.ssl.conf and put the content below in it
cd /etc/apache2/sites-available
cp 000-default-ssl.conf disable-ip.ssl.conf
Content of the disable-ip.ssl.conf vhost file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root#localhost
ServerName localhost
# here write the IP address of your web site
ServerAlias XXX.XXX.XX.XX
UseCanonicalName Off
Redirect 403 /
ErrorDocument 403 "Sorry, direct IP access not allowed."
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
then
a2ensite disable-ip.ssl.conf
service apache2 restart
I cannot make a connection from my dockerized Apache2.4 to the mailcow-dockerized web front-end. The particular Apache error is:
Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
We have: 2 docker-compose files.
1. Mailcow (mailcow-dockerized), 2. apache-letsencrypt (enoniccloud/apache2-letsencrypt image)
We want:
Utilization of the Apache2.4 as reverse-proxy for the mailcow-dockerized web front-end + Apache2.4 usage as web-server for a website.
Additional Info:
Mailcow front-end can be reached when the Apache2.4 is not up and the bindings in its config are set to default.
Docker-Compose apache-letsencrypt container:
version: '2.1'
services:
apache2:
build: apache2
hostname: root.yyy.com
restart: always
volumes_from:
- letsencryptstore
volumes:
- /var/www/html:/var/www/html
ports:
- "80:80"
- "443:443"
expose:
- "8080"
- "8443"
environment:
LETS_ENCRYPT_EMAIL: "xyz@yahoo.de"
LETS_ENCRYPT_DOMAINS: "root.yyy.com,mail2.yyy.com"
labels:
io.enonic.backup.data: "/etc/letsencrypt,/var/lib/letsencrypt"
networks:
- mailcowdockerized_mailcow-network
letsencryptstore:
image: busybox
volumes:
- "/etc/letsencrypt"
- "/var/lib/letsencrypt"
networks:
mailcowdockerized_mailcow-network:
external: true
Apache config:
<VirtualHost *:80>
ServerName root.yyy.com
DocumentRoot /var/www/html/
RewriteEngine on
RewriteRule ^/(.*) https://root.yyy.com/$1 [L,R=301]
</VirtualHost>
<VirtualHost *:80>
ServerName mail2.yyy.com
RewriteEngine on
RewriteRule ^/(.*) https://mail2.yyy.com/$1 [L,R=301]
</VirtualHost>
<VirtualHost *:443>
ServerName mail2.yyy.com
ServerAlias autodiscover.mail2.yyy.com
ServerAlias autoconfig.mail2.yyy.com
# You should proxy to a plain HTTP session to offload SSL processing
ProxyPass / https://127.0.0.1:8443/
ProxyPassReverse / https://127.0.0.1:8443/
ProxyPreserveHost On
ProxyAddHeaders On
# This header does not need to be set when using http
RequestHeader set X-Forwarded-Proto "https"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/certs/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
<VirtualHost *:443>
ServerName root.yyy.com
DocumentRoot /var/www/html/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/certs/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem
RequestHeader set X-Forwarded-Proto "https"
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Mailcow-Config:
# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"
MAILCOW_HOSTNAME=mail2.yyy.com
# ------------------------------
# SQL database configuration
# ------------------------------
DBNAME=mailcow
DBUSER=mailcow
# Please use long, random alphanumeric strings (A-Za-z0-9)
DBPASS=RdnvlN1CXSAHA98CVz4sYUgfrMuF
DBROOT=Ve91gtedyLa8xGJf6sXNmMcNzFUp
# ------------------------------
# HTTP/S Bindings
# ------------------------------
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
HTTP_PORT=8080
HTTP_BIND=127.0.0.1
HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1
Rest of the config is default.
Apache mods proxy, proxy_balancer, proxy_http are enabled.
Help would be much appreciated :)
I have Mailcow (nginx) dockerized installed on my Ubuntu 16 web server.
The only difference I have from your setup is the HTTP_BIND IPs:
Mine look like:
HTTP_PORT=8080
HTTP_BIND=0.0.0.0
HTTPS_PORT=8443
HTTPS_BIND=0.0.0.0
I have only set the binds to 0.0.0.0 so I can access my mail server through port 8080 or 8443 from any IP in case my Apache web server is down.
mail.domain.com-le-ssl.conf [generated by let's encrypt]
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mail.example.com
ProxyPass / http://example.com:8080/
ProxyPreserveHost On
SSLCertificateFile /etc/letsencrypt/live/mail.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
My apache2 virtual host config for reverse proxy: mail.example.com.conf
<VirtualHost *:80>
ServerName mail.example.com
ProxyPass / http://example.com:8080/
ProxyPreserveHost On
RewriteEngine on
RewriteCond %{SERVER_NAME} =mail.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Please note that my original apache2 config file is:
<VirtualHost *:80>
ServerName mail.example.com
ProxyPass / http://example.com:8080/
ProxyPreserveHost On
</VirtualHost>
Because I don't really need SSL encryption between Apache and nginx, the rewrite rule was only added when I installed the Let's Encrypt certificate on the Apache mail server for mail.example.com.
I like and only use the SOGo web client, so I don't need a mail SSL certificate; if you are going to use an external mail client, then you may want to consider pointing your Mailcow SSL certificate files to the files created by Let's Encrypt for apache2.
In other words:
[me]---ssl:443--->[mail.example.com]--local-->http://example.com:8080/
Maybe I could achieve the same result if I set my BIND address like yours, and it should be more secure.
Maybe http://localhost.com:8080/ will also work.
I'm sure my setup is vulnerable; this is my 1st try.
Please let me know if you need any info about my setup.
These are the tutorials and documentations I followed to get this running.
https://www.digitalocean.com/community/tutorials/how-to-use-apache-as-a-reverse-proxy-with-mod_proxy-on-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04
https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/
https://www.youtube.com/watch?v=VsiYowuiT6A&t=389s
https://www.youtube.com/watch?v=A3Prx_2YEm8&t=62s
Apache/2.2.15, CentOS Linux.
I have a site where I want the whole site to be SSL-encrypted all the time. Normally, I don't use mod_rewrite to do my www/non-www redirects; I just use VirtualHosts and the Redirect directive.
Trying to do this with my HTTPS site, however, is returning a generic SSL connection error in all browsers. Here's my vhost file (domain names and IP addresses changed):
NameVirtualHost 192.168.0.256:80
NameVirtualHost 192.168.0.256:443
<VirtualHost 192.168.0.256:80>
ServerName www.example.com
ServerAlias example.com
Redirect / https://www.example.com/
</VirtualHost>
# ############################
# This block breaks everything
# ############################
<VirtualHost 192.168.0.256:443>
ServerName example.com:443
Redirect / https://www.example.com/
</VirtualHost>
<VirtualHost 192.168.0.256:443>
DocumentRoot /var/www/example_site/htdocs/
ServerName www.example.com:443
ErrorLog /var/www/logs/example_site/error_log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl.crt/www.example.com.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/www.example.com.key
SSLCACertificateFile /etc/httpd/ssl.crt/www.example.com.ca-bundle
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Directory /var/www/example_site/htdocs/>
Options FollowSymLinks MultiViews
AllowOverride All
</Directory>
<Files ~ "\.php$">
SSLOptions +StdEnvVars
</Files>
</VirtualHost>
The block marked "This block breaks everything" appears to be the culprit. When that VirtualHost block is commented out, the site loads as expected and everything's fine. But I really want/need to redirect non-www to www, and when that block is enabled, I get this on every attempt to load the site:
Error logs don't seem to show anything useful. Can anyone tell from this what exactly is going wrong?
Port 443 always needs a certificate attached to it, even if it's just a simple redirect. Connect -> SSL -> Data transfer.
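An added example serving both the direct-IP-access answers earlier on this page (the "Redirect 403" vhost named after the server IP, and its :443 variant) and this Apache 2.2 question: a small awk model, written for this page and not taken from any of the posts, of how httpd chooses a name-based vhost for a request. It makes two things visible without a running server: a 403 vhost only fires when the Host header matches it or it is the first vhost on that port, so a bare-IP request on :443 lands on whatever vhost is first there; and a :443 vhost that redirects but has no SSLEngine, when it is first on its address as in the question, is the one that answers the TLS handshake. The config file and the hostnames are caller-supplied; the simplifications (single flat file, no Include, no IPv6 literals, only "*.suffix" aliases) are noted in the comments.

```shell
#!/bin/sh
# Added example, not from any post above: an offline model of Apache's
# name-based <VirtualHost> selection (httpd docs, "Name-based Virtual Host
# Support"), reduced to the rules that matter for the two problems discussed:
#   - only vhosts bound to the requested port are candidates
#   - the first candidate whose ServerName or a ServerAlias matches the Host
#     header (case-insensitive; "*.suffix" aliases honoured) is selected
#   - no match at all: the FIRST candidate on that port serves the request,
#     whatever its name says, and for :443 it must have SSLEngine on
# Simplifications: one flat file (no Include), "<VirtualHost *>" without a
# port is ignored, IPv6 literals and "?" wildcards are not parsed.

# usage: select_vhost CONF PORT HOST  -> prints "<ServerName> ssl=on|off"
select_vhost() {
  awk -v port="$2" -v host="$3" '
    function host_matches(pat, h,    suf) {
      pat = tolower(pat); sub(/:[0-9]+$/, "", pat)   # "example.com:443" -> "example.com"
      if (pat == h) return 1
      if (substr(pat, 1, 2) == "*.") {                 # "*.site2.com" matches any deeper name
        suf = substr(pat, 2)
        return length(h) > length(suf) && substr(h, length(h) - length(suf) + 1) == suf
      }
      return 0
    }
    /^[ \t]*<VirtualHost[ \t]/ {
      inv = 1; name = ""; aliases = ""; ssl = "off"; ports = " "
      s = $0
      while (match(s, /:[0-9]+/)) {                    # every ":port" in the opening tag
        ports = ports substr(s, RSTART + 1, RLENGTH - 1) " "
        s = substr(s, RSTART + RLENGTH)
      }
      next
    }
    /^[ \t]*<\/VirtualHost>/ {
      if (inv && index(ports, " " port " ")) {
        n++
        vname[n] = (name == "" ? "(unnamed)" : name); valias[n] = aliases; vssl[n] = ssl
      }
      inv = 0; next
    }
    inv && tolower($1) == "servername"  { name = $2; sub(/:[0-9]+$/, "", name) }
    inv && tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) aliases = aliases " " $i }
    inv && tolower($1) == "sslengine"   { ssl = tolower($2) }
    END {
      h = tolower(host)
      for (i = 1; i <= n; i++) {
        m = split(vname[i] " " valias[i], cand, " ")
        for (j = 1; j <= m; j++)
          if (host_matches(cand[j], h)) { print vname[i] " ssl=" vssl[i]; exit }
      }
      if (n > 0) print vname[1] " ssl=" vssl[1]        # fallback: first vhost on that port
    }' "$1"
}

# usage: sh which_vhost.sh /etc/apache2/sites-enabled/000-default.conf 443 203.0.113.10
if [ "$#" -eq 3 ]; then select_vhost "$1" "$2" "$3"; fi
```

Run it against the enabled config with the raw IP as the Host value on both 80 and 443: if the answer on :443 is not the 403 vhost, direct-IP access is still open over HTTPS, and if the answer for any name on :443 carries ssl=off, that vhost is the one producing the generic SSL error. apachectl -S prints the same ordering from the live server once the config loads.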