
I’m having trouble understanding what’s missing where I’ve added a LetsEncrypt certificate to a Django web application hosted on Linode (CentOS 7) and using Apache.

I used the certbot command to obtain an SSL certificate and noted the changes it added to the VirtualHosts files.

certbot --apache

I included the root and www domains when prompted.

Here’s what LetsEncrypt added to the /etc/httpd/sites-available directory.

<server_name>.com.conf

<VirtualHost *:80>
# Default from LetsEncrypt
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.<server_name>.com [OR]
RewriteCond %{SERVER_NAME} =<server_name>.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

And

<server_name>.com-le-ssl.conf (where it wrapped it in mod_ssl and added the LE certificate lines)

<IfModule mod_ssl.c>
<VirtualHost *:443>

# Load wsgi module
LoadModule wsgi_module <details>

# NOTE. When assigning a LetEncrypt certbot --apache the WSGI lines need to
# be commented out.
WSGIDaemonProcess <name> <details>
WSGIProcessGroup <name>
WSGIScriptAlias / <wsgi.py path>

Alias /static <static_folder_path>
<Directory <static_folder_path>>
  Require all granted
</Directory>

Alias /media <media_folder_path>
<Directory <media_folder_path>>
  Require all granted
</Directory>

<Directory <Django_app_path>>
  <Files wsgi.py>
    Require all granted
  </Files>
</Directory>

ServerName <servername.com>
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.<servername.com>
SSLCertificateFile /etc/letsencrypt/live/<servername.com>/cert.pem
SSLCertificateFile /etc/letsencrypt/live/<server_name>.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<server_name>.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/<server_name>.com/chain.pem

</VirtualHost>
</IfModule>

It also added an Include to httpd.conf referencing the above.

It may have added more. These were the changes I'm aware of.

I had previously configured a symbolic link to /etc/httpd/sites-available/<server_name>.com.conf via /etc/httpd/sites-enabled/<server_name>.com.conf

The process did mention the following:

We were unable to find a vhost with a ServerName or Address of www.<server_name>.com.
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ssl.conf                             |                              | HTTPS | Enabled
2: <server_name>.com.conf               |                              |       | Enabled
3: <server_name>.com-le-ssl.conf        | <server_name>.com            | HTTPS | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Deploying Certificate to VirtualHost /etc/httpd/sites-avilable/<server_name>.com-le-ssl.conf
Redirecting vhost in /etc/httpd/sites-enabled/<server_name>.com.conf to ssl vhost in /etc/httpd/sites-avilable/<server_name>.com-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://<server_name>.com and
https://www.<server_name>.com

I chose option 3.

While the root address https://<server_name>.com/home/ works fine and I get the secure padlock icon with a valid LetsEncrypt certificate, if I type https://www.<server_name>.com/home/ it fails and I get a 404 “Not Found” error:

“The requested URL /home/ was not found on this server.”

The url remains https://www.<server_name>.com/home/ so it is clearly failing to redirect as intended.

In addition, it’s appearing as an unsecure link so I don’t think it is picking up the LetsEncrypt certificate either.

Same for the rest of the links, i.e. https://<server_name>.com/weblog/2018/jan/15 works just fine but if it’s attempted as https://www.<server_name>.com/weblog/2018/jan/15 then it fails with the same “Not Found” error and again doesn’t redirect.

There’s nothing in the access or error logs that I could see. I was tailing them as I got the error.

I am redirecting in my app, i.e. <server_name>.com goes to <server_name>.com/home/, as per James Bennett’s Practical Django Projects book, but I did note that if I tried this url https://www.<server_name>.com then I default to the /var/www/html directory and see the Apache Test page. I know this is the case since I can add an index.html file to /var/www/html and it will display, i.e.

<html>
<p>Hello</p>
</html>

I’m not experienced with Apache, having previously relied on WebFaction support (sadly no longer). Links that seem to cover the same area are here but I’ve not yet managed to fix this following any of the solutions offered up here.

https://serverfault.com/questions/816392/lets-encrypt-automatically-redirect-to-https-not-working

https://community.letsencrypt.org/t/we-were-unable-to-find-a-vhost-with-a-servername-or-address/117900

Following up on the suggestions in the comments, here is a copy of the VirtualHost file which doesn't use LetsEncrypt, for http (port 80):

<VirtualHost *:80>

    # Load wsgi module
    LoadModule wsgi_module <details>
    
    # NOTE. When assigning a LetEncrypt certbot --apache the WSGI lines need to
    # be commented out.
    WSGIDaemonProcess <name> <details>
    WSGIProcessGroup <name>
    WSGIScriptAlias / <wsgi.py path>
    
    Alias /static <static_folder_path>
    <Directory <static_folder_path>>
      Require all granted
    </Directory>
    
    Alias /media <media_folder_path>
    <Directory <media_folder_path>>
      Require all granted
    </Directory>
    
    <Directory <Django_app_path>>
      <Files wsgi.py>
        Require all granted
      </Files>
    </Directory>

    # Try some redirects redirect all www to domain.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\. [NC]
    RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
    RewriteRule ^ http://%1%{REQUEST_URI} [L,NE,R=301]

</VirtualHost>

Under these circumstances the Rewrite works.

So having proved that the redirect works using http without LetsEncrypt, to simplify things I comment out the line in http.conf so that I'm just focusing on one VirtualHost file - the one produced by LetsEncrypt

IncludeOptional conf.d/*.conf
#IncludeOptional sites-enabled/*.conf
Include /etc/httpd/sites-avilable/<server_name>.com-le-ssl.conf

Restart Apache and the https://<server_name>.com works just fine. As before https://www.<server_name>.com fails with a 404.

Right now then I'm assuming there's only one VirtualHost file being used /etc/httpd/sites-avilable/<server_name>.com-le-ssl.conf so I try adding Redirects directly within that.

RewriteEngine on
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTPS_HOST} ^www\. [NC]
RewriteCond %{HTTPS_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

I put these at the end of the VirtualHost file immediately after references to the LetsEncrypt config. I'm not seeing a redirect. I put www in the request, www stays in the request presenting me with the 404.

jayuu
  • Do the non `www` redirects work ? `http://.com` ? – Michael Lindsay Jan 09 '21 at 12:10
  • I don't think I ever set them up to do so initially. I'll look to switch off SSL and go back to running on port 80 then comment again. – jayuu Jan 09 '21 at 16:01
  • If both domains do not work under http, that indicates it’s the virtual_host. – Michael Lindsay Jan 09 '21 at 16:29
  • Currently I'm unable to revert to http. Everything auto-redirects to https. I don't know if it's Apache doing this now or whether it's browser behavior. I've tried using questions like this (https://superuser.com/questions/565409/how-to-stop-an-automatic-redirect-from-http-to-https-in-chrome) but I'm still seeing redirects (even if I use the server IP address). – jayuu Jan 10 '21 at 11:14
  • Continuing from the previous comment - I then get the 'Your connection isn't private' as expected since these old VirtualHosts don't include the LetsEncrypt details. If I continue through though I get a 404. – jayuu Jan 10 '21 at 11:24
  • It would seem like the letsencrypt virtual host is not catching the requests. Are there any other virtual host blocks? – Michael Lindsay Jan 10 '21 at 11:26
  • No. I moved them all into another folder. I've put a copy of the VH in the original post. – jayuu Jan 10 '21 at 11:35
  • And you restarted Apache? – Michael Lindsay Jan 10 '21 at 11:35
  • Yes - systemctl restart httpd.service – jayuu Jan 10 '21 at 11:42
  • The reason for the http redirect was a line in the Django conf which I'd recently added SECURE_SSL_REDIRECT = True. I've removed this and http works. I also added a redirect to the VirtualHost which correctly redirects www to the domain. I've added these lines to the Virtual Host (80) in the original post. – jayuu Jan 10 '21 at 12:48
  • So after all that and to answer the initial question - yes redirects work with http. – jayuu Jan 10 '21 at 14:58
  • So it’s all working now? – Michael Lindsay Jan 10 '21 at 15:12
  • No, just http works. https still fails. Though if I make a change in the VirtualHost changing this line to :443> then both work (www and root) . Redirects from www to root however still do not. – jayuu Jan 10 '21 at 15:17
  • Is the allowed_hosts configured to allow both domains? – Michael Lindsay Jan 10 '21 at 15:18
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/227117/discussion-between-jayuu-and-michael-lindsay). – jayuu Jan 10 '21 at 17:26
  • Just to wrap up. I'm not using SECURE_SSL_REDIRECT = True. It's commented out. The only difference now made is the addition of the server name to the tag. Two conf files are used one for 80 - which remains as described above and one for 443 - with changes as described. Everything else remains the same and the redirect now works. Thanks @MichaelLindsay for your comments - they were helpful in working this out. – jayuu Jan 17 '21 at 00:40
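
For reference, a pair of virtual hosts that names both hostnames explicitly and sends www to the bare domain over HTTPS, as an added example that is not part of the original post or its comments. `example.com`, the certificate paths and the use of `Redirect` on port 80 are assumptions; the application's WSGI, Alias and Directory directives stay as in the post.

```apache
# Added example. example.com and every path here are placeholders.

# Port 80: both names declared, one hop to the canonical https URL.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # mod_alias keeps the rest of the path, so /home/ stays /home/.
    Redirect permanent / https://example.com/
</VirtualHost>

# Port 443: the same two names, so requests for www are matched by this
# vhost and not by whichever *:443 vhost was loaded first.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    # TLS is negotiated before any redirect is sent, so the certificate
    # must list both names (certbot -d example.com -d www.example.com).
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    RewriteEngine on
    # HTTP_HOST carries the Host header for http and https requests alike.
    # HTTPS is only an on/off flag, and HTTPS_HOST is not among the
    # server variables mod_rewrite documents.
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

    # Application directives (WSGI, Alias, Directory) follow here.
</VirtualHost>
</IfModule>
```

`apachectl -S` lists which virtual host answers each name and port, and `curl -sI https://www.example.com/home/` shows the status line and `Location` header the server actually returns.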
