How to switch off SSL (port 443) and revert to port 80 http?

We have an Intranet which, at some time, used SSL https for access externally. This has now been changed to internal only and I wish to revert to using http so that I don't get nagged that my certificate has expired. I commented out the 443 listener in my ports.conf file and restarted apache but I could not get onto the intranet. I uncommented (to put back to where it was) and noticed that port 80 is already configured in both ports.conf and the .conf in sites available so I thought maybe just hitting http://intranet.domain.com would work but I get a "There is a problem with this website's security certificate." error in the browser. If I continue, it reverts to using https:// and shows the page but still warns me of a certificate error.
Ideally, I wish to completely remove the certificate and any reference to it.
Thanks.
fuzzyfreakAsked:

arnoldCommented:
/etc/HTTPd/conf.d or /etc/apache2conf.d

See if you have a domain.conf; edit the virtual host that has IP:443, replacing it with *:80 after you confirm that there is no intranet/port 80 for this site already in the system.
0
fuzzyfreakAuthor Commented:
do you mean /etc/apache2/conf.d   ?
or apache2.conf?

Apache2.conf has no reference to my domain or 443.
0
arnoldCommented:
yes. /etc/apache2/conf.d/

In short, you need to alter the VirtualHost entry for your site to no longer bind to IP:443 and to bind to *:80
ServerName www.yourdomain.com
ServerAlias yourdomain.com
My advice would be to either copy the current https .conf file as its own,
then comment the virtualhost or change its name from secure_mydomain.conf to secure_mydomain_conf to make sure it is not loaded when apache/web server is loaded.

run the following command:
httpd -D DUMP_VHOSTS

or
apachectl -t -D DUMP_VHOSTS

Both will list the virtual host entries you have defined both in httpd.conf and within the conf.d directory any_filename.conf.
0

fuzzyfreakAuthor Commented:
Please find screen shot of that directory - which file are you referring to?
apache.jpg
0
arnoldCommented:
Please run the HTTPd or apachectl -t -D DUMP_VHOST

Within the directory
grep -I 'virtualhost' /etc/apache2/conf.d/*

Which files are listed you are looking for the :443 entry.


 Does your system use cpanel?
0
fuzzyfreakAuthor Commented:
I ran
apachectl -t -D DUMP_VHOST


then
grep -I 'virtualhost' /etc/apache2/conf.d/*



But there was no result, it simply went to the next line with the cursor.
0
fuzzyfreakAuthor Commented:
My apologies, only when I put the code tags around your syntax did I realise the grep command has a hyphen i (not L)
So here is my result -

/etc/apache2/conf.d/localized-error-pages:# even on a per-VirtualHost basis.  If you include the Alias in the global server
/etc/apache2/conf.d/other-vhosts-access-log:# Define an access log for VirtualHosts that don't define their own logfile
0
arnoldCommented:
Run lsof -i:443 trying to determine what responds in port 443 since it is not Apache.

You need to track down which app/service is responding in where and how they are managed.
0
fuzzyfreakAuthor Commented:
It is apache - why did you not think it was apache?
0
arnoldCommented:
There was no output from DUMP_VHOSTS
Oops the second command example had a typo

apachectl -t -DUMP_VHOSTS

You should get a Listing of VirtualHosts

Look within /etc/apache2/conf/httpd.conf or /etc/apache2/httpd.conf
0
fuzzyfreakAuthor Commented:
Nope. Same again, just moves to the next line.
0
arnoldCommented:
Does it only have a 443 referenced virtual host?

I am not a clervoiant that can see what you see when you see it.

In order to adjust your settings you need to identify the correct configuration that your system uses. And make the adjustments, first make sure your virtualhost for port 80 points to the correct documentroot that matches the 443. Note this change will be reflected immediately, unless the redirect to 443 is done within the configuration



You could be looking in the wrong place. I.e. The Apache server is only listening and responding on port 80.
0
fuzzyfreakAuthor Commented:
Do you mean clairvoyant?
Perhaps the screen shot will help :)
apache.docx
0
arnoldCommented:
Yes,

You are missing a parameter -D .

apachectl -t -D DUMP_VHOSTS
or
httpd -D DUMP_VHOSTS

Often copying and pasting text is better than images/.....

grep -i 'virtualhost' /etc/apache2/* /etc/apache2/conf.d/*


If you can post the httpd.conf, /etc/apache2/conf.d/ssl.conf
Note I am going on the standard location.  There are times where the standard location is not the one being used.
0
fuzzyfreakAuthor Commented:
OK, now you are confusing me. If you scroll up, you will see that is what I ran first of all - copying and pasting your command. You then omitted the -D telling me there was a typo - you are now adding it back in and effectively telling me to run the same command I already ran earlier???
0
arnoldCommented:
Note the correction I posted following your earlier post following my request which used incomplete term DUMP_VHOST versus the correct DUMP_VHOSTS
The syntax is specific.

You are the only one who can make the adjustment:
1) on the port 80 virtualhost to make sure it is not redirecting all requests within the config.
a) make sure the documentroot used in the port 80 setup points to the same location as the 443

I ask not for remit ion, but because what was asked has not been answered.
The image you listed of conf.d did not reflect what I expected to see meaning a .conf file that would likely contain the configuration you are looking for making the adjustment.
In its absence, I asked whether you are certain that the config you are reviewing are the correct ones.
Tracing back the HTTPd startup. To determine which config it is using.
0
fuzzyfreakAuthor Commented:
Right, so grep found the entries I believe you were looking for in ports.conf - which is the file I referred to in my original question.
Here is the information in ports.conf -

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

#NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
0
arnoldCommented:
This is the enabling listener

Look in
/etc/apache2/sites-enabled/000-default
/etc/apache2/sites-available/default-ssl
0
fuzzyfreakAuthor Commented:
the only one of those that seemed to contain the information you have pointed me to is the .conf file under sites-enabled, hopefully I am not giving too much away here but here is a paste from that file -

# host definition
<VirtualHost 192.168.2.235:80>
  ServerName intranet.goptions.co.uk
  ServerAlias intranet.goptions.co.uk
  DocumentRoot "/sites/intranet/htdocs"
  CustomLog "/var/log/apache2/intranet-access.log" combined
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule  ^/.* https://%{SERVER_NAME}/$1 [R]
  HostNameLookups off
  #IdentityCheck off
</VirtualHost>

# SSL virtual host
<VirtualHost 192.168.2.235:443>
  ServerName intranet.goptions.co.uk
  DocumentRoot "/sites/intranet/htdocs"
  CustomLog "/var/log/apache2/intranet-access.log" combined
  php_admin_flag allow_url_fopen  On
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/apache2/ssl/apache.crt
  SSLCertificateKeyFile /etc/apache2/ssl/apache.key
  SSLCertificateChainFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
  HostNameLookups off
  #IdentityCheck off
</VirtualHost>
0
fuzzyfreakAuthor Commented:
Hi, any chance I can get some further assistance on this please?
Many thanks
0
arnoldCommented:
Reverse your rules.  note you have :80 rewrites to https
one option is comment out the rewrite on port 80.
Make sure to add the options from :443 that are missing.
# host definition
<VirtualHost 192.168.2.235:80>
  ServerName intranet.goptions.co.uk
  ServerAlias intranet.goptions.co.uk
  DocumentRoot "/sites/intranet/htdocs"
  CustomLog "/var/log/apache2/intranet-access.log" combined
  #disable redirect to secure site
  #RewriteEngine On
  #RewriteCond %{HTTPS} !=on
  #RewriteRule  ^/.* https://%{SERVER_NAME}/$1 [R]
  #Add php exception
  php_admin_flag allow_url_fopen  On
  HostNameLookups off
  #IdentityCheck off
</VirtualHost>

# SSL virtual host
<VirtualHost 192.168.2.235:443>
  ServerName intranet.goptions.co.uk
  DocumentRoot "/sites/intranet/htdocs"
  CustomLog "/var/log/apache2/intranet-access.log" combined
  php_admin_flag allow_url_fopen  On
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/apache2/ssl/apache.crt
  SSLCertificateKeyFile /etc/apache2/ssl/apache.key
  SSLCertificateChainFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
  #disabled redirect to secure site
  #RewriteEngine On
  #RewriteCond %{HTTPS} =on
  #RewriteRule  ^/.* http://%{SERVER_NAME}/$1 [R]
  HostNameLookups off
  #IdentityCheck off
</VirtualHost> 



Once you validate that port 80 works as expected, you may have to rewrite the redirect back from 443 to port 80. I added the lines, they need to be uncommented.
0
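
The search this thread works toward, as an added example that is not part of any post: a shell helper that lists only the active (uncommented) directives that open port 443 or redirect HTTP to HTTPS. The function names and the sample files (modelled on the configuration posted above, with a placeholder host name) are assumptions of this example.

```shell
# Added example, not from the thread. Function names are hypothetical.

# scan_https_directives DIR
# Prints file:line:text for every active directive that listens on 443,
# defines a :443 virtual host, enables SSL, or redirects to https://.
# The patterns allow only whitespace before the directive, so lines
# commented out with '#' are not reported.
scan_https_directives() {
    # -R also follows the sites-enabled symlinks used on Debian/Ubuntu;
    # a hit only under sites-available belongs to a site that is not enabled.
    grep -RniE \
        -e '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' \
        -e '^[[:space:]]*<VirtualHost[[:space:]][^>]*:443[[:space:]>]' \
        -e '^[[:space:]]*SSLEngine[[:space:]]+on' \
        -e '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent)?)[[:space:]].*https://' \
        "$1" 2>/dev/null
}

# count_https_directives DIR -> number of matching lines (0 when clean)
count_https_directives() {
    scan_https_directives "$1" | wc -l | tr -d ' '
}

# write_sample_config DIR
# Constructed sample modelled on the files posted in the thread.
write_sample_config() {
    mkdir -p "$1/sites-enabled"
    cat > "$1/ports.conf" <<'EOF'
Listen 80
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
EOF
    cat > "$1/sites-enabled/intranet.conf" <<'EOF'
<VirtualHost 192.168.2.235:80>
  ServerName intranet.example.test
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule  ^/.* https://%{SERVER_NAME}/$1 [R]
</VirtualHost>
<VirtualHost 192.168.2.235:443>
  ServerName intranet.example.test
  SSLEngine on
  #RewriteRule  ^/.* http://%{SERVER_NAME}/$1 [R]
</VirtualHost>
EOF
}

# Run against a real tree by passing its path, e.g. /etc/apache2
if [ -n "${1:-}" ]; then scan_https_directives "$1" || echo "none found"; fi
```
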
fuzzyfreakAuthor Commented:
If I understand correctly, copying and pasting your code above was supposed to work, it does not.  Browsers are still trying to use https.  Therefore I cannot continue with your next suggestion.
0
arnoldCommented:
You need to make your current config match what I have posted.

If you do  copy/paste you need to replace what your config is.
try first to comment out the rewrite option on your :80 settings.
then reload httpd (apachectl reload)
then see if port 80 access is as you expected.
Since you are writing both sites into the same log file, ...

see how that works, your next step after some time has passed and no issues arose, you would copy and paste the commented section in my 443 example into yours and uncomment them.  This upon running apachectl reload will start redirecting users who are accessing the intranet site via SSL back to port 80.

The difficulty with these types of transition, the user does not know if they are using a bookmark/favorite that it is going away and they need to make changes.
0
fuzzyfreakAuthor Commented:
OK, I think we have won!  I simply removed the entire 443 part, then I had to change the Wordpress and Site Address and some broken links.  It seems OK so far...
0
arnoldCommented:
Removing 443 means anyone who has favorites/links to that https:// will get an error site can not be displayed, etc.
including someone in the middle of the session.

<virtualhost *:80>
non secure
removal of/commenting out of the "rewrite" directives and reload of apache is all that was needed. If it still forwarded, changes as you made within wordpress might have been required as well, i.e. wordpress URL https://yoursite 
</VirtualHost>
<virtualhost IP:443>
https relatedsite
</VirtualHost>

You have the config above if you need to have both

As long as you are set, glad I could help.
0
fuzzyfreakAuthor Commented:
Thanks for your persistence on this!
0