Problem with SSL Sites Certification

Hello,

I am installing SSL Certification on my Linux Centos Server. And I am trying the first Domains. It is almost working. But I have one strange problem. If I use a URL to the Site root (www) it comes as Secure. But if I use a URL to any internal directory it comes as Unsecure, depending on using www or a slash at the end.

Please try it in your Chrome Browser, but, clear its Cache memory between the tests. I have added SSL to 2 of our Sites:

segurosagro.com.br
multisites.com.br

And I created a simple directory called testredirect which has just an index.html file with an image.

1) segurosagro.com.br/testredirect

It comes as Unsecure.

2) segurosagro.com.br/testredirect/

It works, and comes as Secure.

3) www.segurosagro.com.br/testredirect

It also works, and comes as Secure.

In the same way:

1) multisites.com.br/testredirect

It comes as Unsecure.

2) multisites.com.br/testredirect/

It works, and comes as Secure.

3) www.multisites.com.br/testredirect

It also works, and comes as Secure.

My actual httpd.conf <virtualhosts> entries for segurosagro.com.br and multisites.com.br are as below. You will see that they are slightly different. This is due to tests I was doing trying to solve the problem:

#--------------------------------------------------------
#                 multisites.com.br
#--------------------------------------------------------
<virtualhost 66.226.75.86:80>
ServerAdmin webmaster@multisitesdominios.com.br
ServerName www.multisites.com.br
ServerAlias multisites.com.br
ServerAlias www.multisites.net.br
DocumentRoot /var/www/html/multisites/www
ScriptAlias /cgi-bin/ /var/www/html/multisites/www/cgi-multisites/
<Directory "/var/www/html/multisites/www/cgi-multisites/">
        Options ExecCGI Includes
        AllowOverride None
</Directory>
ErrorLog logs/multisites-error-log
TransferLog logs/multisites-access-log
#
#Redirection to https
#
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</virtualhost>

#--------------------------------------------------------
#                 segurosagro.com.br
#--------------------------------------------------------
<virtualhost 66.226.75.86:80>
ServerAdmin webmaster@multisitesdominios.com.br
ServerName www.segurosagro.com.br
ServerAlias segurosagro.com.br
DocumentRoot /home/segurosagro/www
ScriptAlias /cgi-bin/ /home/segurosagro/www/cgi-segurosagro/
<Directory "/home/segurosagro/www/cgi-segurosagro/">
        Options ExecCGI Includes
        AllowOverride None
</Directory>
TransferLog logs/segurosagro-access-log
#
#Redirection to https
#
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</virtualhost>

Thanks for any help.
Asked by Mario Lima (Owner)

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
First problem for you to resolve.

Fix your SSL cert.

Your current cert....

1) Correctly provides www.segurosagro.com.br coverage.

2) Incorrectly provides segurosagro.com.br coverage.

Your cert should cover both segurosagro.com.br + www.segurosagro.com.br or all manner of strange problems will arise.

Use free https://LetsEncrypt.org to simplify your life.
2
Bernard S. (CTO) commented:
You really should follow David's suggestion above, this will be the easiest and safest path to what you want to achieve
-  Make and move a backup copy of your files *.conf currently inside /etc/apache2/sites-available/
- restore your *.conf to the no https and no rewrite status, do the same to *ssl*.conf
- update /sites-enabled/ so that they have only your standard non https sites
------- now you are in a state similar to your initial state
check that with
apachectl configtest
which should say OK without any other text

Go to David's link and select the right version

Now install and run the scripts provided (I would suggest to place them into /root/letsencrypt/)
The program will
- look at all your active sites
- ask you to get certificate for all or a selected subset of these sites
- ask you if you want to place an automatic redirect

And voilà, it's done
.. almost...: you need to activate an automatic renewal of the certificate, since it is free but valid 3 months only.
my cron job for this is

21 13 * * 3 /root/letsencrypt/certbot-renew.sh
(day 3 in the week, each week, at 13:12).
(since it uses very few resources, doing that weekly is not a real waste)
2
Mihai Barbos (Trying to tame bits. They're nasty.) commented:
To clarify a bit more David Favor's answer: add aliases to the DNS name. Technically, add a subjectAltName field.
2
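
The coverage problem discussed in the answers above can be checked offline by comparing the names a virtual host answers for against the certificate's subjectAltName entries. This is an added example, not part of any post in the thread; the SAN lists passed to it are constructed sample values, and the function names are hypothetical.

```python
# Added example: checks which Apache vhost names a certificate's SAN list leaves uncovered.
# VHOST is copied from the question's config; SAN lists are constructed sample input.

VHOST = """\
ServerAdmin webmaster@multisitesdominios.com.br
ServerName www.segurosagro.com.br
ServerAlias segurosagro.com.br
"""

def served_hosts_from_vhost(conf_text):
    """Collect ServerName/ServerAlias values from an Apache vhost snippet."""
    hosts = []
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() in ("servername", "serveralias"):
            hosts.extend(parts[1:])
    return hosts

def _matches(pattern, host):
    """Match one SAN dNSName entry against a hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero
    if p[0] == "*":
        # Wildcard only as the whole left-most label, with at least two
        # fixed labels after it (no public-suffix list check here).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(san_dns_names, served_hosts):
    """Return the served hostnames that no SAN entry covers."""
    return [h for h in served_hosts
            if not any(_matches(s, h) for s in san_dns_names)]

if __name__ == "__main__":
    hosts = served_hosts_from_vhost(VHOST)
    for sans in (["www.segurosagro.com.br"],            # www only
                 ["*.segurosagro.com.br"],              # wildcard misses the apex
                 ["segurosagro.com.br", "www.segurosagro.com.br"]):
        print(sans, "-> uncovered:", uncovered(sans, hosts))
```

For a live check, the SAN list can be read from the `subjectAltName` field of the dict returned by Python's `ssl.SSLSocket.getpeercert()`.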

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Here's an example of how I generate/manage certs...

So first you generate a cert.

Then you have to manage cert auto renewal + when renewals occur, restart all services which require pulling in the new cert.

# First time generation.
# I use /var/www/html or DNS verification, because certbot-auto randomly seems to break using other directories
certbot-auto certonly --no-self-upgrade --non-interactive --rsa-key-size 4096 --email david\@davidfavor.com --agree-tos --webroot -w /var/www/html -d segurosagro.com.br -d www.segurosagro.com.br

# CRON job for - Auto renew + Auto reingest cert when auto renew occurs...
0 */1 * * * (echo '#####' && date && certbot-auto renew --non-interactive --post-hook "service apache2 reload; service dovecot reload") >> /var/log/ssl-renewals.log 2>&1

0
Bernard S. (CTO) commented:
The last version of certbot handles restarting Apache when needed

The problem you mention with certbot-auto might come from a slight version difference between the "standard" version (i.e. the one you get with apt-get install). Downloading the script and using it does not have those problems and the script updates itself (if needed) before renewing the certs
0
Bernard S. (CTO) commented:
The link I would recommend is
https://certbot.eff.org/docs/install.html
and more precisely installing and using certbot-auto as detailed at
https://certbot.eff.org/docs/install.html#certbot-auto 

This is really a no-brainer!
0
Mario Lima (Owner, Author) commented:
Hi, guys, I thank you a lot for all the suggestions and comments. I have submitted everything to my technician, and I will tell you later how the things have gone.
Mário Lima./
0
Bernard S. (CTO) commented:
Mihai's suggestion is useful.
Best contributions are the 2 from David.
0