Add redirection from HTTP to HTTPS #6

Open
opened 2024-11-15 13:26:33 +01:00 by Benjamin_Loison · 6 comments
```bash
sudo certbot enhance
```

Output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please specify one or more enhancement types to configure. To list the available enhancement types, run:

certbot --help enhance

No enhancements requested, exiting.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

Source: `certbot --help`

Author
Owner
```bash
certbot --help enhance
```

Output:

```
usage: 

  certbot enhance [options]

options:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini)

enhance:
  Helps to harden the TLS configuration by adding security enhancements to already existing configuration.

  -n, --non-interactive, --noninteractive
                        Run without ever asking for user input. This may require additional command line flags; the client will try to
                        explain which ones are required if it finds one missing (default: False)
  --force-interactive   Force Certbot to be interactive even if it detects it's not being run in a terminal. This flag cannot be used
                        with the renew subcommand. (default: False)
  -d DOMAIN, --domains DOMAIN, --domain DOMAIN
                        Domain names to include. For multiple domains you can use multiple -d flags or enter a comma separated list of
                        domains as a parameter. All domains will be included as Subject Alternative Names on the certificate. The first
                        domain will be used as the certificate name, unless otherwise specified or if you already have a certificate with
                        the same name. In the case of a name conflict, a number like -0001 will be appended to the certificate name.
                        (default: Ask)
  --cert-name CERTNAME  Certificate name to apply. This name is used by Certbot for housekeeping and in file paths; it doesn't affect the
                        content of the certificate itself. Certificate name cannot contain filepath separators (i.e. '/' or '\',
                        depending on the platform). To see certificate names, run 'certbot certificates'. When creating a new
                        certificate, specifies the new certificate's name. (default: the first provided domain or the name of an existing
                        certificate on your system for the same domains)
  --redirect            Automatically redirect all HTTP traffic to HTTPS for the newly authenticated vhost. (default: redirect enabled
                        for install and run, disabled for enhance)
  --hsts                Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use SSL for the
                        domain. Defends against SSL Stripping. (default: None)
  --uir                 Add the "Content-Security-Policy: upgrade-insecure-requests" header to every HTTP response. Forcing the browser
                        to use https:// for every http:// resource. (default: None)
  --auto-hsts           Gradually increasing max-age value for HTTP Strict Transport Security security header (default: False)
```
Author
Owner
```bash
sudo certbot enhance --redirect
```

Output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No existing certificates found.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

Maybe suffers from #4.

Author
Owner
`/var/log/letsencrypt/letsencrypt.log`:

```
...
2024-11-15 12:37:38,291:DEBUG:certbot._internal.main:certbot version: 2.9.0
2024-11-15 12:37:38,291:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-11-15 12:37:38,291:DEBUG:certbot._internal.main:Arguments: ['--redirect']
2024-11-15 12:37:38,291:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-11-15 12:37:38,297:DEBUG:certbot._internal.log:Root logging level set at 30
2024-11-15 12:37:38,297:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-11-15 12:37:38,343:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.58
2024-11-15 12:37:38,490:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='apache', value='certbot_apache._internal.entrypoint:ENTRYPOINT', group='certbot.plugins')
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0xf523dbe67f20>
Prep: True
2024-11-15 12:37:38,491:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0xf523dbe67f20>
2024-11-15 12:37:38,491:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator None, Installer apache
2024-11-15 12:37:38,491:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.9.0', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1223, in enhance
    config.certname = cert_manager.get_certnames(
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/cert_manager.py", line 347, in get_certnames
    raise errors.Error("No existing certificates found.")
certbot.errors.Error: No existing certificates found.
2024-11-15 12:37:38,493:ERROR:certbot._internal.log:No existing certificates found.
```
Author
Owner

DuckDuckGo search *certbot redirect without domain name*.
Author
Owner

Could just disable HTTP, but it is nice as a shortcut and a more user-friendly approach to just redirect.
Author
Owner

Adding to `/etc/apache2/sites-enabled/000-default.conf`:

```
Redirect permanent / https://XXX.XXX.XXX.XXX
```

Source: [the Stack Overflow answer 16201658](https://stackoverflow.com/a/16201658)

```bash
sudo service apache2 reload
curl http://XXX.XXX.XXX.XXX/test
```

Output:

```html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://XXX.XXX.XXX.XXXtest">here</a>.</p>
<hr>
<address>Apache/2.4.58 (Ubuntu) Server at XXX.XXX.XXX.XXX Port 80</address>
</body></html>
```

Adding to `/etc/apache2/sites-enabled/000-default.conf`:

```
Redirect permanent / https://XXX.XXX.XXX.XXX/
```

```bash
sudo service apache2 reload
curl http://XXX.XXX.XXX.XXX/test
```

Output:

```html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://XXX.XXX.XXX.XXX/test">here</a>.</p>
<hr>
<address>Apache/2.4.58 (Ubuntu) Server at XXX.XXX.XXX.XXX Port 80</address>
</body></html>
```

How to avoid hardcoding the IP?

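The trailing-slash difference between the two `Redirect` lines above is easy to miss when reading a 301 body by eye. As an added example (not part of this issue or of certbot), the script below models how Apache's `Redirect <prefix> <target>` builds the `Location` value by appending the rest of the request URI to the target, reproducing both outputs seen in the thread, and then audits a raw redirect response for the properties an HTTP-to-HTTPS redirect should have: a permanent status, `https` scheme, unchanged host, and preserved path and query. The sample response is constructed; `XXX.XXX.XXX.XXX` is the same placeholder host the thread uses.

```python
from urllib.parse import urlsplit

def apache_prefix_redirect(prefix, target, request_uri):
    """Model of Apache's `Redirect <prefix> <target>`: the matched prefix is
    replaced by the target and the rest of the request URI is appended verbatim.
    With target 'https://host' (no trailing slash) and request '/test' this
    yields 'https://hosttest', exactly the broken Location seen in the thread."""
    if not request_uri.startswith(prefix):
        return None  # directive does not match this request; no redirect
    return target + request_uri[len(prefix):]

def parse_status_and_headers(raw):
    """Parse the status code and header fields of a raw HTTP/1.x response head."""
    status_line, _, rest = raw.partition("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in rest.split("\r\n"):
        if not line:            # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_https_redirect(request_host, request_target, status, location):
    """Return the list of problems with an HTTP->HTTPS redirect; [] means correct."""
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect (301/308)")
    t = urlsplit(location)
    if t.scheme != "https":
        problems.append(f"scheme {t.scheme!r} is not https")
    if t.netloc != request_host:  # a mangled host (e.g. 'XXX.XXX.XXX.XXXtest') lands here
        problems.append(f"host changed to {t.netloc!r}")
    got = t.path + (f"?{t.query}" if t.query else "")
    if got != request_target:
        problems.append(f"redirect target {got!r} does not preserve {request_target!r}")
    return problems

def audit_response(raw, request_host, request_target):
    """Parse a raw response head and check it as an HTTP->HTTPS redirect."""
    status, headers = parse_status_and_headers(raw)
    return check_https_redirect(request_host, request_target, status,
                                headers.get("location", ""))

# Constructed response head modelled on the first (slash-less) curl output above.
SAMPLE_BROKEN = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://XXX.XXX.XXX.XXXtest\r\n"
                 "Content-Type: text/html; charset=iso-8859-1\r\n\r\n")

if __name__ == "__main__":
    for problem in audit_response(SAMPLE_BROKEN, "XXX.XXX.XXX.XXX", "/test"):
        print("problem:", problem)
```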
Reference: Benjamin_Loison/certbot#6