Force https

I know this question has been asked a million times, but I can’t find an answer to my particular situation. Besides blocking port 80 (which I don’t want to do), I see the answer is to add VirtualHost to a conf file in /etc/httpd. The problem is that I don’t have an httpd folder (Debian 10). I tried adding VirtualHost redirect to /etc/Apache2/apache2.conf but that didn’t work.

How can I force https?

Indeed, Apache is apache2 in Debian-based OSes, just

https://linuxize.com/post/redirect-http-to-https-in-apache/

Where the important bit is

<VirtualHost *:80> 
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

Make sure you have legitimate certs installed. If you need to, keep 80 open for your ACME client on HTTP-01, or better, use DNS-01.

Thanks! So I added this to apache2.conf:

<VirtualHost *:80>
  ServerName sub.example.com
  ServerAlias sub.example.com
  Redirect permanent / https://sub.example.com/
</VirtualHost>

At first, apache2 wouldn’t restart, so I had to:

sudo a2enmod ssl

Then it restarted successfully. But when I went to access the site, while it redirects from http, I get this error in my browser: ERR_SSL_PROTOCOL_ERROR

curl https://sub.example.com shows:

virtualhost ssl3_get_record:wrong version

It means your cert has problems. What type of cert is this and who issued it?

Let’s Encrypt. I used Admin > Certificate Management in the FreePBX interface. I also noticed that I could access via the IP address (GCP cloud instance), but http only. So I edited /etc/hosts and for 127.0.0.1 I changed localhost to my sub.example.com but that didn’t make a difference with anything.

FYI, I deleted the default self signed certificate in the Certificate Management module yesterday because I thought I had to… was I supposed to keep it?

It’s working now. I had to delete my certificate in the Certificate Management (made sure there were no certificates), and then I used CertBot to add the certificate instead.

Then I added the following to /etc/apache2/apache2.conf:

#secure SSL access
<VirtualHost *:443>
     ServerAdmin [email protected]
     ServerName sub.example.com
     ServerAlias sub.example.com
     SSLCertificateFile /etc/letsencrypt/live/sub.example.com/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.com/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/sub.example.com/fullchain.pem
</VirtualHost>

#http redirect
<VirtualHost *:80>
     ServerName sub.example.com
     ServerAlias sub.example.com
     Redirect permanent / https://sub.example.com/
</VirtualHost>

#disable access by IP address
<VirtualHost *:80>
     ServerName 11.222.33.444
     <Location />
        Require all denied
     </Location>
</VirtualHost>

#disable access by IP address
<VirtualHost *:443>
     ServerName 11.222.33.444
     <Location />
        Require all denied
     </Location>
</VirtualHost>

It seems that there is a problem on some distros with using the Certificate Management module for generating HTTP-01 certificates, if I’m understanding this forum post correctly. And that the Certificate management console does not support DNS-01.

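An added example, not part of the original thread and not FreePBX or Apache code: a small Python lint for a config like the one posted above, checking that each port-80 Redirect lands on a :443 vhost whose certificate and key directives each carry exactly one path. The sample configs are constructed and the function names are hypothetical.

```python
import re
# Constructed samples modelled on the thread; the second has a key path split by a stray space.
REDIRECT_ONLY = """
<VirtualHost *:80>
  ServerName sub.example.com
  Redirect permanent / https://sub.example.com/
</VirtualHost>
"""
SPLIT_KEY_PATH = REDIRECT_ONLY + """
<VirtualHost *:443>
  ServerName sub.example.com
  SSLCertificateFile /etc/letsencrypt/live/sub.example.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.com /privkey.pem
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Yield (port, {directive: [args, ...]}) for each <VirtualHost> block."""
    for port, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0][0] not in "#<":  # skip comments and nested sections
                directives.setdefault(parts[0].lower(), []).append(parts[1:])
        yield int(port), directives

def lint_redirects(conf):
    """Check that each :80 Redirect lands on a :443 vhost with usable cert/key paths."""
    vhosts = list(parse_vhosts(conf))
    tls = {}  # hostname -> directives of the :443 vhost that serves it
    for port, d in vhosts:
        if port == 443:
            for args in d.get("servername", []) + d.get("serveralias", []):
                tls.update({name.lower(): d for name in args})
    findings = []
    for port, d in vhosts:
        for args in d.get("redirect", []) if port == 80 else []:
            m = re.match(r"https://([^/:]+)", args[-1]) if args else None
            if not m:
                findings.append("redirect target is not an https:// URL")
            elif m.group(1).lower() not in tls:
                findings.append(f"no :443 vhost for {m.group(1)}")
            else:
                for key in ("sslcertificatefile", "sslcertificatekeyfile"):
                    # exactly one occurrence with exactly one argument
                    if [len(a) for a in tls[m.group(1).lower()].get(key, [])] != [1]:
                        findings.append(f"{key} missing or malformed for {m.group(1)}")
    return findings
```

Running `apachectl configtest` before restarting remains the authoritative syntax check; this lint only covers the redirect-to-TLS pairing.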

A couple of small to large problems with that solution: FreePBX expects its cert and key (as *.crt and *.key) in /etc/asterisk/keys so the certman module can properly import and link them into /etc/asterisk/keys/integration; you will need that for seamless TLS connections and WebRTC. It is better if your ACME client and webserver follow these ‘conventions’.

I suggest that to get an A+ at

https://www.ssllabs.com/ssltest/

you can template your TLS services, be they whatever, via

https://ssl-config.mozilla.org/

If you use the certbot ACME client, I don’t think they yet provide stapling support, so leave that off.

The Force HTTPS option is in the latest System Admin module versions on FreePBX 15, if that’s what you were looking for.

Alas, that won’t help on Debian 10.
