Redirect http to https after installing Let's Encrypt Certificate?

We just set up Let’s Encrypt and it’s working fine, except our users are going to http and getting “forbidden”. Is there a way to redirect it to https automatically? Also, can we have a second Let’s Encrypt certificate? For example, we have a DNS entry for the UCP called UCP.domain.com and the default Let’s Encrypt is Pbx.domain.com, or do we have to have one?

You need to redirect with a 301 any connections to http to https.

You can have as many certs as you want that can verify any URL and any service you have control over; how you implement that is a function of whatever service answers connections to those https (and indirectly your http) connections. Mostly your simple web server will handle a ‘singleton’, but some prefer an authoritative ‘reverse proxy’ at your point of ingress for more security and more granularity.

Use the force options available in Port Mgmt. You can only have a single certificate installed.

Perhaps more correct to say "the distro’s sysadmin and certificates modules only support one installed certificate".

Setting it to force doesn’t redirect it. I get:

Forbidden

You don’t have permission to access /.noindex.html on this server.

Since the distro only supports 1, can I have it have other entries? It’s the same domain name. Could I have pbx.domain.com and ucp.domain.com on the same cert?

I can’t answer that as I don’t use it but wildcard certs ARE available from letsencrypt, but I find that TLS transport doesn’t always like them and I don’t believe the FreePBX acme client is capable of handling them properly.

There is nothing wrong with using separate domains for provisioning, your mail server, management and your customer-facing interface, id est UCP. They can all redirect to the same IP, but just don’t let any IP connections to http leak your protected https services.

IWFM 🙂

Adding it to the alternative names fixed it; the other domain now has the cert as well. Now if I can only get the redirect to work lol

There is no restriction on the number of certs on a system, but sysadmin will only allow you to configure one cert for Apache. Redirect is pretty simple, choose the https address and toggle the arrow button:

Test at bash with

# curl http://localhost
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://freepbx.<redacted>.com:443/">here</a>.</p>
</body></html>

Okay, that’s all working now except I need ucp.domain.com to automatically redirect to ucp.domain.com/ucp. Is that done in ssl.conf or in the freepbx.conf file? I was able to redirect the admin page by doing the following in the freepbx.conf file:

<VirtualHost *:80>
 RewriteEngine on
 # Only act on plain-http requests (always true on this port, but harmless)
 RewriteCond %{HTTPS} !=on [NC]
 # Send /admin and everything under it to the same path over https
 RewriteRule ^/admin(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

I installed another cert but it says it’s “unsecure”

You can’t do that directly in sysadmin, but you can do it by creating the file /var/www/html/index_custom.php with the following:

<?php
// Redirect the site root to the UCP application; other paths such as /admin are unaffected.
$basename = pathinfo($_SERVER['PHP_SELF'], PATHINFO_DIRNAME);
// Keep any sub-directory prefix the site is served from; "/" or empty means none.
$uri = (!empty($basename) && $basename != '/') ? $basename . '/ucp' : '/ucp';
header('Location: ' . $uri);
// Stop here so nothing after the redirect header is sent to the client.
exit;

Whenever anyone browses to root, it will redirect to /ucp. From that point on, the admins will have to manually browse to /admin to get to the admin gui.

Okay that works, what about redirecting http to https? That seems to break that now and I get “not secure”. So close! lol

Not sure what to tell you, redirect works exactly as expected for me in sysadmin.

Doesn’t work for me. I’m getting:

Forbidden

You don’t have permission to access /.noindex.html on this server.

Can you provide the output of fwconsole sa ports?

+----------+-------------+-------------+
| Port     | Name        | Force https |
+----------+-------------+-------------+
| 82       | restapps    | Disabled    |
| 83       | restapi     | Disabled    |
| 81       | ucp         | Enabled     |
| 8888     | acp         | Enabled     |
| 84       | hpro        | Disabled    |
| 80       | leport      |             |
| disabled | sslrestapps |             |
| disabled | sslrestapi  |             |
| 4443     | sslucp      |             |
| 443      | sslacp      |             |
| disabled | sslhpro     |             |
| disabled | sslsngphone |             |
+----------+-------------+-------------+

You have port 80 dedicated to LE cert renewal, browsing to it will get you nothing. What are you trying to accomplish here? I suspect you want 80 and 443 set for UCP with redirect enabled.

Doesn’t Let's Encrypt need to be on port 80 so it can auto-renew? UCP is on 81. I just want that when you go to https://ucp.domain.com it should redirect to https://ucp.domain.com. What needs to be changed?

Do you mean

I just want that when you go to http://ucp.domain.com it should redirect to https://ucp.domain.com

?

80 should only be redirected to the letsencrypt thingy if so called for; other connections should get a correct 301.
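To make the last two replies concrete, here is an added example Apache configuration. It is not from this thread and not FreePBX's own generated configuration (the sysadmin module writes its own files, so check where it expects customisations before hand-editing). It shows the split the thread is asking for: port 80 serves ACME HTTP-01 challenge files directly and answers every other request with a 301 to https, and the https UCP host sends its root to /ucp while leaving /admin alone. The host names, certificate paths, the use of ports 80/443 for UCP (as suggested above rather than 81/4443), and the Apache 2.4 module set are assumptions.

```apache
# Added example, not part of the original thread or of FreePBX's own
# generated configuration. Assumes Apache 2.4 with mod_rewrite, mod_alias,
# mod_headers and mod_ssl; host names and certificate paths are placeholders.

# Plain http: answer ACME HTTP-01 challenges here, 301 everything else.
<VirtualHost *:80>
    ServerName  pbx.example.com
    ServerAlias ucp.example.com
    DocumentRoot /var/www/html

    RewriteEngine On

    # Leave the challenge path on plain http so certificate renewal never
    # depends on the https side being up or on the redirect being correct.
    RewriteRule ^/\.well-known/acme-challenge/ - [L]

    # Redirect only for names this host really serves. Using %{HTTP_HOST}
    # without this check reflects whatever Host header a client sends into
    # the Location header, which is an open redirect.
    RewriteCond %{HTTP_HOST} ^(pbx|ucp)\.example\.com$ [NC]
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

# https UCP host: the root goes to the UCP app; /admin is left alone.
<VirtualHost *:443>
    ServerName ucp.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder paths; point these at the certificate sysadmin installed.
    SSLCertificateFile    /etc/ssl/certs/ucp.example.com-fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/ucp.example.com.key

    # Tell browsers to stay on https for this name after the first visit.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Only the exact root is redirected, so /admin and /ucp/... keep working.
    RedirectMatch 302 ^/$ /ucp/
</VirtualHost>
```

Three curl checks cover the behaviour that went wrong in this thread: `curl -sI http://pbx.example.com/` should return `301` with `Location: https://pbx.example.com/`; `curl -sI http://pbx.example.com/.well-known/acme-challenge/test` should return a plain `404` rather than a redirect (a `3xx` there means renewal traffic is being bounced); and `curl -sI -H 'Host: evil.example' http://<server-ip>/` should not return a `Location:` pointing at evil.example, which confirms the Host check is doing its job.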