First, I’m running a standard installation of Debian 10 with only Checkmk (and Certbot) on it and got errors for the line RequestHeader set X-Forwarded-Proto "https"—I had to activate Apache’s header module: sudo a2enmod headers.
Second, I still haven’t gotten it to work and I don’t know what’s missing—maybe one of you could point me in the right direction?
There are a few threads on the forums, some are a few years old and stuff doesn’t seem to work anymore.
I’m using Ubuntu and didn’t manipulate the file 000-default.conf because I prefer it stays like it is.
I did a2dissite 000-default.conf and then added two files below /etc/apache2/sites-available:
redirect-to-ssl.conf redirects all HTTP traffic (port 80) to HTTPS (port 443):
<VirtualHost *:80>
    ServerName my.server.name
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>
And my.server.name-ssl.conf to handle that SSL traffic:
<VirtualHost *:443>
    ServerName my.server.name
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/my.server.name/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.server.name/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
Then I did
a2enmod ssl
a2ensite redirect-to-ssl.conf
a2ensite my.server.name-ssl.conf
systemctl restart apache2.service
Of course you have to adapt the SSL file paths to yours.
You may also want to try apachectl configtest to check the configuration.
Update: In a previous version I wrote systemctl status apache2. Of course it is restart.
I don’t have a /etc/letsencrypt/options-ssl-apache.conf, so I had to comment out that particular line. Also, https://my.server.name still shows the default page of Apache—what would be the preferred way to redirect directly to a particular site?
To be honest, I have no idea. I’m using LetsEncrypt via Certbot as well and I have that file.
I wouldn’t care as long as my certificates are all valid and certbot runs without errors.
The header of the file says
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
and then mainly defines settings for the following parameters:
SSLProtocol
SSLCipherSuite
SSLHonorCipherOrder
SSLCompression
Maybe run certbot renew manually and/or have a look into /var/log/letsencrypt/letsencrypt.log to see if it complains somehow.
Just a quick follow-up: I hadn’t installed the package python-certbot-apache and ran certbot standalone. Did install the package just now and re-ran certbot.
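The thread above turns on an Include line for options-ssl-apache.conf that was commented out, and that file is where SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder and SSLCompression are defined. The script below is an added example, not code from any poster: it reports whether those four directives are set in a vhost file or in the files it includes. The function names are hypothetical, Include paths are assumed to be literal and unquoted, and server-wide settings outside the vhost are not considered.

```shell
#!/bin/sh
# Added example (not from the thread): report which TLS directives an Apache
# vhost file gets, directly or via its Include lines.
# Assumptions: Include paths are literal and unquoted (no wildcards, no spaces).

TLS_DIRECTIVES="SSLProtocol SSLCipherSuite SSLHonorCipherOrder SSLCompression"

# Print targets of uncommented Include / IncludeOptional lines.
include_targets() {
    awk 'tolower($1) ~ /^include(optional)?$/ { print $2 }' "$1"
}

# Print "<directive> set|MISSING" per directive and "include-missing <path>"
# for Include targets that do not exist. Returns 1 if anything is missing.
check_tls_directives() {
    vhost=$1; rc=0; files=$vhost
    for inc in $(include_targets "$vhost"); do
        if [ -f "$inc" ]; then
            files="$files $inc"
        else
            echo "include-missing $inc"; rc=1
        fi
    done
    for name in $TLS_DIRECTIVES; do
        # $files is split on purpose: one argument per config file.
        if awk -v n="$name" 'tolower($1) == tolower(n) { f = 1 } END { exit !f }' $files; then
            echo "$name set"
        else
            echo "$name MISSING"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: a vhost whose Include line is commented out.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '<VirtualHost *:443>' 'SSLEngine on' \
        '# Include /etc/letsencrypt/options-ssl-apache.conf' \
        '</VirtualHost>' > "$dir/vhost.conf"
    status=0
    check_tls_directives "$dir/vhost.conf" || status=$?
    rm -rf "$dir"
    return $status
}

# With a file argument, check that file; otherwise run the constructed demo.
if [ "$#" -gt 0 ]; then check_tls_directives "$1"; else demo || true; fi
```

Run it with the path of the SSL vhost file as its only argument; a non-zero exit status means at least one directive or Include target is missing from that vhost.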