Site down after running Bitnami HTTPS Configuration Tool

Keywords: WordPress Multisite - Google Cloud Platform - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: 733563d9-66ad-85cf-efa0-3f65c7e9f769
Description:
The tool ran successfully without warnings, but afterwards the website cannot be accessed.

I stopped and restarted the VM, but it still fails.
Troubleshooting: https://docs.bitnami.com/general/how-to/understand-bncert/ (Certificates Not Renewed Automatically)
http://SERVER-IP cannot be accessed either. 35.233.158.242

I installed a Let's Encrypt certificate manually before running this tool; could that be the conflict? How should I resolve this?

Hi @mubiesam,

When running the Bitnami HTTPS configuration tool, you accepted forcing the redirection to https and www. when accessing your site. I think you configured WordPress to use the non-www domain and that's why you are getting a redirection loop (Apache redirects to https and www, and then WordPress says that the user should access the site using the non-www domain). Let's disable the www redirection to fix the issue. Please edit the /opt/bitnami/apache2/conf/bitnami/bitnami.conf file; it should look like this:

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  RewriteEngine On
  # BEGIN: Enable HTTP to HTTPS redirection
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
  RewriteCond %{REQUEST_URI} !^/\.well-known
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
  # END: Enable HTTP to HTTPS redirection
  # BEGIN: Enable non-www to www redirection
  #RewriteCond %{HTTP_HOST} !^www\. [NC]
  #RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
  #RewriteCond %{REQUEST_URI} !^/\.well-known
  #RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
  # END: Enable non-www to www redirection
...
<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  RewriteEngine On
  # BEGIN: Enable non-www to www redirection
  #RewriteCond %{HTTP_HOST} !^www\. [NC]
  #RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
  #RewriteCond %{REQUEST_URI} !^/\.well-known
  #RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
  # END: Enable non-www to www redirection
...

You will need to restart Apache after that

sudo /opt/bitnami/ctlscript.sh restart apache

Happy to help!


Was my answer helpful? Click on :heart:

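To see why the two layers fight, here is a small model of the chain described in the answer above. It is an added example, not Bitnami's code: apache_redirect() encodes the two rule blocks in bitnami.conf (the HTTPS rule and the www rule that the answer comments out), and wordpress_redirect() is a simplified stand-in for WordPress's canonical redirect to the host configured in its site URL (the real one also normalises paths, which is ignored here). The hostnames are the ones from this thread; the function names and simplifications are mine.

```python
"""Model of the redirect loop from the answer above.

Added example, not Bitnami's code. apache_redirect() mirrors the two rule
blocks in bitnami.conf; wordpress_redirect() is a simplified stand-in for
WordPress's canonical redirect (any request for a host other than the
configured site host is sent back to that host). Function names and the
simplifications are mine; the hostnames are the thread's.
"""
from urllib.parse import urlsplit, urlunsplit

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def apache_redirect(url, www_redirect):
    """Location Apache sends for url, or None when it serves the request.

    www_redirect=True models the "Enable non-www to www redirection" block
    being active in both the :80 and :443 virtual hosts.
    """
    p = urlsplit(url)
    host = p.hostname or ""
    exempt = host in LOCAL_HOSTS or p.path.startswith("/.well-known")
    if p.scheme == "http" and not exempt:
        # RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]   (L: stop here)
        return urlunsplit(("https", p.netloc, p.path, p.query, ""))
    if www_redirect and not exempt and not host.startswith("www."):
        # RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
        return urlunsplit((p.scheme, "www." + p.netloc, p.path, p.query, ""))
    return None


def wordpress_redirect(url, site_host):
    """Simplified WordPress canonical redirect: wrong host -> site host."""
    p = urlsplit(url)
    if p.hostname != site_host:
        return urlunsplit((p.scheme, site_host, p.path, p.query, ""))
    return None


def follow(url, site_host, www_redirect, max_hops=10):
    """Walk the redirect chain. Returns (final_url, chain, looped)."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = apache_redirect(url, www_redirect) or wordpress_redirect(url, site_host)
        if nxt is None:
            return url, chain, False        # somebody finally served a page
        chain.append(nxt)
        if nxt in seen:
            return nxt, chain, True         # revisited a URL: a loop
        seen.add(nxt)
        url = nxt
    return url, chain, True                 # gave up, as a browser would


if __name__ == "__main__":
    for www in (True, False):
        final, chain, looped = follow("http://johocen.com/", "johocen.com", www)
        print(f"www redirect {'on ' if www else 'off'}: {' -> '.join(chain)}"
              f"{'  (LOOP)' if looped else ''}")
```

With the www block active the chain is http://johocen.com/ -> https://johocen.com/ -> https://www.johocen.com/ -> https://johocen.com/ and never terminates; with it commented out (or with WordPress's site URL set to the www host) it ends after one hop. On a live server the equivalent check is `curl -sIL --max-redirs 10 http://johocen.com/`: Location headers alternating between the www and non-www host until curl gives up are this loop.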

@jota thanks for the reply, it solved the problem for the main site https://johocen.com/
But for all the sub sites, HTTPS is not working (insecure):
https://booking.johocen.com/
https://webiz.johocen.com/

What else do I need to do?

Hi @jota
I have a modified force-HTTPS redirection in /opt/bitnami/apps/wordpress/conf/httpd-prefix.conf:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"
#Alias /wordpress/ "/opt/bitnami/apps/wordpress/htdocs/"
#Alias /wordpress "/opt/bitnami/apps/wordpress/htdocs"

Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"

Should I change it back to the original Multisite setting?

Hi @jota
Sorry to bother you, but it is really urgent since the sub sites have been down for more than 24 hours.
Does this tool support HTTPS for subdomains?

@jota Finally I solved the problem by adding the sub domains one by one to the domain list while running the tool, but this was not necessary when I installed the Let's Encrypt certificate manually before.

Does this mean I will need to run the tool every time I want to add a new sub site?

Hi @mubiesam,

I don't know how you configured the SSL certificate in the past. AFAIK, you can use wildcards when setting the domains; that way you will generate a certificate valid for all the subdomains you have. You will need to set johocen.com as the primary domain and then *.johocen.com.

If you use johocen.com only, you will generate a certificate that is valid only for that domain; test.johocen.com is not included in the certificate, and that's why you get the error message about the site being insecure.

I hope this information helps
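The reason a certificate issued for johocen.com alone leaves booking.johocen.com "insecure" is the name-matching rule a browser applies to the certificate's Subject Alternative Names. The following is an added example (not Bitnami's or lego's code) that encodes that rule and reports which of a site's hostnames a given SAN list leaves uncovered. The SAN lists in the usage are constructed from the thread's hostnames; live_sans() fetches the SANs a server actually presents. One detail worth noting: *.johocen.com covers booking.johocen.com but neither johocen.com itself nor a.b.johocen.com, which is why both johocen.com and *.johocen.com have to be requested.

```python
"""Which hostnames does a certificate's SAN list cover?

Added example, not Bitnami's or lego's code. san_matches() implements the
dNSName matching rule browsers apply (RFC 6125 style): a wildcard replaces
exactly one label, only the left-most one, and never the bare domain.
"""
import socket
import ssl


def san_matches(san, host):
    """True if a single SAN dNSName entry covers host."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # "*.johocen.com" -> ".johocen.com"
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]           # what the wildcard stands for
        return left != "" and "." not in left  # exactly one non-empty label
    return san == host


def uncovered_hosts(sans, hosts):
    """Hosts not covered by any SAN, in input order."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def live_sans(host, port=443, timeout=10):
    """DNS SANs the server at host:port presents (network call).

    The chain is still verified against the system CA store; only the
    hostname check is disabled so a mis-scoped but valid certificate
    (the situation in this thread) can be inspected instead of raising.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    site_hosts = ["johocen.com", "booking.johocen.com", "webiz.johocen.com"]
    # Constructed SAN lists: what bncert issued for the bare domain, and a wildcard cert.
    for sans in (["johocen.com"], ["johocen.com", "*.johocen.com"]):
        print(sans, "leaves uncovered:", uncovered_hosts(sans, site_hosts))
    # For a live check: print(uncovered_hosts(live_sans("johocen.com"), site_hosts))
```

Run against the sub sites from the thread, the single-name certificate leaves booking.johocen.com and webiz.johocen.com uncovered, while the pair johocen.com plus *.johocen.com covers all three.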

Hi @jota
It seems wildcards are not accepted.
Domain list []: johocen.com *.johocen.com
Warning: Please enter valid domains
Press [Enter] to continue:

Hi @mubiesam,

Sorry for the wrong information, I was not aware of that. Our HTTPS configuration tool uses HTTP or TLS verification, and those methods don't support wildcards:

https://letsencrypt.org/es/docs/challenge-types/

Yes, if you want to use our tool, you will need to run the tool every time you want to add a new domain.

You were probably using certbot and DNS verification before. You can follow our alternative approach to configure the SSL domains:

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

However, the commands we have in the documentation use the TLS challenge; you will need to use the DNS challenge when running the commands and configure DNS verification on your DNS provider's site.

Note: if you don't want to use the Bitnami HTTPS configuration tool anymore, you will need to remove the renew command from the cron file:

sudo crontab -l

Let us know if you have any questions

Hi @jota

The alternative approach you suggested, https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach
Does it support wildcards? It seems it also needs all the domains entered, "as many times as the number of domains you want to specify."

We are using RPA for adding new sites, so it's important to avoid too many additional procedures such as running the HTTPS configuration tool for every new site. (It would be nice if you mentioned that wildcards are not supported by this tool.)

If we don't want to use this tool anymore, will removing the renew command (sudo crontab -l) be enough to go back to the original status? Or should we remove all the tool-related folders and files?

Thanks

Hi @jota

I got "no crontab for root" after running "sudo crontab -l"; can you tell me where the crontab is located?

Thanks

Hi @jota
In the troubleshooting section for this tool there is
"Manually Revoking An Existing Certificate"
If we don't want to use this tool anymore, do we need to change these 2 lines?
SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

Your earlier response is highly appreciated.

Hi @mubiesam,

The alternative approach uses the lego tool. It's a client written in Go that allows you to generate Let's Encrypt certificates. It supports other challenge types, like the DNS one, which allows you to use wildcards:

https://github.com/go-acme/lego
https://letsencrypt.org/es/docs/challenge-types/

I mentioned that our guide uses the TLS challenge, so you will need to use the DNS one when running the lego tool.

Well, our tool takes care of creating the SSL certificates, configuring the web server and configuring the renewal process. I told you to remove the line in the cron job so that the renewal is not performed (because you will use a different tool to generate the new certificates and configure the renewal process, so removing the existing cron job avoids problems), but the certificates will be kept in the instance. Please note that they are just files that contain the information about your domain.

OK, can you check the bitnami user's crontab?

sudo crontab -l -u bitnami

If you revoke the certificates and use the dummy ones we include, you will run into the security issues you had before. I'd keep the certificates while you generate the new ones using the wildcard. This way you will be able to access your current domains using HTTPS. Once you have the new certificates with the wildcard, you can change Apache's configuration to start using them.

Happy to help!


Was my answer helpful? Click on :heart:

Hi @jota
Sorry to bother you so much, but I do need your help to get through this complication.

This is what I did…

sudo crontab -l -u bitnami

0 0 1 * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="mubiesam@gmail.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=johocen.com renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful # bncert-autorenew

sudo /opt/bitnami/letsencrypt/lego --dns --email="mubiesam@gmail.com" --domains="johocen.com" --domains="*.johocen.com" --path="/opt/bitnami/letsencrypt" run
2019/09/13 03:49:39 You have to pass an account (email address) to the program using --email or -m

Not sure what to do here; is it because I changed --tls to --dns?
There are no instructions in the Alternative Approach for using dns instead of tls.

Thanks

Hi @mubiesam,

First of all, remember to remove the lego line from the crontab when we finish creating the new certificates. You can simply edit the file by running this command:

sudo crontab -e -u bitnami

Note: we were using the -l option previously to list the lines but the -e option allows you to edit the file.

You are missing some parameters when running the lego command. You will need to set the provider and provide the required information:

Credentials for DNS providers must be passed through environment variables.

To display the documentation for a DNS providers:

  $ lego dnshelp -c code

All DNS codes:
  acme-dns, alidns, auroradns, azure, bindman, bluecat, cloudflare, cloudns, cloudxns, conoha, designate, digitalocean, dnsimple, dnsmadeeasy, dnspod, dode, dreamhost, duckdns, dyn, easydns, exec, exoscale, fastdns, gandi, gandiv5, gcloud, glesys, godaddy, hostingde, httpreq, iij, inwx, joker, lightsail, linode, linodev4, manual, mydnsjp, namecheap, namedotcom, namesilo, netcup, nifcloud, ns1, oraclecloud, otc, ovh, pdns, rackspace, rfc2136, route53, sakuracloud, selectel, stackpath, transip, vegadns, versio, vscale, vultr, zoneee

More information: https://go-acme.github.io/lego/dns

You can either review the lego documentation, ask in its forum to learn more about that, follow the approach of this other user who followed the Lightsail documentation (please note that you are using Google), or use the same method you used in the past to generate the certificates.

I hope it helps

Hi @jota

Thank you for the explanation, but sorry for my poor English and lack of technical background; I'm still not quite sure after studying all the documents. Please correct me if anything is wrong in the steps I'm going to do:

  1. Obtain a certificate using the DNS challenge

    sudo /opt/bitnami/ctlscript.sh stop
    NAMESILO_API_KEY=xxxxxxxxxxxa84330febba8a83208921177bffe733
    sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run
    Is the Additional Configuration necessary, as stated in https://go-acme.github.io/lego/dns/namesilo/ ?

  2. Configure The Web Server To Use The Let’s Encrypt Certificate For Apache:

    sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
    sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
    sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.key /opt/bitnami/apache2/conf/server.key
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.crt /opt/bitnami/apache2/conf/server.crt
    sudo chown root:root /opt/bitnami/apache2/conf/server*
    sudo chmod 600 /opt/bitnami/apache2/conf/server*
    sudo /opt/bitnami/ctlscript.sh start

  3. Test The Configuration

  4. Renew The Let’s Encrypt Certificate

    sudo /opt/bitnami/ctlscript.sh stop
    sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90
    sudo /opt/bitnami/ctlscript.sh start

  5. Create a script

    sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
    Save the following content into script

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache
  6. Make the script executable:

    chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
    sudo crontab -e -u bitnami

  7. Add the following lines to the crontab file and save it:

0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

But where is the crontab file located?

Thanks

Hi @jota
I tried

NAMESILO_API_KEY=xxxxxxxxxxx \
sudo /opt/bitnami/letsencrypt/lego --dns="namesilo" --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run 

But got

namesilo: some credentials information are missing: NAMESILO_API_KEY

Your help is highly appreciated.

Hi @mubiesam,

Try this command

sudo NAMESILO_API_KEY=xxxxxxxxxxx /opt/bitnami/letsencrypt/lego --dns="namesilo" --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run

And ensure that you don't also need to set the API key when renewing the certificate.

Thanks

Hi @jota

Do you mean that supposedly I should set the API key when renewing the certificate? Or where can I find the instructions to make sure?

I think you will need to set the API key value when running the renew command. You can try to renew the certificate once you finish creating it; this command will allow you to run the renewal process:

sudo NAMESILO_API_KEY=xxxxxxxxxxx /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90

If it doesn’t return any error, you are good to go.
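Putting the thread's final procedure together, below is an added example of a renewal wrapper for the lego DNS-01 flow (not Bitnami's renew-certificate.sh and not lego's code). It assumes the NameSilo key is kept in /etc/lego/namesilo.env (a path chosen for this example) as a `NAMESILO_API_KEY=...` line, owned by root with mode 0600, and that the script is run from root's crontab, for instance `0 0 1 * * /usr/local/sbin/renew-wildcard.py` (also an assumed path). It addresses the three things that went wrong above: the key is loaded from a permission-checked file rather than typed on a command line or stored in the crontab (note that `VAR=x sudo cmd` silently drops the variable because sudo resets the environment, and `sudo VAR=x cmd` only works when sudoers permits it); the key is supplied on renew as well, since DNS-01 re-runs the challenge on every issuance; and Apache is reloaded gracefully instead of stopped, because the DNS challenge never needs port 80.

```python
#!/usr/bin/env python3
"""Wildcard certificate renewal via lego's DNS-01 challenge (NameSilo).

Added example, not Bitnami's renew-certificate.sh. Assumed (not from the
thread): credentials file /etc/lego/namesilo.env containing
NAMESILO_API_KEY=..., root-owned, mode 0600; run from root's crontab.
"""
import os
import stat
import subprocess
import sys

LEGO = "/opt/bitnami/letsencrypt/lego"
LEGO_PATH = "/opt/bitnami/letsencrypt"
HTTPD = "/opt/bitnami/apache2/bin/httpd"
HTTPD_CONF = "/opt/bitnami/apache2/conf/httpd.conf"
CRED_FILE = "/etc/lego/namesilo.env"           # assumed location
EMAIL = "mubiesam@gmail.com"
DOMAINS = ["johocen.com", "*.johocen.com"]    # base domain first: it names the output files


def cred_file_ok(path, require_root=True):
    """Refuse a credentials file that group/other can read or that root does not own."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if require_root and st.st_uid != 0:
        return False
    return not (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def load_env_file(path):
    """Parse KEY=value lines into a dict (no shell expansion, quotes stripped)."""
    env = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env


def lego_args(action, days=30):
    """argv for lego; on renew, re-issue only when fewer than `days` remain."""
    args = [LEGO, "--dns", "namesilo", f"--email={EMAIL}", f"--path={LEGO_PATH}"]
    args += [f"--domains={d}" for d in DOMAINS]
    args.append(action)
    if action == "renew":
        args += ["--days", str(days)]
    return args


def main(action="renew"):
    if not cred_file_ok(CRED_FILE):
        sys.exit(f"{CRED_FILE} must exist, be owned by root and be mode 0600")
    env = dict(os.environ)
    env.update(load_env_file(CRED_FILE))       # key reaches lego via env only
    if not env.get("NAMESILO_API_KEY"):
        sys.exit("NAMESILO_API_KEY missing from credentials file")
    subprocess.run(lego_args(action), env=env, check=True)
    # server.crt/server.key are symlinks into certificates/, so a graceful
    # reload is enough for Apache to pick up the new files; no downtime.
    subprocess.run([HTTPD, "-f", HTTPD_CONF, "-k", "graceful"], check=True)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "renew")
```

Run it once with `run` as the argument to issue the first certificate, point server.crt and server.key at the files under /opt/bitnami/letsencrypt/certificates/ as in the steps above, then let cron call it with no argument. With `--days 30` lego only re-issues when fewer than 30 days of validity remain; the `--days 90` used earlier in the thread would re-issue on every run of the job.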