<snip>

The first thing that strikes me is that this virtualhost is only for
port 80. Port 443 (https) connections aren't going to hit this vhost
at all, I don't think. Where do port 443 connections go?

[PJL] Yes, you’re right, I didn’t include the SSL VirtualHost, which is pretty much identical, but with SSL certificates and configured and the RewriteConds commented out:

DocumentRoot /var/www/savouredescapes

ServerName www.savouredescapes.com

ServerAlias savouredescapes.com origin-www.savouredescapes.com www-test.savouredescapes.com

AllowOverride All

</Directory>

ErrorDocument 403 /error/noindex.html

ErrorLog ${APACHE_LOG_DIR}/savouredescapes-error.log

CustomLog ${APACHE_LOG_DIR}/savouredescapes-access.log combined

RewriteEngine on

# Some rewrite rules in this file were disabled on your HTTPS site,

# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =savouredescapes.com [OR]

# RewriteCond %{SERVER_NAME} =origin-www.savouredescapes.com [OR]

# RewriteCond %{SERVER_NAME} =www.savouredescapes.com [OR]

# RewriteCond %{SERVER_NAME} =www-test.savouredescapes.com

# RewriteRule ^ https://www.savouredescapes.com%{REQUEST_URI} [END,NE,R=permanent]

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/savouredescapes.com/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/savouredescapes.com/privkey.pem

</VirtualHost>

</IfModule>

Note: Let’s Encrypt sets up the redirect rules for the HTTP virtual host (I edit the RewriteRule to go to the specific www URI I want, rather than using the generic ${SERVER_NAME} URI Let’s Encrypt adds by default), and comments them out in the HTTPS virtual host, to avoid potential redirect loops, as per the comment. I think I could re-enable these rules without creating those loops, but as you point out below, it doesn’t seem that Apache’s doing the redirects anyway, so maybe this config is all just pointless and should be removed.