Textpattern CMS support forum

#13 2016-06-08 13:29:07

jpdupont
Member
Registered: 2004-10-01
Posts: 752

Re: rewrite http to https

Destry wrote #299616:

Btw, if anyone would like a tutorial on the LE certs with WebFaction, let me know. I have a knack for taking developer notes and making them 10x more understandable after wrestling through the process myself. ;)

I’m interested in your tutorial on Webfaction.
BTW, I just installed an LE cert on Infomaniak. It’s a one click and more than easy work!

Offline

#14 2016-06-08 14:30:22

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: rewrite http to https

jpdupont wrote #299625:

I’m interested in your tutorial on Webfaction. BTW, I just installed an LE cert on Infomaniak. It’s a one click and more than easy work!

WebFaction seems to be the odd one out on handling SSL certs. Seems to have caught them with their pants down. A lot of their customers have been pissing about it pretty heavily. So I know they’re working on some dashboard install solution now, but there’s been no commitment to say when it will be ready. So for those on WebFaction who want SSL certs, it’s kind of a different roads to the doghouse approach. All of which require some domains/websites juggling in the dashboard and time on the command-line with SSH, finished with a ticket to WF to finally activate your cert files.

Anyway, I’ll write up the tutorial after I’ve got all my redirection figured out. That’s part of the story, I think… The ending.

Offline

#15 2016-06-08 21:25:01

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: rewrite http to https

Missed this WebFaction doc for redirecting http to https.

It seems WF loves to handle everything by creating more and more “websites” and “applications” in its dashboard, which I find very confusing. I followed the doc all the way to step 1.13 and got errors when trying to save.

So I scrapped that and I skipped ahead to step 2.2, since I only needed rewrite rules anyway, and these worked like a charm:

RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

So to get both Class B and SSL redirects working right on WebFaction, this recipe works:

## Class B (no www) redirects
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

## Redirects for http to https
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Whew!

Offline
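
Added example (not part of the original posts or of WebFaction's documentation): a small Python model of the two-rule recipe in post #15 that traces the redirect chain for a starting URL and lists the hops made over plain HTTP. It assumes the front end sets `X-Forwarded-SSL: on` for HTTPS requests, ignores query strings, and uses the placeholder host `example.test`; `single_hop_rules` is a hypothetical variant whose www rule targets `https://` directly.

```python
import re
from urllib.parse import urlsplit

WWW = re.compile(r"^www\.(.+)$", re.I)   # same pattern as the Class B RewriteCond

def page_rules(scheme, host, path):
    """Recipe from post #15. Returns the 301 target, or None to serve the page."""
    m = WWW.match(host)
    if m:                                # Class B rule: target is hard-coded http://
        return f"http://{m.group(1)}{path}"
    if scheme != "https":                # stands in for X-Forwarded-SSL != on
        return f"https://{host}{path}"
    return None

def single_hop_rules(scheme, host, path):
    """Hypothetical variant: the www rule redirects straight to https://."""
    m = WWW.match(host)
    if m:
        return f"https://{m.group(1)}{path}"
    if scheme != "https":
        return f"https://{host}{path}"
    return None

def trace(rules, url, max_hops=5):
    """Follow redirects the way a browser would and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        u = urlsplit(chain[-1])
        target = rules(u.scheme, u.hostname, u.path or "/")
        if target is None:
            return chain
        chain.append(target)
    raise RuntimeError("redirect loop: " + " -> ".join(chain))

def plaintext_hops(chain):
    """Redirect targets (after the first request) that are fetched over http://."""
    return [u for u in chain[1:] if u.startswith("http://")]

if __name__ == "__main__":
    for start in ("http://example.test/", "http://www.example.test/a",
                  "https://www.example.test/a"):   # constructed sample URLs
        for name, rules in (("page", page_rules), ("variant", single_hop_rules)):
            chain = trace(rules, start)
            print(f"{name:8}", " -> ".join(chain), "| plaintext:", plaintext_hops(chain))
```

With the rules as posted, a request that starts on `https://www.` is sent to `http://` before it returns to `https://`; the variant reaches the same final URL in one hop.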

#16 2016-06-08 21:54:43

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,596
Website

Re: rewrite http to https

Cool! Glad you got it working and for teaching us WF-users something new. I’ll give that a try too some time.

Firefox shows a yellow warning triangle and notes that can be because not all elements (e.g. graphics) are from a secure source. Looking at the page infos, it seems there is just one: connective.svg that is being pulled in from graphicpush.com. If you host that yourself, you should have it. The other pages that don’t have that graphic get a green padlock. On discussion.csf.community a couple of graphics in your template just need switching to load via https: (or protocol-less if that works) to qualify. You already have those graphics (stripe and marquee_bg) loading fine via https on the other pages.


TXP Builders – finely-crafted code, design and txp

Offline

#17 2016-06-08 22:08:49

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: rewrite http to https

Good spots. Yeah, the connective.svg graphic is Kevin’s. Getting that from him has been surprisingly difficult. Maybe this will finally convince him. ;)

I’ll track the other two down now.

Offline

#18 2016-06-08 22:21:27

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,596
Website

Re: rewrite http to https

You should be able to just save it to your computer and upload it to txp (or whatever) and then change the src to csf.community.


TXP Builders – finely-crafted code, design and txp

Offline

#19 2016-06-09 06:58:37

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: rewrite http to https

jakob wrote #299633:

You should be able to just save it to your computer

Believe me, I have tried. I don’t know if it’s because it’s an .svg file, or he has some lock on it, or I’m just a dope, but I cannot seem to harvest it, just link to it.

In any case, Kevin has delivered!

Offline

#20 2016-09-03 15:38:03

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: rewrite http to https

jpdupont wrote #299625:

I’m interested in your tutorial on Webfaction.

Finally got around to it.

Offline

#21 2016-09-04 06:21:26

jpdupont
Member
Registered: 2004-10-01
Posts: 752

Re: rewrite http to https

Thanks Destry!

Offline

#22 2016-09-06 12:34:30

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: rewrite http to https

Just a note. The LE instructions do not account for auto-requesting cert renewals with WebFaction, as I realized when the certs expired yesterday. For that you need to contact WF again as described in step 7 and request the necessary renewals. At least I think so. I’m doing that now to see if they’ll do it. Whatever the fallout, I’ll update the doc to account for the renewal hoop.

There is supposed to be a cron job you can do to handle the auto-renewal requests, apparently, but I’ve not been able to find the tutorial or have any idea how to create one (never worked with crons before).

—-

Edit: WebFaction renewed the certs quickly. Word from them is that my LE doc, notably the result of having installed the acme.sh script (step 3), should have enabled auto-renewal requests to WF, but it didn’t work for some reason. They suggested the acme.sh script might need updated, which is good advice, it’s a one-liner.

Anyway, I’ll just be maintaining the doc at this point with any further updates as they are learned.

Last edited by Destry (2016-09-06 14:15:02)

Offline

#23 2016-09-07 16:26:45

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: rewrite http to https

I lied. Back on this again, mainly because I need the collective wisdom…

I just came across this issue for the acme.sh script, which seems to indicate the script was set for renewals at 80 days, when in fact Let’s Encrypt requires renewals at 70 days?

That might explain why the script didn’t renew my certs, but not sure.

You can see in that issue I posed a couple of questions I’m confused about, but maybe someone here can shed light(?), because I actually ran the command he gives there, this one:

acme.sh --renew -d domain.tld --days 69 --force (correcting domains)

And got this back in Terminal:

$ acme.sh --renew -d csf.community -d www.csf.community -d discussion.csf.community -d www.discussion.csf.community   --days 69   --force
[Wed Sep  7 15:14:23 UTC 2016] Standalone mode.
[Wed Sep  7 15:14:23 UTC 2016] Skip register account key
[Wed Sep  7 15:14:23 UTC 2016] Creating csr
[Wed Sep  7 15:14:23 UTC 2016] Multi domain='DNS:www.csf.community'
[Wed Sep  7 15:14:23 UTC 2016] Verify each domain
[Wed Sep  7 15:14:23 UTC 2016] Getting webroot for domain='csf.community'
[Wed Sep  7 15:14:23 UTC 2016] Getting token for domain='csf.community'
[Wed Sep  7 15:14:25 UTC 2016] Getting webroot for domain='www.csf.community'
[Wed Sep  7 15:14:25 UTC 2016] Getting token for domain='www.csf.community'
[Wed Sep  7 15:14:26 UTC 2016] Verifying:csf.community
[Wed Sep  7 15:14:26 UTC 2016] Standalone mode server
[Wed Sep  7 15:14:35 UTC 2016] Success
[Wed Sep  7 15:14:35 UTC 2016] Skip for removelevel:
[Wed Sep  7 15:14:35 UTC 2016] Verifying:www.csf.community
[Wed Sep  7 15:14:35 UTC 2016] Standalone mode server
[Wed Sep  7 15:14:44 UTC 2016] Success
[Wed Sep  7 15:14:44 UTC 2016] Skip for removelevel:
[Wed Sep  7 15:14:44 UTC 2016] Verify finished, start to sign.
[Wed Sep  7 15:14:46 UTC 2016] Cert success.
-----BEGIN CERTIFICATE-----
remove the hash
-----END CERTIFICATE-----
[Wed Sep  7 15:14:46 UTC 2016] Your cert is in /home/user/.acme.sh/csf.community/csf.community.cer
[Wed Sep  7 15:14:46 UTC 2016] The intermediate CA cert is in /home/user/.acme.sh/csf.community/ca.cer
[Wed Sep  7 15:14:46 UTC 2016] And the full chain certs is there: /home/user/.acme.sh/csf.community/fullchain.cer

Whatever it did, it seems to have done it successfully. But I’m not sure if it updated the script with the shorter renewal time value and I don’t have to do anything else? Or do I need to notify WebFaction again with a renewal request on these latest changes?

On that last point, I guess if anyone is seeing a security notice (I’m not) when visiting a CSF link, for example, I probably need to request the renewal again with WebFaction.

Finally, the script update command the dev gives doesn’t seem to work, or I’m running it wrong. When I try this as given:

acme.sh --upgrade

(i.e. ~/.acme.sh/acme.sh --upgrade)

I get this response:

Unknown parameter : --upgrade

Am I doing it wrong, or is his script bad?

Offline
