Textpattern CMS support forum


#31 2018-09-03 12:32:32

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,209
Website

Re: http to https in textpattern

Jakob,

Thanks for that, and sorry about the extra work. We all <txp:love /> you for it.

Also, I’m just now seeing this post of yours from yesterday. Not sure how I missed that, but my posts probably seemed strange to you after that. Must have been my red lens filter blurring my vision.

Regarding your instructions, there’s one thing there seemingly different than how they set it up for me in the config file, or I’m just not getting it. But for the webapp root path (public) you have two paths for each site (migratio and integratio)? They only have one path for me for each webapp, and it’s the redirect webapp path. I’m not saying you’re wrong, but that does seem to be one difference.

Regarding the domains list, I was under the impression you could only put all sites concerning a single common domain name on a given certificate (e.g. domain1.tld, www.domain1.tld, sub1.domain1.tld, sub2.domain1.tld, etc). But it appears you have it working with multiple different domains too on a single cert? Interesting.

I actually only have three sites right now on a common domain, and they split them into separate config file certificates, for example:

#Common domain cert
[[certificate]]
domains = [
  "domain.tld",
  "www.domain.tld"
]
#method = "http01"
public = "~/webapps/domain_redirect"
name = "domain_ssl"
key_size = 4096

#A subdomain cert
[[certificate]]
domains = [
  "sub1.domain.tld",
  "www.sub1.domain.tld"
]
#method = "http01"
public = "~/webapps/sub1_redirect"
name = "sub1_domain_ssl"
key_size = 4096

#Repeat pattern for each additional subdomain cert assignment accordingly.

Reason given was if there was a problem during initial setup with will-in-wi, it would be easier to troubleshoot which site was problematic. Probably makes sense.

I guess I could now, knowing the dashboard is set up better, reassign a single cert for the three sites, but I’ll leave it alone for the time being. As long as they auto-renew as the car salesman promised, it doesn’t really matter now. ;)

I would not have guessed you need to provide the method = and key_size = lines each time, but that’s how they did it. Maybe that is redundant across the certificate blocks, I don’t know.


The text persuades, the *notes prove。

Offline

#32 2018-09-03 12:53:53

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 3,488
Website

Re: http to https in textpattern

Destry wrote #313785:

But for the webapp root path (public) you have two paths for each site (migratio and integratio)? They only have one path for me for each webapp, and it’s the redirect webapp path. I’m not saying you’re wrong, but that does seem to be one difference.

I wasn’t sure but you may be right. The validation check only needs to be performed on the redirect webapps but then again the SSL certificates are needed for the others. I’m not sure what the right answer is but I suspect it is yours ;-)

Regarding the domains list, I was under the impression you could only put all sites concerning a single common domain name on a given certificate (e.g. domain1.tld, www.domain1.tld, sub1.domain1.tld, sub2.domain1.tld, etc). But it appears you have it working with multiple different domains too on a single cert? Interesting.

That definitely works. The script was an earlier pre v3 version when I set it up and if I recall correctly it wasn’t possible then to create different certificates for different sites. I think that came in response to a feature request not all that long ago.

That was the main reason I investigated the whole thing as I didn’t want to create separate certificates – and webapps, and sites – for each separate domain. At the time, I wasn’t sure whether the cron job would work independently and wasn’t relishing renewing about 10-12 certificates every three months. I first looked at the new LetsEncrypt wildcard certificate that Yiannis posted about a while back but will-in-wi’s script doesn’t (yet) support that. Then I discovered he’d improved on his script and I could update a list of domains at once.

That said, I don’t think it matters either way. If you were hosting sites for clients on webfaction, I’m pretty sure you’d want to have separate certificates for separate clients should one need to be revised/removed/expanded without affecting the others.


TXP Builders – finely-crafted code, design and txp

Offline

#33 2018-09-03 12:58:23

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,209
Website

Re: http to https in textpattern

jakob wrote #313781:

PS: I don’t have any other Class B entries you mention (not even sure what that is).

The ‘Class B’ was a campaign from quite a few years back that argued ‘no www’. There used to be a flagship website for the effort breaking the reasons down, but I don’t find it anymore. Maybe it’s in the Wayback. It made sense to me at the time, and I just got in the habit of being in that camp ever since.

One main reason argued for not using www was that it forced all calls to your site to one domain (without www) instead of spread across two domains (with and without www.) depending on how they searched for it, and thus the spread was a hit against SEO. But my main reason was URLs are already crufty enough in most cases, so why pollute them more with ‘www.’ The redirect rules make all calls for both www and no-www urls to go to just the no-www domain, and make sure anyone saving a bookmark saves the no-www version.

Oddly enough, there is a site dedicated to the other camp, yes www. Frankly, nothing there is very convincing to me. I’ve been using no www for years and have never had problems.


The text persuades, the *notes prove。

Offline

#34 2018-09-03 12:58:32

jpdupont
Member
From: Virton (BE)
Registered: 2004-10-01
Posts: 752
Website

Re: http to https in textpattern

jakob wrote #313781:


An attempt at an explanation

For this reason, you need:

  • an extra webapp and website entry in webfaction for accepting http:// requests and redirecting incoming http: requests to https:. Those redirected requests are then handled by the other webapp with your site installation.

I’m currently creating for each project two websites (aname, and aname_notsecure) that both point to the domain and to the same webapp. The .htaccess file on this webapp redirects from http to https. It works on all my sites, but is it bad for one reason or another, Jakob?

Offline

#35 2018-09-03 13:27:19

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 3,488
Website

Re: http to https in textpattern

jpdupont wrote #313789:

I’m currently creating for each project two websites (aname, and aname_notsecure) that both point to the domain and to the same webapp. The .htaccess file on this webapp redirects from http to https. It works on all my sites, but is it bad for one reason or another, Jakob?

Good question. I wondered if that works too given that there is actually only an htaccess file in the redirect apps I have above. I simply followed webfaction’s recommendation. I presume you also have the exemption line in your htaccess file to allow http access to the .well-known directory?

If it all works on one webapp, that would, I agree, be simpler. And it would also simplify the instructions a great deal.

When I next get some time to upgrade that site, maybe I’ll renew that setup and try out your configuration using the most recent version of the will-in-wi script.


TXP Builders – finely-crafted code, design and txp

Offline

#36 2018-09-03 13:41:25

jpdupont
Member
From: Virton (BE)
Registered: 2004-10-01
Posts: 752
Website

Re: http to https in textpattern

jakob wrote #313791:

I presume you also have the exemption line in your htaccess file to allow http access to the .well-known directory?

No Jakob, I do not have this line in my .htaccess file. I have not passed version 3 of the certificate installation yet … Everything works normally with version 2, and I’m afraid to cause problems. My procedure is well defined and I need a few minutes for each project, with the creation of websites, domains, webapps and certificates.

I do this to create my “secure” website: I choose the shared certificate. Then I create the correct certificate for the domain, then return to websites to assign the definitive certificate. With this procedure, I no longer have the error message that I sometimes had .well-known not accessible.

Offline

#37 2018-09-03 18:06:41

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 3,488
Website

Re: http to https in textpattern

jpdupont wrote #313792:

No Jakob, I do not have this line in my .htaccess file. I have not passed version 3 of the certificate installation yet … I do this to create my “secure” website: I choose the shared certificate. Then I create the correct certificate for the domain, then return to websites to assign the definitive certificate. With this procedure, I no longer have the error message that I sometimes had .well-known not accessible.

Interesting. So by setting Webfaction’s shared certificate first before running the will-in-wi script, you allow LetsEncrypt to get through via https to do its validation. Then after that you set it back to the new certificate. Thereafter, it should be able to renew via https because the previous LetsEncrypt certificate you’re about to renew is still active.

That would explain why you don’t need two webapps, and why you don’t have the htaccess line allowing http access to the .well-known directory. I suppose the only ‘downside’ with your method is having to do the manual setting at the beginning, but it’s not that bad because you should only ever need to do that once the very first time you set up a certificate…


TXP Builders – finely-crafted code, design and txp

Offline

#38 2018-09-03 18:30:09

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,209
Website

Re: http to https in textpattern

When I first started using LE on WF, I used Neil Pang’s acme.sh shell only, which was a general tool, not geared specifically for WF. So the process for making that work was exactly like JP is doing, more or less. That was the way to do it at the time. I never changed my setup, which is why I started having problems recently when switching to the Will-in-Wi method.

WebFaction did tell me that while I wasn’t doing it wrong, exactly, neither was I doing it in the ideal way anymore if using Will-n-Wi’s (man, I hate typing that), which now seems to be the double-website process as Jakob and I have been commenting on.

So, as much as it’s a pain (and I know), you (JP) probably want to think about upgrading to WillnWi’s v.3, adjusting your setup in WF dashboard, and adding the .well-known exception in the mod_rewrite rules as noted. You’ll probably have fewer problems in the longer run if you do.

But, as they say, your mileage (kilometres) will vary. ;)


The text persuades, the *notes prove。

Offline
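
The redirect rules discussed in this thread, written out as an added example (not taken from any poster, from WebFaction or from the will-in-wi project): an .htaccess for the http-only redirect webapp that leaves the .well-known directory reachable over plain http and sends everything else to the no-www https host. It assumes Apache with mod_rewrite and that only http requests reach this webapp, as in the two-website setup described above.

```apache
# .htaccess in the http-only redirect webapp (added example; assumes mod_rewrite is enabled
# and that https traffic is served by a separate webapp, so every request seen here is http).
RewriteEngine On

# Exemption: do not redirect requests under /.well-known/, so the certificate
# authority can fetch its http01 validation token over plain http at renewal time.
RewriteCond %{REQUEST_URI} !^/\.well-known/

# Capture the host name without a leading "www." (no-www canonical form).
# The optional non-capturing group consumes "www." when present; %1 is the rest.
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]

# Permanent redirect to https on the no-www host, keeping path and query string.
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
```

If the exemption line is missing, the validation request is itself redirected to https, which only succeeds while a valid certificate is already assigned to the https site.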

#39 2018-09-03 18:49:33

jpdupont
Member
From: Virton (BE)
Registered: 2004-10-01
Posts: 752
Website

Re: http to https in textpattern

Thank you very much, Destry and Jakob, for your advice and for the long explanation that I will read in a few days … before embarking on version 3 ;-)

Offline

#40 2018-09-06 15:39:59

jpdupont
Member
From: Virton (BE)
Registered: 2004-10-01
Posts: 752
Website

Re: http to https in textpattern

I am currently testing the French host o2switch.fr: what a pleasure to install an LE certificate in 2 clicks and 10 seconds!

Offline
