Textpattern CMS support forum
#31 2017-10-02 15:34:18
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Here is my tutorial: Installation of Let’s Encrypt certificates on Webfaction
Method recommended by Webfaction …
Last edited by jpdupont (2017-10-04 21:52:41)
#32 2017-10-04 21:49:59
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
I just installed a certificate on a new site, and a new Webfaction server by following my step-by-step tutorial successfully.
Small modification in the tutorial regarding the creation of the site safe and the site not secure. Updated file.
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
JP,
Your instruction has the following note:
Note: Check that the .well-known hidden folder is present in your application folder!
My app folder on WebFaction does NOT have .well-known in it. At least not according to using ls -a via command-line. Does that get added in course of following these instructions, or is that something every app folder is supposed to have?
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
For the record, I’ve been using Neil Pang’s wonderful acme.sh script on WebFaction, and it has always worked fine, until today. I’m adding a new subdomain and wanted to include that on an existing cert for that root domain. In other words, one cert for all of these:
- domain.tld
- www.domain.tld
- sub.domain.tld
- www.sub.domain.tld
I’ve ditched the old cert that was originally mounted for the first two, and I’m redoing it to work on all four.
But I’m getting these errors on tests:
domain.tld:Verify error:Invalid response from http://domain.tld/.well-known/acme-challenge/[long string here]
It seems that folder, .well-known, is missing each time and causing verification issues.
I wonder if this is why WebFaction is suggesting people use the “will-in-wi” approach instead? They’ve made changes somewhere that favors it?
One obvious advantage is the cron job automation for updates, which I didn’t have with the acme.sh approach.
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
JP,
More Qs…
Step 2
For this command:
letsencrypt_webfaction --config ~/le_config/config.monsite.yml
I’m guessing that is for a real cert. What if I just want to test? Is it as easy as this…
letsencrypt_webfaction --test --config ~/le_config/config.monsite.yml
And there’s a line that says (referring to the CL output)…
Add the --quiet parameter in your cron task to remove this message.
Do you mean that could be used in the command above, or is that supposed to go in the crontab line in step 3?
Step 3
The crontab line, it begins with:
0 0 1 1-11/2 * ...
But then your example lines show:
0 1 2 */2 * ...
What’s the difference? How does one decipher the values there?
Also, at the end of the line, there is nothing like this:
... >> $HOME/logs/user/cron.log 2>&1
But then you include them in the example lines. What is going on there, exactly? Do we add them for each line exactly as shown?
Finally, is it safe to add a blank line between crontab lines? I’ve not worked in a file like that before, but it would be good for me to discern lines easier with a blank if possible.
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
For convenience, I’ve made a web doc for JP’s instructions and tried to clear some things up for myself, though it’s very beta at the moment and still needs the questions above answered for my own benefit and a second round of revisions.
If anyone wants to test and chime in with suggestions, please do.
I have also not actually used the doc yet, which I’ll get to tomorrow-ish. So, still needs fool-proofed.
=================
Update: The above link no longer exists (sorry). The tute now describes a new process using acme.sh and a cron job, not Ruby gems as JP’s tutorial describes. See the new instruction file.
#37 2018-02-20 17:29:49
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Destry wrote #309254:
JP,
My app folder on WebFaction does NOT have .well-known in it. At least not according to using ls -a via command-line. Does that get added in course of following these instructions, or is that something every app folder is supposed to have?
I installed a certificate yesterday and I immersed myself again in the tutorials of the web and mine.
One of the tutorials stated that it was necessary to create this directory, .well-known. It does not exist by default in Webfaction applications.
#38 2018-02-20 17:58:59
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Destry wrote #309257:
More Qs…
I’m guessing that is for a real cert. What if I just want to test?
I do not know because I have never installed a test certificate. I just played on a test site, with the definitive certificate.
Crontab
To adjust my crontab, I went to these sites:
https://crontab-generator.org/
http://cron.schlitt.info/ (test my different settings)
Also, at the end of the line, there is nothing like this …
Here are the real lines of my crontab:
MAILTO="jean.pol.dupont@mysite.be"
MAILFROM="jean.pol.dupont@mysite.be"
0 0 1 2-12/2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.site1.yml
0 0 1 2-12/2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.siteorsubdomain2.yml
0 0 1 2-12/2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.site3.yml
I do not save the job information in a logfile, but I prefer to send myself an email that warns me every 2 months that the certificate has been renewed.
Do not copy the lines as they are, because they point to my ruby installation, and my ~/le_config directory where I save my .yml files. I never tried to separate the lines with a blank line.
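To help with the question of how to read those schedules, here is an added shell example (editor's code, not from this thread and not part of letsencrypt_webfaction or acme.sh). It evaluates a five-field crontab schedule against a given minute, hour, day of month, month and weekday, and lists the months in which each of the three schedules quoted in this thread can fire. It assumes a POSIX sh; the names cron_matches, cron_months and cron_field_matches are the example's own.

```shell
#!/bin/sh
# Added example: evaluate 5-field crontab schedules (minute hour day-of-month month day-of-week).
# Handles *, n, a-b, a-b/s, */s and comma-separated lists. Real cron ORs day-of-month and
# day-of-week when both are restricted; that rule is not modelled here, which is fine for the
# schedules in this thread because all of them use "*" for day-of-week.

# dec VALUE: drop one leading zero (date +%m prints 08) so arithmetic does not read it as octal
dec() { case $1 in 0?) echo "${1#0}" ;; *) echo "$1" ;; esac; }

# cron_field_matches SPEC VALUE LOW HIGH: exit 0 if VALUE is selected by SPEC
cron_field_matches() {
    local spec="$1" value="$2" low="$3" high="$4" rest item range step start end
    value=$(dec "$value")
    rest=$spec
    while [ -n "$rest" ]; do
        item=${rest%%,*}                       # next comma-separated item
        if [ "$item" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
        step=1
        case $item in
            */*) step=${item#*/}; range=${item%%/*} ;;   # a-b/s or */s
            *)   range=$item ;;
        esac
        case $range in
            '*') start=$low; end=$high ;;
            *-*) start=${range%-*}; end=${range#*-} ;;
            *)   start=$range; end=$range ;;
        esac
        if [ "$value" -ge "$start" ] && [ "$value" -le "$end" ] \
           && [ $(( (value - start) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_matches "MIN HOUR DOM MON DOW" MINUTE HOUR DAY MONTH WEEKDAY (weekday 0-6, Sunday=0)
cron_matches() {
    local schedule="$1" f1 f2 f3 f4 f5 extra
    read -r f1 f2 f3 f4 f5 extra <<EOF
$schedule
EOF
    if [ -z "$f5" ] || [ -n "$extra" ]; then
        echo "cron_matches: expected five fields in '$schedule'" >&2; return 2
    fi
    cron_field_matches "$f1" "$2" 0 59 &&
    cron_field_matches "$f2" "$3" 0 23 &&
    cron_field_matches "$f3" "$4" 1 31 &&
    cron_field_matches "$f4" "$5" 1 12 &&
    cron_field_matches "$f5" "$6" 0 6
}

# cron_months SCHEDULE: print the months (1-12) in which the month field allows a run
cron_months() {
    local f1 f2 f3 f4 f5 m out=
    read -r f1 f2 f3 f4 f5 <<EOF
$1
EOF
    for m in 1 2 3 4 5 6 7 8 9 10 11 12; do
        if cron_field_matches "$f4" "$m" 1 12; then out="$out${out:+ }$m"; fi
    done
    printf '%s\n' "$out"
}

# Demo over the three schedules discussed in this thread (sample input, not a real crontab)
for s in "0 0 1 1-11/2 *" "0 0 1 2-12/2 *" "0 1 2 */2 *"; do
    printf '%-15s -> months %s\n' "$s" "$(cron_months "$s")"
done
```

Reading the output: "0 0 1 1-11/2 *" runs at 00:00 on the 1st of January, March, ..., November; "0 0 1 2-12/2 *" runs at 00:00 on the 1st of February, April, ..., December; "0 1 2 */2 *" runs at 01:00 on the 2nd of January, March, ..., November, because a step applied to "*" starts counting from the field's lowest value. All three are therefore "every two months", differing only in the offset and the hour, which is what you want for a certificate that Let’s Encrypt issues with a 90-day lifetime. Blank lines between crontab entries are ignored by cron, so they are safe to add.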
#39 2018-02-20 18:13:29
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Destry wrote #309258:
For convenience, I’ve made a web doc for JP’s instructions and tried to clear some things up for myself, though it’s very beta at the moment and still needs the questions above answered for my own benefit and a second round of revisions.
Great, and very interesting, thank you Destry. Suggestion: separate what should be done once, and the few lines that must be repeated at each installation.
Here’s what I repeat for each certificate creation:
A. Check that the hidden .well-known folder is present in your application folder. Create it if necessary.
B. Create the config.newsite.yml file and drop it in your certificate config directory.
C. Run the command by SSH:
letsencrypt_webfaction --config ~/le_config/config.newsite.yml
This command must return a completion message indicating that the certificate is installed.
D. In SSH, open crontab in the NANO editor by typing the command:
EDITOR=nano crontab -e
In the editor, in the crontab file, add a line of this type per configuration file (per newsite), and therefore per certificate:
0 0 1 2-12/2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.newsite.yml
E. Add in your .htaccess the lines to redirect http:// to https:// (and the lines to redirect www.mysite.com to mysite.com, without "www").
Last edited by jpdupont (2018-02-20 18:21:18)
#40 2018-02-20 18:18:48
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Last but not least: While some info on Let’s Encrypt indicates that a certificate is valid for a domain and all its subdomains, I think that on Webfaction you have to create an additional certificate per subdomain.
As I redirect in the .htaccess the www subdomain to the domain without www, it is useless to create a certificate for this www subdomain.
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
WebFaction just recommended I use this method, which looks good to me since I was already using acme.sh.
But nobody is clarifying this issue I have about the “.well-known” directory.
In this new doc linked here, it says under Usage, number 1:
Note you’ll need to set up your site to serve the files in /path/to/webroot/.well-known at http://example.com/.well-known. If you’re working with a static or php site, you can just add your actual webroot here.
Clear as mud.
So if I have a webapp at ~/webapps/myapp, where I would normally install Txp, it’s saying I need to install certs at ~/webapps/myapp/.well-known?
And thus I need to make an empty directory there?
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
hmmm. is it not saying that you install it on your PUBLIC webroot area.
i.e. http://example.com/.well-known
so in your case it would be http://wion.com/.well-known
that is how I interpret the instructions
PS where does Webfaction recommend this approach? Was it in their documentation somewhere?
…. texted postive
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
jpdupont wrote #309263:
I think that on Webfaction you have to create an additional certificate per subdomain.
You are correct. I just got webfaction confirmation. A cert for each (sub)domain, but they can include the ‘www’ handling.
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
bici wrote #309351:
hmmm. is it not saying that you install it on your PUBLIC webroot area.
i.e. http://example.com/.well-known
It represents the same thing. For example site here, ~/webapps/site, is equivalent to example.com once you link up all the parts in the dashboard.
What I’m confused about is if I have to create a folder like this, ~/webapps/site/.well-known, or if the script is supposed to create it on the fly.
I’ve never had to create such a folder before, but now it seems to be a problem. WebFaction support has not given me a straight answer on this either.
I guess I’ll try adding it and see what happens.
PS where does Webfaction recommend this approach? Was it in their documentation somewhere?
Every support person recommends one of these script approaches, either in the user community to questions about ssl, or via support ticket, like I got. The approaches are either the letsencrypt-webfaction one JP’s notes are based on, which is a Ruby gems method, or, more recently, the acme-webfaction one suggested to me.
Neil Pang’s original acme.sh script is more general use, not specifically for WebFaction. Greg Brown used it, I guess, to create a more specific process for WF that also includes a cron job for auto-renewals. Since I used Pang’s work before, I’ll try this new one by Brown. Seems very straightforward.
Here’s my version of Brown’s acme-webfaction tute that I just put together for dips like myself.
Last edited by Destry (2018-02-21 09:25:22)
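The recurring question in this thread is whether the .well-known directory has to exist and be reachable before the ACME client runs. Here is an added shell example (editor's code, not from this thread and not part of acme.sh or acme-webfaction) that creates the http-01 challenge directory under a webroot and checks that a throwaway token placed there can be read back locally and, when a base URL is given, fetched over plain HTTP with curl, the same way the CA's validator fetches the real challenge. It assumes a POSIX sh, curl, and that the webroot argument is the directory the domain is served from (for example ~/webapps/myapp in Destry's setup); the function names are the example's own.

```shell
#!/bin/sh
# Added example: prepare and self-check the http-01 challenge directory for a webroot.
# The ACME client only writes the token file; the directory has to exist and the web server
# has to serve it at http://<domain>/.well-known/acme-challenge/<token>.

# acme_challenge_prepare WEBROOT: create WEBROOT/.well-known/acme-challenge, world-readable
acme_challenge_prepare() {
    local webroot="$1"
    [ -d "$webroot" ] || { echo "webroot '$webroot' does not exist" >&2; return 1; }
    mkdir -p "$webroot/.well-known/acme-challenge" &&
    chmod 755 "$webroot/.well-known" "$webroot/.well-known/acme-challenge"
}

# acme_challenge_selfcheck WEBROOT [BASE_URL]
# Writes a token named like a real challenge, verifies it reads back, optionally fetches
# BASE_URL/.well-known/acme-challenge/<token> over HTTP and compares the body, then removes it.
acme_challenge_selfcheck() {
    local webroot="$1" base="${2:-}" token file body status=0
    token="preflight-$$-$(date +%s)"           # unique, harmless name for this run
    file="$webroot/.well-known/acme-challenge/$token"
    [ -d "${file%/*}" ] || { echo "missing ${file%/*}; run acme_challenge_prepare first" >&2; return 1; }
    printf '%s\n' "$token" > "$file" || return 1
    chmod 644 "$file"
    if [ "$(cat "$file")" != "$token" ]; then
        status=1                               # cannot even read our own file back
    elif [ -n "$base" ]; then
        # External view: what the CA sees. -f makes curl fail on 4xx/5xx instead of printing HTML.
        body=$(curl -fsS --max-time 10 "$base/.well-known/acme-challenge/$token") || status=1
        [ "$body" = "$token" ] || status=1
    fi
    rm -f "$file"                              # never leave stray files in the challenge directory
    return $status
}

# Demo on a temporary webroot (constructed; no HTTP check, since nothing serves it here)
demo_root=$(mktemp -d)
acme_challenge_prepare "$demo_root" && acme_challenge_selfcheck "$demo_root" \
    && echo "challenge directory OK under $demo_root"
rm -rf "$demo_root"
```

Typical use before running the client is `acme_challenge_prepare ~/webapps/myapp && acme_challenge_selfcheck ~/webapps/myapp http://example.com`. If the local read succeeds but the HTTP fetch fails, the file system is fine and the problem is in how the site is served: an http-to-https redirect in .htaccess that also catches the challenge path, a rule denying hidden (dot) paths, or the domain not yet mapped to that application in the dashboard. That is the situation behind the "Invalid response from http://domain.tld/.well-known/acme-challenge/..." error quoted earlier in the thread.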
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
jpdupont wrote #309262:
Great, and very interesting, thank you Destry.
Note I have replaced that initial document with a new one following the acme-webfaction process instead, which uses acme.sh instead of Ruby gems, etc.
I’m about to test it.