Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#37 2018-02-20 17:29:49

jpdupont
Member
Registered: 2004-10-01
Posts: 752

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

Destry wrote #309254:

JP,

My app folder on WebFaction does NOT have .well-known in it. At least not according to using ls -a via command-line. Does that get added in course of following these instructions, or is that something every app folder is supposed to have?

I installed a certificate yesterday and I immersed myself again in the tutorials of the web and mine.

One of the tutorials stated that it was necessary to create this directory .well-known . It does not exist by default in Webfaction applications.

Offline

#38 2018-02-20 17:58:59

jpdupont
Member
Registered: 2004-10-01
Posts: 752

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

Destry wrote #309257:

More Qs…

I’m guessing that is for a real cert. What if I just want to test?

I do not know because I have never installed a test certificate. I just played on a test site, with the definitive certificate

Contab

To adjust my crontab, I went to these sites:

https://crontab-generator.org/
http://cron.schlitt.info/ (test my different settings)

Also, at the end of the line, there is nothing like this …

Here are the real lines of my crontab :

MAILTO="jean.pol.dupont@mysite.be"
MAILFROM="jean.pol.dupont@mysite.be"
0 0 1 2-12/2 *  PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.site1.yml
0 0 1 2-12/2 *  PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.siteorsubdomain2.yml
0 0 1 2-12/2 *  PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.site3.yml

I do not save the job information in a logfile, but I prefer to send me an email that warns me every 2 months that the certificate has been renewed.

Do not copy the lines as they are, because they point to my ruby installation, and my ~/le_config directory where I save my .yml files. I never tried to separate the lines with a blank line.

Offline

#39 2018-02-20 18:13:29

jpdupont
Member
Registered: 2004-10-01
Posts: 752

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

Destry wrote #309258:

For convenience, I’ve made a web doc for JP’s instructions and tried to clear some things up for myself, though it’s very beta at the moment and still needs the questions above answered for my own benefit and a second round of revisions.

Great, and very interesting, thank you Destry. Suggestion: separate what should be done once, and the few lines that must be repeated at each installation.
Here’s what I repeat for each certificate creation:

A. Check that the hidden .well-known folder is present in your application folder. Create it if necessary.
B. Create the config.newsite.yml file and drop it in your certificate config directory. 
C. Run the command by SSH:
           letsencrypt_webfaction --config ~ / le_config / config.newsite.yml
This command must return a completion message indicating that the certificate is installed.
D. In SSH, open crontab in the NANO editor by typing the command:
           EDITOR = nano crontab -e
In the editor, in the crontab file,  add a line of this type by configuration file (by newsite), and therefore by certificate :
           0 0 1 2-12 / 2 * PATH = $ PATH: $ GEM_HOME / bin GEM_HOME = $ HOME / .letsencrypt_webfaction / gems RUBYLIB = $ GEM_HOME / lib /home/xxxxx/ruby-2.3.1/bin/ruby $ HOME / .letsencrypt_webfaction / gems / bin / letsencrypt_webfaction --config ~ / le_config / config.newsite.yml
E. Add in your .htaccess the lines to redirect http:// to https:// (and the lines to redirect www.mysite.com to mysite.com, without "www").

Last edited by jpdupont (2018-02-20 18:21:18)

Offline

#40 2018-02-20 18:18:48

jpdupont
Member
Registered: 2004-10-01
Posts: 752

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

Last but not least: While some info on Let’s Encrypt indicate that a certificate is valid for a domain and all its subdomains, I think that on Webfaction you have to create an additional certificate per subdomain.

As I redirect in the .htaccess subdomain with www to the domain without www, it is useless to create a certificate for this www subdomain.

Offline

#41 2018-02-20 22:04:34

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

WebFaction just recommended I use this method, which looks good to me since I was already using acme.sh.

But nobody is clarifying this issue I have about the “.well-known” directory.

In this new doc linked here, it says under Usage, number 1:

Note you’ll need to set up your site to serve the files in /path/to/webroot/.well-known at http://example.com/.well-known. If you’re working with a static or php site, you can just add your actual webroot here.

Clear as mud.

So if I have a webapp at ~/webapps/myapp, where I would normally install Txp, it’s saying I need to install certs at ~/webapps/myapp/.well-known?

And thus I need to make and empty directory there?

Offline

#42 2018-02-20 22:49:25

bici
Member
From: vancouver
Registered: 2004-02-24
Posts: 2,091
Website Mastodon

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

hmmm. is it not saying that you install it on your PUBLIC webroot area.
i.e. http://example.com/.well-known

so in your case it would be http://wion.com/.well-known

that is how interpret the instructions

PS where does Webfaction recommend this approach? Was it in their documentation somewhere?


…. texted postive

Offline

#43 2018-02-21 06:33:31

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

jpdupont wrote #309263:

I think that on Webfaction you have to create an additional certificate per subdomain.

You are correct. I just got webfaction confirmation. A cert for each (sub)domain, but they can include the ‘www’ handling.

Offline

#44 2018-02-21 06:53:46

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

bici wrote #309351:

hmmm. is it not saying that you install it on your PUBLIC webroot area.
i.e. http://example.com/.well-known

It represents the same thing. For example site here, ~/webapps/site, is equivalent to example.com once you link up all the parts in the dashboard.

What I’m confused about is if I have to create a folder like this, ~/webapps/site/.well-known, or if the script is supposed to create it on the fly.

I’ve never had to create such a folder before, but now it seems to be a problem. WebFaction support has not given me a straight answer on this either.

I guess I’ll try adding it and see what happens.

PS where does Webfaction recommend this approach? Was it in their documentation somewhere?

Every support person recommends one of these script approaches, either in the user community to questions about ssl, or via support ticket, like I got. The approaches being either the letsencrypt-webfaction one JP’s notes are based on, which is a Ruby gems method. Or, more recently, the acme-webfaction one suggested to me.

Neil Pang’s original acme.sh script is more general use, not specifically for WebFaction. Greg Brown use it, I guess, to create a more specific process for WF that also includes a cron job for auto-renewals. Since I used Pang’s work before, I’ll try this new one by Brown. Seems very straightforward.

Here’s my version of Brown’s acme-webfaction tute that I just put together for dips like myself.

Last edited by Destry (2018-02-21 09:25:22)

Offline

#45 2018-02-21 09:14:41

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

jpdupont wrote #309262:

Great, and very interesting, thank you Destry.

Note I have replaced that initial document with a new one following the acme-webfaction process instead, which uses acme.sh instead of Ruby gems, etc.

I’m about to test it.

Offline

#46 2018-02-21 11:00:53

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

Testing is failing. Still having errors in relation to the .well-known folder. WebFaction support is telling me everything except how to solve the problem. Have no idea what to do.

If I don’t give a crap about SEO ranking in Gaggle, and I don’t have any forms or sign-ups… Do I really need HTTPS? Because, honestly, I don’t care about being a cool kid.

Offline

#47 2018-02-21 11:42:09

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

Destry wrote #309355:

If I don’t give a crap about SEO ranking in Gaggle, and I don’t have any forms or sign-ups… Do I really need HTTPS? Because, honestly, I don’t care about being a cool kid.

No, you don’t need it. But your site will be flagged as insecure by Chrome come July. It’s bullshit (HTTP sites can be secure – just slapping a HTTPS protocol and free certificate onto a domain doesn’t make a secure site), but expect other browsers to follow.

Offline

#48 2018-02-21 13:25:32

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome

philwareham wrote #309356:

No, you don’t need it. But your site will be flagged as insecure by Chrome come July.

BS, indeed.

On the plus side, I think I have it working now. Seems I had cooked up some dashboard soup, which is easy to do in WebFaction (not crazy about their method, to be honest). Once that was ironed out, I stopped getting the ‘verify’ errors.

I still haven’t done the last cron job setup step, though, because the WebFaction people are telling me the renewal won’t work if redirects are used in the .htaccess, or something. You have to comment them out at point of renewal.

I’m like what?! What’s the point of auto-renewals if I have to remember to comment frickin’ lines of code first? I might as well just manually update the certs.

I don’t get. If anyone does, please enlighten me.

Offline

Board footer

Powered by FluxBB