Textpattern CMS support forum
#37 2018-02-20 17:29:49
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Destry wrote #309254:
JP,
My app folder on WebFaction does NOT have .well-known in it. At least not according to using
ls -a
via command-line. Does that get added in course of following these instructions, or is that something every app folder is supposed to have?
I installed a certificate yesterday and immersed myself again in the tutorials on the web and in mine.
One of the tutorials stated that it was necessary to create this .well-known directory. It does not exist by default in Webfaction applications.
Offline
#38 2018-02-20 17:58:59
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Destry wrote #309257:
More Qs…
I’m guessing that is for a real cert. What if I just want to test?
I do not know, because I have never installed a test certificate. I just played on a test site, with the definitive certificate.
Crontab
To adjust my crontab, I went to these sites:
https://crontab-generator.org/
http://cron.schlitt.info/ (test my different settings)
Also, at the end of the line, there is nothing like this …
Here are the real lines of my crontab:
MAILTO="jean.pol.dupont@mysite.be"
MAILFROM="jean.pol.dupont@mysite.be"
0 0 1 2-12/2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.site1.yml
0 0 1 2-12/2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.siteorsubdomain2.yml
0 0 1 2-12/2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.site3.yml
I do not save the job information in a logfile, but I prefer to send myself an email that warns me every 2 months that the certificate has been renewed.
Do not copy the lines as they are, because they point to my ruby installation, and my ~/le_config directory where I save my .yml files. I never tried to separate the lines with a blank line.
Offline
#39 2018-02-20 18:13:29
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Destry wrote #309258:
For convenience, I’ve made a web doc for JP’s instructions and tried to clear some things up for myself, though it’s very beta at the moment and still needs the questions above answered for my own benefit and a second round of revisions.
Great, and very interesting, thank you Destry. Suggestion: separate what should be done once, and the few lines that must be repeated at each installation.
Here’s what I repeat for each certificate creation:
A. Check that the hidden .well-known folder is present in your application folder. Create it if necessary.
B. Create the config.newsite.yml file and drop it in your certificate config directory.
C. Run the command by SSH:
letsencrypt_webfaction --config ~/le_config/config.newsite.yml
This command must return a completion message indicating that the certificate is installed.
D. In SSH, open crontab in the NANO editor by typing the command:
EDITOR=nano crontab -e
In the editor, in the crontab file, add a line of this type per configuration file (per newsite), and therefore per certificate:
0 0 1 2-12/2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /home/xxxxx/ruby-2.3.1/bin/ruby $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/le_config/config.newsite.yml
E. Add in your .htaccess the lines to redirect http:// to https:// (and the lines to redirect www.mysite.com to mysite.com, without "www").
Last edited by jpdupont (2018-02-20 18:21:18)
Offline
#40 2018-02-20 18:18:48
- jpdupont
- Member
- Registered: 2004-10-01
- Posts: 752
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Last but not least: While some info on Let’s Encrypt indicates that a certificate is valid for a domain and all its subdomains, I think that on Webfaction you have to create an additional certificate per subdomain.
As I redirect in the .htaccess subdomain with www to the domain without www, it is useless to create a certificate for this www subdomain.
Offline
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
WebFaction just recommended I use this method, which looks good to me since I was already using acme.sh.
But nobody is clarifying this issue I have about the “.well-known” directory.
In this new doc linked here, it says under Usage, number 1:
Note you’ll need to set up your site to serve the files in /path/to/webroot/.well-known at http://example.com/.well-known. If you’re working with a static or php site, you can just add your actual webroot here.
Clear as mud.
So if I have a webapp at ~/webapps/myapp, where I would normally install Txp, it’s saying I need to install certs at ~/webapps/myapp/.well-known?
And thus I need to make an empty directory there?
Offline
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Hmmm. Is it not saying that you install it in your PUBLIC webroot area?
i.e. http://example.com/.well-known
So in your case it would be http://wion.com/.well-known
That is how I interpret the instructions.
PS where does Webfaction recommend this approach? Was it in their documentation somewhere?
…. texted positive
Offline
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
jpdupont wrote #309263:
I think that on Webfaction you have to create an additional certificate per subdomain.
You are correct. I just got webfaction confirmation. A cert for each (sub)domain, but they can include the ‘www’ handling.
Offline
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
bici wrote #309351:
hmmm. is it not saying that you install it on your PUBLIC webroot area.
i.e. http://example.com/.well-known
It represents the same thing. For example, site here, ~/webapps/site, is equivalent to example.com once you link up all the parts in the dashboard.
What I’m confused about is if I have to create a folder like this, ~/webapps/site/.well-known, or if the script is supposed to create it on the fly.
I’ve never had to create such a folder before, but now it seems to be a problem. WebFaction support has not given me a straight answer on this either.
I guess I’ll try adding it and see what happens.
PS where does Webfaction recommend this approach? Was it in their documentation somewhere?
Every support person recommends one of these script approaches, either in the user community to questions about ssl, or via support ticket, like I got. The approaches being either the letsencrypt-webfaction one JP’s notes are based on, which is a Ruby gems method. Or, more recently, the acme-webfaction one suggested to me.
Neil Pang’s original acme.sh script is more general use, not specifically for WebFaction. Greg Brown used it, I guess, to create a more specific process for WF that also includes a cron job for auto-renewals. Since I used Pang’s work before, I’ll try this new one by Brown. Seems very straightforward.
Here’s my version of Brown’s acme-webfaction tute that I just put together for dips like myself.
Last edited by Destry (2018-02-21 09:25:22)
Offline
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
jpdupont wrote #309262:
Great, and very interesting, thank you Destry.
Note I have replaced that initial document with a new one following the acme-webfaction process instead, which uses acme.sh instead of Ruby gems, etc.
I’m about to test it.
Offline
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Testing is failing. Still having errors in relation to the .well-known folder. WebFaction support is telling me everything except how to solve the problem. Have no idea what to do.
If I don’t give a crap about SEO ranking in Gaggle, and I don’t have any forms or sign-ups… Do I really need HTTPS? Because, honestly, I don’t care about being a cool kid.
Offline
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
Destry wrote #309355:
If I don’t give a crap about SEO ranking in Gaggle, and I don’t have any forms or sign-ups… Do I really need HTTPS? Because, honestly, I don’t care about being a cool kid.
No, you don’t need it. But your site will be flagged as insecure by Chrome come July. It’s bullshit (HTTP sites can be secure – just slapping a HTTPS protocol and free certificate onto a domain doesn’t make a secure site), but expect other browsers to follow.
Offline
Re: Non-HTTPS Sites Labeled "Not Secure" by Chrome
philwareham wrote #309356:
No, you don’t need it. But your site will be flagged as insecure by Chrome come July.
BS, indeed.
On the plus side, I think I have it working now. Seems I had cooked up some dashboard soup, which is easy to do in WebFaction (not crazy about their method, to be honest). Once that was ironed out, I stopped getting the ‘verify’ errors.
I still haven’t done the last cron job setup step, though, because the WebFaction people are telling me the renewal won’t work if redirects are used in the .htaccess, or something. You have to comment them out at point of renewal.
I’m like what?! What’s the point of auto-renewals if I have to remember to comment frickin’ lines of code first? I might as well just manually update the certs.
I don’t get it. If anyone does, please enlighten me.
Offline
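The .htaccess redirects from jpdupont’s step E and the renewal conflict Destry describes above (redirects having to be commented out before each renewal) come down to the same thing: the ACME http-01 check fetches a token from /.well-known/acme-challenge/ over plain HTTP, so that one path must be excluded from the redirect rules. Added example, not from anyone in this thread; mysite.com is a placeholder, and the X-Forwarded-SSL header is assumed from WebFaction’s TLS-terminating front end (a plain Apache host would test %{HTTPS} instead).

```apache
RewriteEngine On

# 1. Let the ACME http-01 challenge path through untouched, whatever the
#    scheme or host, so scheduled renewals keep working with the redirects
#    left in place.
RewriteRule ^\.well-known/acme-challenge/ - [L]

# 2. Everything else: force HTTPS. WebFaction terminates TLS before the
#    app, so the forwarded header (assumed name) is tested, not %{HTTPS}.
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 3. Then strip the www. prefix (mysite.com is a placeholder hostname).
RewriteCond %{HTTP_HOST} ^www\.mysite\.com$ [NC]
RewriteRule ^ https://mysite.com%{REQUEST_URI} [R=301,L]
```

Rule order matters: the challenge exclusion must come before the redirects, and the rule set should be checked with a request for http://mysite.com/.well-known/acme-challenge/anything returning a 404 from the app rather than a 301.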