Textpattern CMS support forum

#25 2018-09-02 14:26:13

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,578

Re: http to https in textpattern

If your certificate has been generated okay, you’ll see it listed in the webfaction admin panel under Domains / Websites > SSL certificates.

If that’s worked correctly but you’re not seeing it working on your homepage, go to Domains / Websites > Websites and click on the website entry that’s taking the incoming https: requests for the domains covered by the certificate. In the row with the heading Security section, there’s now a dropdown beneath the [Normal / Encrypted] button called “Choose a certificate” where you select which certificate applies for those websites. If that’s not selected, that may be why you’re not seeing it on your homepage.


TXP Builders – finely-crafted code, design and txp


#26 2018-09-02 20:21:54

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909

Re: http to https in textpattern

Can someone who has the will-n-wi LE WF setup working PLEASE show me what your .htaccess file looks like for the redirects. I’m going round and round with WF support and getting no place, and I’ve been at this certs crap all frickin’ day!

When I try to run the cert command, I keep getting an error like this for one of the subdomain sites:

sub.domain.tld: Fetching https://sub.domain.tld/.well-known/acme-challenge/bgnmz4O516-AomMS6uIb4NcfqO7PBqJvXbHn7Y1jlyk: Error getting validation data
Make sure that you can access http://sub.domain.tld/.well-known/acme-challenge/bgnmz4O516-AomMS6uIb4NcfqO7PBqJvXbHn7Y1jlyk
www.sub.domain.tld: Fetching https://sub.domain.tld/.well-known/acme-challenge/gOQG3vyjor0ov3P_XkULPyv6jNHFcEsw9fr_1KpKDr0: Error getting validation data
Make sure that you can access http://www.sub.domain.tld/.well-known/acme-challenge/gOQG3vyjor0ov3P_XkULPyv6jNHFcEsw9fr_1KpKDr0

As a result of getting even a single error, the real cert doesn’t get issued.

I’m told that I need to use this set of mod_rewrite rules to exclude the .well-known challenge from the redirect applied to the rest of the site.

So now in the main .htaccess file for the three sites I’m trying to get working, they all include this custom set of rules, exactly the same way:

## Class B (no www) redirects
# The first condition is especially for LE-WF certs to work
# (kept on its own line: a trailing "#" on a RewriteCond line is not a comment in Apache)
RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

## Redirects for http to https
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

But that doesn’t work. I still can’t successfully issue a cert. I’m told there’s some kind of redirect looping going on, but I don’t know WTF they’re talking about, and it keeps getting pushed back on me to figure out on my own. sigh

Then I’m told this, which has to do with setting things up in the WF dashboard, but I don’t understand what they’re saying:

The way you’ve set up your sites is not incorrect, but it may be less work to maintain if you had one HTTPS site and one HTTP site for each site with the main domain and www both on each site, and the HTTP website record serving only the .htaccess file to perform the redirection.

I’m like, What?!

I’m tired of the WF way of things. I need some normalcy in a web host.


#27 2018-09-02 21:37:38

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,578

Re: http to https in textpattern

Destry, can I get back to you on this tomorrow morning and outline the setup I have, which is more or less what they’re describing? It sounds complicated and roundabout but makes sense in the end. It sounds like you may be routing http and https traffic through one webapp, and that’s much trickier. I have one webapp for http just as a redirect (with said .htaccess exemption for the .well-known folder), and another for https with the actual website. That way, they don’t get in each other’s way.


TXP Builders – finely-crafted code, design and txp


#28 2018-09-02 21:42:32

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909

Re: http to https in textpattern

Yes, take your time. I’m going to bed.

Also, to be fair to WF, I spilled my frustration to the support person and they are now going some extra distance to iron some things out for me. ;)

I’ll see how things are like tomorrow.

G’nighty!


#29 2018-09-03 08:57:08

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909

Re: http to https in textpattern

Jakob,

I awoke to find WF had fixed all my sites. And I was provided with a decent explanation of how they made adjustments on the dashboard side (which I can see now so that helps a lot) and in my .htaccess files.

In the latter case, these are the only rules needed now for certs, and only if, like me, you want Class B redirects:

## Class B (no www) redirects
	RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
	RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

I think you had guessed correctly about what they were suggesting. And this has implications for what ‘webapp root path’ to assign in the will-n-wi config file too, so I would have never figured this all out by his instructions alone.

Basically, decent instructions for this whole process would be two parts/docs: first to clearly describe how to set up websites on the WF dashboard side (because there’s more than one way to do it, but only one way is optimally the best for certs), and then how to set up the cert(s) side with William’s gems.

I will be writing those docs for my benefit now since I’ve fought through the process and have the pieces before me.

You are off the hook as far as it concerns helping me. I would love if you’d read the docs later when ready, though, to see it all jives.

Oh, I did also learn that WF plans to integrate certs creation a lot better in the dashboard (probably automating a lot in relation to their API), but I wouldn’t count on this happening any time soon.
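To see what the rule groups quoted in posts #26 and #29 actually do to a request, here is a small added model in Python. It is not Apache and not code from this thread or from the will-in-wi script: it re-implements the same matching on constructed sample requests and follows the resulting redirects the way a client would. The one assumption it makes explicit is whether the front-end proxy presents X-Forwarded-SSL as "on" to the webapp; with that flag off, the second rule group in post #26 redirects the already-https request to itself, which is the redirect loop WF support described. It also shows that the acme-challenge exemption in the first group does not stop the second group from redirecting the challenge request.

```python
"""Constructed model of the mod_rewrite rules discussed in this thread.

Not Apache and not code from the thread or from will-in-wi/letsencrypt-webfaction.
It mimics the rules on sample requests to show (a) what the acme-challenge
exemption covers and (b) how the X-Forwarded-SSL check loops if the proxy
does not hand that header to the webapp (an assumption made explicit below).
"""
import re
from dataclasses import dataclass

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class Request:
    scheme: str             # "http" or "https" as requested by the client
    host: str               # value of HTTP_HOST
    path: str               # REQUEST_URI, always starting with "/"
    forwarded_ssl: str = ""  # X-Forwarded-SSL header value, "" if absent

    @property
    def url(self):
        return f"{self.scheme}://{self.host}{self.path}"


def post26_rules(req):
    """Both rule groups from post #26. Returns a redirect target or None."""
    # Class B group: strip www., force https; exempts the acme challenge.
    if not req.path.startswith(ACME_PREFIX):
        m = re.match(r"^www\.(.*)$", req.host, re.IGNORECASE)
        if m:
            return f"https://{m.group(1)}{req.path}"
    # http -> https group: no exemption, fires whenever the header is not "on".
    if req.forwarded_ssl.lower() != "on":
        return f"https://{req.host}{req.path}"
    return None


def post29_rules(req):
    """The reduced ruleset from post #29: only the www-stripping rule."""
    m = re.match(r"^www\.(.*)$", req.host, re.IGNORECASE)
    if m:
        return f"https://{m.group(1)}{req.path}"
    return None


def follow(rules, req, proxy_sets_header=True, max_hops=5):
    """Follow redirects like a client. Returns (final_url, hops, looped).

    proxy_sets_header is the assumption about the hosting front end: when
    True, an https request reaches the webapp with X-Forwarded-SSL: on.
    """
    seen, cur = [], req
    for hop in range(max_hops):
        target = rules(cur)
        if target is None:
            return cur.url, hop, False
        if target in seen:          # same Location twice: a loop
            return target, hop + 1, True
        seen.append(target)
        scheme, rest = target.split("://", 1)
        host, _, path = rest.partition("/")
        cur = Request(scheme, host, "/" + path,
                      forwarded_ssl="on" if (scheme == "https" and proxy_sets_header) else "")
    return cur.url, max_hops, True


if __name__ == "__main__":
    challenge = Request("http", "sub.domain.tld", ACME_PREFIX + "TOKEN")  # constructed
    print("post #26, challenge over http:", follow(post26_rules, challenge))
    print("post #26, header not forwarded:",
          follow(post26_rules, Request("http", "sub.domain.tld", "/"), proxy_sets_header=False))
    print("post #29, www challenge:",
          follow(post29_rules, Request("http", "www.sub.domain.tld", ACME_PREFIX + "TOKEN")))
```

Running it prints that the post #26 rules send the http challenge request on to https (one hop, no loop when the header is forwarded), that the same rules loop when the header is not "on", and that the post #29 rules only ever strip the www. and leave a no-www request alone.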


#30 2018-09-03 09:22:15

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,578

Re: http to https in textpattern

Ah well, I only just read this after writing my instructions. Glad you got it sorted. Having written them, I’ll include them here in case they help others, or yourself when updating your instructions. I’ll send you the beginnings of my instructions via email in case that helps to get you started (which in turn are originally based on yours and Jean-Pol’s).

I think part of Webfaction’s unusual / idiosyncratic setup stems from the fact that you can install multiple different systems (Node, Rails, Go, Python…) on one account and I agree, their separation into domains, applications and websites is a bit disorientating compared with other hosts.

The client I have on webfaction has two different actual websites – one running on txp, the other on wp – and a number of domains (same domain name with different TLDs) that feed into them.

Domains

I don’t have any special settings here. Each domain and subdomain is listed as hosted by Webfaction. No other special DNS entries.

Applications

For each of these actual websites, I have two applications all of type Static/CGI/PHP. In the menu Domains/Websites » Applications:

Application name Application type
migratio_redirect_to_https Static/CGI/PHP-x.x
migratio_www Static/CGI/PHP-x.x
integratio_redirect_to_https Static/CGI/PHP-x.x
integratio_www Static/CGI/PHP-x.x

You see these in (s)ftp as separate directories in the /webapps directory. (migratio and integratio are what my accounts are called, yours will be different).

The {sitename}_www folder contains the actual website installation (txp, wp, etc.) as usual.

The {sitename}_redirect_to_https folder contains just an .htaccess file and the .well-known directory (I forget now whether I created that or whether the certificate installation script did). My .htaccess looks like this:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/?\.well\-known/acme\-challenge
RewriteRule ^(.*)$ https://www.maindomainname.org%{REQUEST_URI} [R=301,L]

but you could also use the one outlined on the Exception RewriteCond you linked to above. The difference is primarily that in my case I have hard-coded the domain name so that all the other domainname.com/.net/.eu etc. TLDs get redirected to the .org domain using www.

Reminder: Don’t forget to add this webapp to the public section of your letsencrypt_webfaction config file.

PS: I don’t have any other Class B entries you mention (not even sure what that is). I think that may hang together with the previous script you were using.

Websites

In the menu Domains/Websites » Websites.

For each actual website, I have two entries, one for http and one for https.

Website name        Domains                    Security              Application
SitenameA_http      http://domainA.org         Normal (http)         migratio_redirect_to_https
                    http://www.domainA.org
                    http://domainA.net
                    http://www.domainA.net
                    etc.
SitenameA_live_ssl  https://domainA.org        Encrypted (https)     migratio_www
                    https://www.domainA.org    {certificate_name}
                    https://domainA.net
                    https://www.domainA.net
                    etc.
SitenameB_http      http://domainB.org         Normal (http)         integratio_redirect_to_https
                    http://www.domainB.org
                    etc.
SitenameB_live_ssl  https://domainB.org        Encrypted (https)     integratio_www
                    https://www.domainB.org    {certificate_name}
                    etc.

Reminder for later: Don’t forget (if the script doesn’t already set it) to set the certificate name for the https entries under “Choose a certificate”.

Run will-in-wi/letsencrypt-webfaction

Now you can return to the will-in-wi letsencrypt_webfaction script and update your config. I’m still running a slightly earlier version but it also uses a config file that’s very similar to the current instructions (example here). Under domains I have:

domains = [
  "domainA.org",
  "www.domainA.org",
  "domainA.net",
  "www.domainA.net",
  "domainA.eu",
  "www.domainA.eu",
  "domainB.org",
  "www.domainB.org",
  "domainB.org.uk",
  "www.domainB.org.uk"
]

Add further subdomains (e.g. beta. etc.) to the list, if you’re using them.

And under public I have:

public = [
  "~/webapps/migratio_redirect_to_https/",
  "~/webapps/migratio_www/",
  "~/webapps/integratio_redirect_to_https/",
  "~/webapps/integratio_www/"
]

With that setup, you can have a single LetsEncrypt certificate for multiple domains and subdomains on one account. If you prefer to have separate certificates for separate actual websites, you can, I believe, now make a new [[certificate]] entry for each set of domains and webapps as described in will-in-wi’s example.

Now you should be able to run the script and, fingers crossed, your certificate (or certificates) will be created and you should see it (or them) shortly after under Domains/Websites » SSL certificates in the webfaction admin area, along with a valid until date, the domains it applies to and the webfaction website names it applies to.

Remember to check that the certificate name also shows under “Choose a certificate” in your respective website entry in the webfaction panel. If not, specify the certificate.

Cron job

My cron job has just this in it (but I’m not running any other scripts on there):

MAILFROM={email-you-specified-under-letsencrypt_account_email-in-the-config-file}
MAILTO={my-personal-email-address}

# Let's Encrypt Update (System Ruby) at 05:00 on day-of-month 2 in every 2nd month.
0 5 2 */2 *     PATH=$PATH:$GEM_HOME/bin:/usr/local/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction run --quiet

Use crontab.guru to determine the code you need for your cron schedule.

As you will have seen on your issue thread on GitHub, the will-in-wi author suggests running the script much more often – like every few days. Apparently the script will not renew certificates more than 30 days prior to expiry, so it’s better to let it run more often so that you don’t get left high and dry should the certificate update happen to fail. I will update mine accordingly.

An attempt at an explanation

This is my interpretation of why things need to be set up this way. As far as I have understood this, this rather convoluted-looking setup has two reasons:

  • Webfaction allows you to set up website entries in its admin area that receive requests via http or via https but not both.
  • Browsers will only accept https requests to a website if the site has an SSL certificate (or if you actively override that requirement). I presume the server does the same. As the LetsEncrypt validation procedure (the so-called acme-challenge) can’t assume there is already a certificate in place, it sends a regular http: request.

For this reason, you need:

  • an extra webapp and website entry in webfaction for accepting http:// requests and redirecting incoming http: requests to https:. Those redirected requests are then handled by the other webapp with your site installation.
  • a line in your .htaccess file that exempts the LetsEncrypt validation procedure request from being redirected to https.

If you have other areas/subdirectories of your site that need regular http:// access, you need to add those as further RewriteCond entries to your htaccess.

I hope that’s some help!!


TXP Builders – finely-crafted code, design and txp
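The point in the post above about running the cron job more often than every two months is easy to see with a small timing model. This is an added Python example, not part of will-in-wi/letsencrypt-webfaction or of the cron job above. It assumes a 90-day certificate lifetime (Let’s Encrypt’s) and takes the 30-days-before-expiry threshold from the post; the two schedules are approximated as fixed day intervals rather than exact cron dates.

```python
"""Constructed model of certificate renewal timing (added illustration, not
part of will-in-wi/letsencrypt-webfaction).

Assumptions: the certificate is valid for 90 days, and the renewal script
only acts inside the last 30 days before expiry, as the thread states.
Schedules are approximated as fixed day intervals, not exact cron dates.
"""

LIFETIME_DAYS = 90       # assumption: Let's Encrypt certificate lifetime
RENEW_WINDOW_DAYS = 30   # from the thread: no renewal earlier than this


def renewal_due(days_until_expiry, window=RENEW_WINDOW_DAYS):
    """True when the script would actually renew (inside the window)."""
    return days_until_expiry <= window


def simulate(run_days, horizon_days=365, failed_runs=(), lifetime=LIFETIME_DAYS):
    """Issue a certificate on day 0 and run the renewal job on each day in
    run_days. Runs listed in failed_runs do nothing (e.g. a transient
    validation error). Returns (days on which a renewal happened,
    day the certificate expired, or None if it stayed valid)."""
    run_days, failed_runs = set(run_days), set(failed_runs)
    expiry, renewals = lifetime, []
    for day in range(horizon_days + 1):
        if day >= expiry:
            return renewals, expiry
        if day in run_days and day not in failed_runs and renewal_due(expiry - day):
            expiry = day + lifetime
            renewals.append(day)
    return renewals, None


EVERY_TWO_MONTHS = range(60, 366, 60)   # roughly the "0 5 2 */2 *" schedule above
EVERY_THREE_DAYS = range(3, 366, 3)     # "every few days", as the script author suggests


if __name__ == "__main__":
    for label, sched in (("every ~60 days", EVERY_TWO_MONTHS), ("every 3 days", EVERY_THREE_DAYS)):
        ok = simulate(sched)
        bad = simulate(sched, failed_runs={120})   # constructed: one failed run
        print(f"{label}: no failures -> renewed on {ok[0]}, expired on {ok[1]}")
        print(f"{label}: run on day 120 fails -> renewed on {bad[0]}, expired on {bad[1]}")
```

With no failures both schedules renew on the same days, because the first run inside the 30-day window is what triggers a renewal. The difference shows as soon as one run fails: on the two-monthly schedule the next run comes after the certificate has already expired, while on the three-day schedule the next attempt a few days later still lands inside the window.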


#31 2018-09-03 12:32:32

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909

Re: http to https in textpattern

Jakob,

Thanks for that, and sorry about the extra work. We all <txp:love /> you for it.

Also, I’m just now seeing this post of yours from yesterday. Not sure how I missed that, but my posts probably seemed strange to you after that. Must have been my red lens filter blurring my vision.

Regarding your instructions, there’s one thing there seemingly different than how they set it up for me in the config file, or I’m just not getting it. But for the webapp root path (public) you have two paths for each site (migratio and integratio)? They only have one path for me for each webapp, and it’s the redirect webapp path. I’m not saying you’re wrong, but that does seem to be one difference.

Regarding the domains list, I was under the impression you could only put all sites concerning a single common domain name on a given certificate (e.g. domain1.tld, www.domain1.tld, sub1.domain1.tld, sub2.domain1.tld, etc). But it appears you have it working with multiple different domains too on a single cert? Interesting.

I actually only have three sites right now on a common domain, and they split them into separate config file certificates, for example:

#Common domain cert
[[certificate]]
domains = [
  "domain.tld",
  "www.domain.tld"
]

#method = "http01"

public = "~/webapps/domain_redirect"

name = "domain_ssl"

key_size = 4096

#A subdomain cert
[[certificate]]
domains = [
  "sub1.domain.tld",
  "www.sub1.domain.tld"
]

#method = "http01"

public = "~/webapps/sub1_redirect"

name = "sub1_domain_ssl"

key_size = 4096

#Repeat pattern for each additional subdomain cert assignment accordingly.

Reason given was if there was a problem during initial setup with will-in-wi, it would be easier to troubleshoot which site was problematic. Probably makes sense.

I guess I could now, knowing the dashboard is setup better, reassign a single cert for the three sites, but I’ll leave it alone for the time being. As long as they auto-renew as the car salesman promised, it doesn’t really matter now. ;)

I would not have guessed you need to provide the method = and key_size = lines each time, but that’s how they did it. Maybe that is redundant across the certificate blocks, I don’t know.


#32 2018-09-03 12:53:53

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,578

Re: http to https in textpattern

Destry wrote #313785:

But for the webapp root path (public) you have two paths for each site (migratio and integratio)? They only have one path for me for each webapp, and it’s the redirect webapp path. I’m not saying you’re wrong, but that does seem to be one difference.

I wasn’t sure but you may be right. The validation check only needs to be performed on the redirect webapps but then again the SSL certificates are needed for the others. I’m not sure what the right answer is but I suspect it is yours ;-)

Regarding the domains list, I was under the impression you could only put all sites concerning a single common domain name on a given certificate (e.g. domain1.tld, www.domain1.tld, sub1.domain1.tld, sub2.domain1.tld, etc). But it appears you have it working with multiple different domains too on a single cert? Interesting.

That definitely works. The script was an earlier pre v3 version when I set it up and if I recall correctly it wasn’t possible then to create different certificates for different sites. I think that came in response to a feature request not all that long ago.

That was the main reason I investigated the whole thing as I didn’t want to create separate certificates – and webapps, and sites – for each separate domain. At the time, I wasn’t sure whether the cron job would work independently and wasn’t relishing renewing about 10-12 certificates every three months. I first looked at the new LetsEncrypt wildcard certificate that Yiannis posted about a while back but will-in-wi’s script doesn’t (yet) support that. Then I discovered he’d improved on his script and I could update a list of domains at once.

That said, I don’t think it matters either way. If you were hosting sites for clients on webfaction, I’m pretty sure you’d want to have separate certificates for separate clients should one need to be revised/removed/expanded without affecting the others.


TXP Builders – finely-crafted code, design and txp


#33 2018-09-03 12:58:23

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909

Re: http to https in textpattern

jakob wrote #313781:

PS: I don’t have any other Class B entries you mention (not even sure what that is).

The ‘Class B’ was a campaign from quite a few years back that argued ‘no www’. There used to be a flagship website for the effort breaking the reasons down, but I can’t find it anymore. Maybe it’s in the Wayback. It made sense to me at the time, and I just got in the habit of being in that camp ever since.

One main reason argued for not using www was that it forced all calls to your site to one domain (without www) instead of spread across two domains (with and without www.) depending on how they searched for it, and thus the spread was a hit against SEO. But my main reason was URLs are already crufty enough in most cases, so why pollute them more with ‘www.’ The redirect rules make all calls for both www and no-www urls to go to just the no-www domain, and make sure anyone saving a bookmark saves the no-www version.

Oddly enough, there is a site dedicated to the other camp, yes www. Frankly, nothing there is very convincing to me. I’ve been using no www for years and have never had problems.


#34 2018-09-03 12:58:32

jpdupont
Member
Registered: 2004-10-01
Posts: 752

Re: http to https in textpattern

jakob wrote #313781:


An attempt at an explanation

For this reason, you need:

  • an extra webapp and website entry in webfaction for accepting http:// requests and redirecting incoming http: requests to https:. Those redirected requests are then handled by the other webapp with your site installation.

I’m currently creating for each project two websites (aname, and aname_notsecure) that both point to the domain and to the same webapp. The .htaccess file on this webapp redirects from http to https. It works on all my sites, but is it bad for one reason or another, Jakob?


#35 2018-09-03 13:27:19

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,578

Re: http to https in textpattern

jpdupont wrote #313789:

I’m currently creating for each project two websites (aname, and aname_notsecure) that both point to the domain and to the same webapp. The .htaccess file on this webapp redirects from http to https. It works on all my sites, but is it bad for one reason or another, Jakob?

Good question. I wondered if that works too given that there is actually only an htaccess file in the redirect apps I have above. I simply followed webfaction’s recommendation. I presume you also have the exemption line in your htaccess file to allow http access to the .well-known directory?

If it all works on one webapp, that would, I agree, be simpler. And it would also simplify the instructions a great deal.

When I next get some time to upgrade that site, maybe I’ll renew that setup and try out your configuration using the most recent version of the will-in-wi script.


TXP Builders – finely-crafted code, design and txp


#36 2018-09-03 13:41:25

jpdupont
Member
Registered: 2004-10-01
Posts: 752

Re: http to https in textpattern

jakob wrote #313791:

I presume you also have the exemption line in your htaccess file to allow http access to the .well-known directory?

No Jakob, I do not have this line in my .htaccess file. I have not passed version 3 of the certificate installation yet … Everything works normally with version 2, and I’m afraid to cause problems. My procedure is well defined and I need a few minutes for each project, with the creation of websites, domains, webapps and certificates.

I do this to create my “secure” website: I choose the shared certificate. Then I create the correct certificate for the domain, then return to websites to assign the definitive certificate. With this procedure, I no longer have the error message that I sometimes had .well-known not accessible.

