Textpattern CMS support forum


#21 2018-08-31 14:25:57

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,020
Website

Re: http to https in textpattern

Destry wrote #313741:

letsencrypt_webfaction [cmd] [*args]...

Where [cmd] options are init and run. But do I use them both? One or the other? It doesn’t say, nor does it describe either one. I don’t want to just start blasting commands experimentally and blow up my neighbourhood.

Looking at it closer, I think what it’s saying in the instructions — in not so clear terms — is ‘these are the only two commands, use them both’.

So I tried. The neighbourhood didn’t explode, but…

letsencrypt_webfaction init run
Config file already exists. Skipping copy...
Account private key already exists. Skipping generation...
Your system is set up. Next, edit the config file: run `nano ~/letsencrypt_webfaction.toml`.

I guess that means I need to manually delete all the old/expired certificates from the ~/certificates directory? Because as far as I can tell, the config file is now ready to go. Not sure why it’s sending me back there.

Deleting old stuff now.


The text persuades, the notes prove.


#22 2018-08-31 15:05:02

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,020
Website

Re: http to https in textpattern

Welp, that didn’t work. I’m not allowed to delete the old/outdated cert files.

Might be time to hit up the dev, or WF. I’ve reached the end of my efforts.



#23 2018-09-02 12:23:51

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,020
Website

Re: http to https in textpattern

I’ve managed to get through the Will-n-Wi process. The new, sole cert has been updated and all subdomain sites on that domain applied to it. But I’m not seeing any valid encryption on the domain yet. Maybe there’s a propagation wait?

Also, side Q, where is the best place to position custom mod_rewrite rules in the main .htaccess file? Notably rules for ‘www’ class B redirections and http-to-https redirections.

Never mind, I found Jakob’s suggestion from first page, so I have it like this:

...
<IfModule mod_rewrite.c>
    RewriteEngine On

    #RewriteBase /relative/web/path/

    # BEGIN CUSTOM REDIRECT RULES (NOT CORE TEXTPATTERN)
            ## Class B redirection (no "www")
            RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
            RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

            ## Redirect http to https
            RewriteCond %{HTTPS} !=on
            RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # END CUSTOM RULES
...
</IfModule>
...


#24 2018-09-02 13:56:17

jakob
Moderator
From: Germany
Registered: 2005-01-20
Posts: 3,159
Website

Re: http to https in textpattern

Sorry, I overlooked this. I did start writing some instructions based on your earlier version and Jean-Pol’s and then will-in-wi updated his script and my instructions were outdated before I had finished them. I’ve not updated my own will-in-wi script yet but the earlier version still works as the cron job updated the certificates as of this morning.

Your stumbling block might be that before letsencrypt issues a certificate it tests if a task can be completed on the actual domain (the acme challenge). On my setup it does that via http: (not https:) and you therefore need to ensure the service has access to your .well-known directory before your webapp redirects any incoming requests to https://.

I added this line:

RewriteCond %{REQUEST_URI} !^/?\.well\-known/acme\-challenge

anywhere after `RewriteEngine On` but in the block of lines directly before your redirect from `http` to `https` to allow requests to that directory via http (without s) to go through. For example:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/?\.well\-known/acme\-challenge
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

I followed webfaction’s instructions and created a static PHP app for the non-secure domain(s) containing just an htaccess file to redirect all requests from http: to https:. All the secure domains point directly to the actual webapp running textpattern. Does that make sense, or should I write out my setup in more detail?


TXP Builders – finely-crafted code, design and txp


#25 2018-09-02 14:26:13

jakob
Moderator
From: Germany
Registered: 2005-01-20
Posts: 3,159
Website

Re: http to https in textpattern

If your certificate has been generated okay, you’ll see it listed in the webfaction admin panel under Domains / Websites > SSL certificates.

If that’s worked correctly but you’re not seeing it working on your homepage, go to Domains / Websites > Websites and click on the website entry that’s taking the incoming https: requests for the domains covered by the certificate. In the row with the heading Security section, there’s now a dropdown beneath the [Normal / Encrypted] button called “Choose a certificate” where you select which certificate applies for those websites. If that’s not selected, that may be why you’re not seeing it on your homepage.



#26 2018-09-02 20:21:54

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,020
Website

Re: http to https in textpattern

Can someone who has the will-n-wi LE WF setup working PLEASE show me what your .htaccess file looks like for the redirects. I’m going round and round with WF support and getting no place, and I’ve been at this certs crap all frickin’ day!

When I try to run the cert command, I keep getting an error like this for one of the subdomain sites:

sub.domain.tld: Fetching https://sub.domain.tld/.well-known/acme-challenge/bgnmz4O516-AomMS6uIb4NcfqO7PBqJvXbHn7Y1jlyk: Error getting validation data
Make sure that you can access http://sub.domain.tld/.well-known/acme-challenge/bgnmz4O516-AomMS6uIb4NcfqO7PBqJvXbHn7Y1jlyk
www.sub.domain.tld: Fetching https://sub.domain.tld/.well-known/acme-challenge/gOQG3vyjor0ov3P_XkULPyv6jNHFcEsw9fr_1KpKDr0: Error getting validation data
Make sure that you can access http://www.sub.domain.tld/.well-known/acme-challenge/gOQG3vyjor0ov3P_XkULPyv6jNHFcEsw9fr_1KpKDr0

As a result of getting even a single error, the real cert doesn’t get issued.

I’m told that I need to use this set of mod_rewrite rules to exclude the .well-known challenge from the redirect applied to the rest of the site.

So now in the main .htaccess file for the three sites I’m trying to get working, they all include this custom set of rules, exactly the same way:

## Class B (no www) redirects
 # This one especially for LE-WF certs to work
 RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
 RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
 RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

## Redirects for http to https
 RewriteCond %{HTTP:X-Forwarded-SSL} !on
 RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

But that doesn’t work. I still can’t successfully issue a cert. I’m told there’s some kind of redirect looping going on, but I don’t know WTF they’re talking about, and it keeps getting pushed back on me to figure out on my own. sigh

Then I’m told this, which has to do with setting things up in the WF dashboard, but I don’t understand what they’re saying:

The way you’ve setup your sites is not incorrect, but it may be less work to maintain if you had one HTTPS site and one HTTP site for each site with the main domain and www both on each site, and the HTTP website record serving only the .htaccess file to perform the redirection.

I’m like, What?!

I’m tired of the WF way of things. I need some normalcy in a web host.



#27 2018-09-02 21:37:38

jakob
Moderator
From: Germany
Registered: 2005-01-20
Posts: 3,159
Website

Re: http to https in textpattern

Destry, can I get back to you on this tomorrow morning and outline the setup I have, which is more or less what they’re describing. It sounds complicated and roundabout but makes sense in the end. It sounds like you may be routing http and https traffic through one webapp, and that’s much trickier. I have one webapp for http just as a redirect (with said .htaccess exemption for .well-known folder), and another for https with the actual website. That way, they don’t get in each other’s way.



#28 2018-09-02 21:42:32

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,020
Website

Re: http to https in textpattern

Yes, take your time. I’m going to bed.

Also, to be fair to WF, I spilled my frustration to the support person and they are now going some extra distance to iron some things out for me. ;)

I’ll see how things are like tomorrow.

G’nighty!



#29 2018-09-03 08:57:08

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,020
Website

Re: http to https in textpattern

Jakob,

I awoke to find WF had fixed all my sites. And I was provided with a decent explanation of how they made adjustments on the dashboard side (which I can see now so that helps a lot) and in my .htaccess files.

In the latter case, these are the only rules needed now for certs, and only if, like me, you want Class B redirects:

## Class B (no www) redirects
	RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
	RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

I think you had guessed correctly about what they were suggesting. And this has implications for what ‘webapp root path’ to assign in the will-n-wi config file too, so I would have never figured this all out by his instructions alone.

Basically, decent instructions for this whole process would be two parts/docs: First to clearly describe how to set up websites on the WF dashboard side (because there’s more than one way to do it, but only one way is optimally the best for certs), and then how to set up the cert(s) side with William’s gems.

I will be writing those docs for my benefit now since I’ve fought through the process and have the pieces before me.

You are off the hook as far as it concerns helping me. I would love if you’d read the docs later when ready, though, to see it all jives.

Oh, I did also learn that WF plans to integrate certs creation a lot better in the dashboard (probably automating a lot in relation to their API), but I wouldn’t count on this happening any time soon.



#30 2018-09-03 09:22:15

jakob
Moderator
From: Germany
Registered: 2005-01-20
Posts: 3,159
Website

Re: http to https in textpattern

Ah well, I only just read this after writing my instructions. Glad you got it sorted. Having written them, I’ll include them here in case they help others, or yourself when updating your instructions. I’ll send you the beginnings of my instructions via email in case that helps to get you started (which in turn are originally based on yours and Jean-Pol’s).

I think part of Webfaction’s unusual / idiosyncratic setup stems from the fact that you can install multiple different systems (Node, Rails, Go, Python…) on one account and I agree, their separation into domains, applications and websites is a bit disorientating compared with other hosts.

The client I have on webfaction has two different actual websites – one running on txp, the other on wp – and a number of domains (same domain name with different TLDs) that feed into them.

Domains

I don’t have any special settings here. Each domain and subdomain is listed as hosted by Webfaction. No other special DNS entries.

Applications

For each of these actual websites, I have two applications all of type Static/CGI/PHP. In the menu Domains/Websites » Applications:

Application name               Application type
migratio_redirect_to_https     Static/CGI/PHP-x.x
migratio_www                   Static/CGI/PHP-x.x
integratio_redirect_to_https   Static/CGI/PHP-x.x
integratio_www                 Static/CGI/PHP-x.x

You see these in (s)ftp as separate directories in the /webapps directory. (migratio and integratio are what my accounts are called, yours will be different).

The {sitename}_www folder contains the actual website installation (txp, wp, etc.) as usual.

The {sitename}_redirect_to_https folder contains just an .htaccess file and the .well-known directory (I forget now whether I created that or whether the certificate installation script did). My .htaccess looks like this:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/?\.well\-known/acme\-challenge
RewriteRule ^(.*)$ https://www.maindomainname.org%{REQUEST_URI} [R=301,L]

but you could also use the one outlined on the Exception RewriteCond you linked to above. The difference is primarily that in my case I have hard-coded the domain name so that all the other domainname.com/.net/.eu etc. TLDs get redirected to the .org domain using www.

Reminder: Don’t forget to add this webapp to the public section of your letsencrypt_webfaction config file.

PS: I don’t have any other Class B entries you mention (not even sure what that is). I think that may hang together with the previous script you were using.

Websites

In the menu Domains/Websites » Websites.

For each actual website, I have two entries, one for http and one for https.

Website name         Domains                    Security             Application
SitenameA_http       http://domainA.org         Normal (http)        migratio_redirect_to_https
                     http://www.domainA.org
                     http://domainA.net
                     http://www.domainA.net
                     etc.
SitenameA_live_ssl   https://domainA.org        Encrypted (https)    migratio_www
                     https://www.domainA.org    {certificate_name}
                     https://domainA.net
                     https://www.domainA.net
                     etc.
SitenameB_http       http://domainB.org         Normal (http)        integratio_redirect_to_https
                     http://www.domainB.org
                     etc.
SitenameB_live_ssl   https://domainB.org        Encrypted (https)    integratio_www
                     https://www.domainB.org    {certificate_name}
                     etc.

Reminder for later: Don’t forget (if the script doesn’t already set it) to set the certificate name for the https entries under “Choose a certificate”.

Run will-in-wi/letsencrypt-webfaction

Now you can return to the will-in-wi letsencrypt_webfaction script and update your config. I’m still running a slightly earlier version but it also uses a config file that’s very similar to the current instructions (example here). Under domains I have:

domains = [
  "domainA.org",
  "www.domainA.org",
  "domainA.net",
  "www.domainA.net",
  "domainA.eu",
  "www.domainA.eu",
  "domainB.org",
  "www.domainB.org",
  "domainB.org.uk",
  "www.domainB.org.uk"
]

Add further subdomains (e.g. beta. etc.) to the list, if you’re using them.

And under public I have:

public = [
  "~/webapps/migratio_redirect_to_https/",
  "~/webapps/migratio_www/",
  "~/webapps/integratio_redirect_to_https/",
  "~/webapps/integratio_www/"
]

With that setup, you can have a single LetsEncrypt certificate for multiple domains and subdomains on one account. If you prefer to have separate certificates for separate actual websites, you can, I believe, now make a new [[certificate]] entry for each set of domains and webapps as described in will-in-wi’s example.

Now you should be able to run the script and, fingers crossed, your certificate (or certificates) will be created and you should see it (or them) shortly after under Domains/Websites » SSL certificates in the webfaction admin area, along with a valid until date, the domains it applies to and the webfaction website names it applies to.

Remember to check that the certificate name also shows under “Choose a certificate” in your respective website entry in the webfaction panel. If not, specify the certificate.

Cron job

My cron job has just this in it (but I’m not running any other scripts on there):

MAILFROM={email-you-specified-under-letsencrypt_account_email-in-the-config-file}
MAILTO={my-personal-email-address}

# Let's Encrypt Update (System Ruby) at 05:00 on day-of-month 2 in every 2nd month.
0 5 2 */2 *     PATH=$PATH:$GEM_HOME/bin:/usr/local/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction run --quiet

Use crontab.guru to determine the code you need for your cron schedule.

As you will have seen on your issue thread on GitHub, the will-in-wi author suggests running the script much more often – like every few days. Apparently the script will not renew certificates more than 30 days prior to expiry, so it’s better to let it run more often so that you don’t get left high and dry should the certificate update happen to fail. I will update mine accordingly.

An attempt at an explanation

This is my interpretation of why things need to be set up this way. As far as I have understood this, this rather convoluted-looking setup has two reasons:

  • Webfaction allows you to set up website entries in its admin area that receive requests via http or via https but not both.
  • Browsers will only accept https requests to a website if the site has an SSL certificate (or if you actively override that requirement). I presume the server does the same. As the LetsEncrypt validation procedure (the so-called acme-challenge) can’t assume there is already a certificate in place, it sends a regular http: request.

For this reason, you need:

  • an extra webapp and website entry in webfaction for accepting http:// requests and redirecting incoming http: requests to https:. Those redirected requests are then handled by the other webapp with your site installation.
  • a line in your .htaccess file that exempts the LetsEncrypt validation procedure request from being redirected to https.

If you have other areas/subdirectories of your site that need regular http:// access, you need to add those as further RewriteCond entries to your .htaccess.

I hope that’s some help!!


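To make the point of jakob’s exemption line (post #24) and of the explanation above concrete, here is an added example that is not part of any post in this thread and not code from the letsencrypt_webfaction project. It models the mod_rewrite evaluation of the rules quoted in the thread in plain Python, so you can see, without touching a live server, why the HTTP-01 challenge request must be let through over plain http and why the redirect webapp must still bounce everything else to https. The rule sets, the hostname example.org and the challenge path are constructed for the example; it assumes, as the quoted rules do, that the front-end proxy marks TLS requests with the X-Forwarded-SSL header.

```python
import re

# A rule is (conditions, pattern, target); a condition is
# (server_variable, pattern, nocase). A leading "!" negates the pattern,
# as in RewriteCond. These are constructed copies of the rules quoted in
# the thread, not the live .htaccess files of either poster.
ACME_EXEMPT = ("REQUEST_URI", r"!^/?\.well\-known/acme\-challenge", False)
PLAIN_HTTP = ("HTTP:X-Forwarded-SSL", "!on", False)
WWW_HOST = ("HTTP_HOST", r"^www\.(.*)$", True)
FORCE_HTTPS = "https://%{HTTP_HOST}%{REQUEST_URI}"

# Redirect webapp with no exemption: every plain-http request, the ACME
# validation request included, is bounced to https.
RULES_WITHOUT_EXEMPTION = [
    ([PLAIN_HTTP], r"^(.*)$", FORCE_HTTPS),
]

# Redirect webapp as the thread recommends: drop "www", then force https,
# but let /.well-known/acme-challenge/... through over plain http.
RULES_WITH_EXEMPTION = [
    ([ACME_EXEMPT, WWW_HOST], r"^(.*)$", "https://%1/$1"),
    ([ACME_EXEMPT, PLAIN_HTTP], r"^(.*)$", FORCE_HTTPS),
]


def evaluate(rules, scheme, host, uri):
    """Return ("redirect", url) or ("pass", uri) for one request.

    Mimics the mod_rewrite semantics the thread relies on: every RewriteCond
    must hold for its RewriteRule to fire, "!" negates a condition, %N is a
    capture of the last matching RewriteCond and $N a capture of the rule
    pattern, and [R=301,L] stops processing at the first firing rule.
    Assumption: the front-end proxy sets X-Forwarded-SSL: on for TLS
    requests, as the rules quoted in the thread expect.
    """
    env = {
        "HTTP_HOST": host,
        "REQUEST_URI": uri,
        "HTTP:X-Forwarded-SSL": "on" if scheme == "https" else "",
    }
    # In a per-directory .htaccess the RewriteRule pattern sees the path
    # without its leading slash.
    path = uri.lstrip("/")
    for conditions, pattern, target in rules:
        cond_groups = ()
        satisfied = True
        for variable, cond_pattern, nocase in conditions:
            negate = cond_pattern.startswith("!")
            regex = cond_pattern[1:] if negate else cond_pattern
            match = re.search(regex, env[variable], re.IGNORECASE if nocase else 0)
            if bool(match) == negate:
                satisfied = False
                break
            if match:
                cond_groups = match.groups()
        if not satisfied:
            continue
        match = re.search(pattern, path)
        if not match:
            continue
        url = target
        for i, group in enumerate(cond_groups, 1):
            url = url.replace("%" + str(i), group)
        for i, group in enumerate(match.groups(), 1):
            url = url.replace("$" + str(i), group)
        for variable, value in env.items():
            url = url.replace("%{" + variable + "}", value)
        return ("redirect", url)
    return ("pass", uri)


def audit(rules, host="example.org"):
    """Return the problems a certificate run would hit with this rule set.

    Checks the two things the thread says a redirect webapp must do: leave
    the HTTP-01 challenge path reachable over plain http (for the bare and
    the www host), and still send ordinary plain-http requests to https.
    """
    problems = []
    token_path = "/.well-known/acme-challenge/TOKEN"  # constructed sample path
    for candidate in (host, "www." + host):
        outcome = evaluate(rules, "http", candidate, token_path)
        if outcome[0] != "pass":
            problems.append(f"{candidate}: challenge redirected to {outcome[1]}")
    outcome = evaluate(rules, "http", host, "/")
    if outcome[0] != "redirect" or not outcome[1].startswith("https://"):
        problems.append(f"{host}: plain http / not redirected to https")
    return problems


if __name__ == "__main__":
    for name, rules in (("without exemption", RULES_WITHOUT_EXEMPTION),
                        ("with exemption", RULES_WITH_EXEMPTION)):
        print(name, "->", audit(rules) or "OK")
```

Run it and the rule set without the exemption reports the challenge path being redirected for both the bare and the www host, which is the same shape as the “Fetching https://… Error getting validation data” output in post #26; the recommended set passes the challenge through, strips www, forces https for everything else, and leaves https requests alone. The `audit` function is the check to rerun whenever you touch the redirect webapp’s .htaccess.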
