Opened 2 years ago

Closed 2 years ago

#12108 closed Bug/Something is broken (fixed)

HTTPS cert gets overridden by peery.mayfirst.org Let's Encrypt cert

Reported by: https://id.mayfirst.org/uspirateparty
Owned by: https://id.mayfirst.org/jamie
Priority: High
Component: Tech
Keywords:
Cc: jokeefe@…
Sensitive: no

Description

This is really weird.

I followed the instructions to create a key for blog.pirate-party.us. Paid to get it certified. Installed the certificate and updated the config to get it working. I can access it, and when I go to https://www.ssllabs.com/ssltest/analyze.html?d=blog.pirate-party.us after setting it up the site is fine and it uses the correct cert.

However, after a bit, when I go to the https url it fails with the cert is not for this site. When I run https://www.ssllabs.com/ssltest/analyze.html?d=blog.pirate-party.us again, it says that it is using the Let's Encrypt cert for peery.mayfirst.org.

If I save the https webconfig, then it works, but eventually the peery cert is used. Would appreciate it if someone looked into this issue. Thanks.

Change History (8)

comment:1 Changed 2 years ago by https://id.mayfirst.org/uspirateparty

  • Cc jokeefe@… added

comment:2 Changed 2 years ago by https://id.mayfirst.org/jaimev

  • Owner set to https://id.mayfirst.org/jamie
  • Status changed from new to assigned

This is strange. When I just tried I could see the https version of your site loading fine with the correct certificate but the http version did not. Apache directs to the default web config for peery when it cannot find the config. Looking at the Apache config files the control panel has produced I saw that only the https version had been created. I edited and saved the http config from the control panel and saw that it was successfully created but now the https version was deleted. Then I edited and saved the https version again and the opposite happened. I think we need jamie to look at this case.
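
An added example, not part of the ticket or of May First's control panel code: a check for the condition described in comment 2, where a hostname has a vhost on only one of ports 80 and 443, so requests on the other port fall through to the server's default vhost. The config text, hostnames and file paths are constructed placeholders, and the parser assumes plain `ServerName`/`ServerAlias` values without a scheme or port suffix.

```python
import re
from collections import defaultdict

# Constructed sample: placeholder hostnames, not the server's real config.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName default.example.net
</VirtualHost>
<VirtualHost *:443>
    ServerName default.example.net
    SSLCertificateFile /etc/ssl/default.example.net.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName blog.example.org
    ServerAlias www.blog.example.org
    SSLCertificateFile /etc/ssl/blog.example.org.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)

def ports_by_host(conf_text):
    """Map each ServerName/ServerAlias to the set of ports it has a vhost on."""
    ports = defaultdict(set)
    for addrs, body in VHOST_RE.findall(conf_text):
        # "*:443" -> "443"; also works for "[::1]:443"
        vhost_ports = {a.rsplit(":", 1)[1] for a in addrs.split() if ":" in a}
        for line in NAME_RE.findall(body):
            for name in line.split():
                ports[name.lower()] |= vhost_ports
    return ports

def missing_vhosts(conf_text, required=("80", "443")):
    """Return {hostname: [required ports with no vhost for that name]}.
    On those ports Apache answers with the first vhost defined for the address."""
    return {
        host: [p for p in required if p not in seen]
        for host, seen in sorted(ports_by_host(conf_text).items())
        if any(p not in seen for p in required)
    }

if __name__ == "__main__":
    for host, ports in missing_vhosts(SAMPLE_CONF).items():
        print(f"{host}: no vhost on port(s) {', '.join(ports)}")
```

Running it over the concatenated contents of the enabled site files after each control panel save would show whether saving one config removed the other.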

comment:3 Changed 2 years ago by https://id.mayfirst.org/uspirateparty

Thanks. On one browser http redirected to https as I set it up, but later on another browser it redirects to the stock Apache page. Https seems to be good for the moment, but who knows if that will change.

comment:4 Changed 2 years ago by https://id.mayfirst.org/jaimev

It shouldn't change at all. You might have had one browser configured to automatically forward http requests to https but for the time being you only have a working https config. This is not correct and we will get to the bottom of this but it won't change randomly for now.

comment:5 Changed 2 years ago by https://id.mayfirst.org/jamie

  • Resolution set to fixed
  • Status changed from assigned to feedback

Oh no!! I'm so sorry for the screw up. This bug is related to our move to using Let's Encrypt, so everyone can have free certificates.

I found the bug and fixed it (on peery). You should now be able to edit the web configurations as you need without having them deleted on the server.

Jaimev: I'm going to sign a tag with this change now.

comment:6 Changed 2 years ago by https://id.mayfirst.org/uspirateparty

  • Resolution fixed deleted
  • Status changed from feedback to assigned

Thanks. It seems to be fixed from what I can see. https works. http was still directing the site to an Apache2 page so something isn't completely right, but I added http redirection to deal with that.

Is there a doc on using Let's Encrypt at mayfirst? I would like to set up certs for other sites.

comment:7 Changed 2 years ago by https://id.mayfirst.org/jaimev

  • Resolution set to fixed
  • Status changed from assigned to feedback

Well, actually I can see that now both web configurations exist, for both the http and https versions of the site, so I think jamie's fix was an improvement. Redirecting the http version to https seems like a good idea anyway.

You can set up Let's Encrypt certs for sites at mayfirst very easily now. This guide should get you started.

https://support.mayfirst.org/wiki/faq/security/setup-certificate

comment:8 Changed 2 years ago by https://id.mayfirst.org/uspirateparty

  • Status changed from feedback to closed
