Opened 3 years ago

Closed 3 years ago

#12108 closed Bug/Something is broken (fixed)

HTTPS cert gets overridden by peery.mayfirst.org lets encrypt cert

Reported by: US Pirate Party
Owned by: Jamie McClelland
Priority: High
Component: Tech
Keywords:
Cc: jokeefe@…
Sensitive: no

Description

This is really weird.

I followed the instructions to create a key for blog.pirate-party.us. Paid to get it certified. Installed the certificate and updated the config to get it working. I can access it, and when I go to https://www.ssllabs.com/ssltest/analyze.html?d=blog.pirate-party.us after setting it up the site is fine and it uses the correct cert.

However, after a bit, when I go to the https URL it fails with "the cert is not for this site". When I run https://www.ssllabs.com/ssltest/analyze.html?d=blog.pirate-party.us again, it says that it is using the Let's Encrypt cert for peery.mayfirst.org.

If I save the https webconfig, then it works, but eventually the peery cert is used. Would appreciate it if someone looked into this issue. Thanks.

Change History (8)

comment:1 Changed 3 years ago by US Pirate Party

Cc: jokeefe@… added

comment:2 Changed 3 years ago by JaimeV

Owner: set to Jamie McClelland
Status: new → assigned

This is strange. When I just tried I could see the https version of your site loading fine with the correct certificate but the http version did not. Apache directs to the default web config for peery when it cannot find the config. Looking at the Apache config files the control panel has produced I saw that only the https version had been created. I edited and saved the http config from the control panel and saw that it was successfully created but now the https version was deleted. Then I edited and saved the https version again and the opposite happened. I think we need Jamie to look at this case.
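
The fallback described in the comment above, as an added example that is not part of the ticket or of May First's own code: a Python sketch that mimics Apache's name-based virtual host selection over a constructed config and reports the ports where a site lands on the server's first (default) vhost. The sample config, certificate path and function names are assumptions; wildcard aliases and IP-specific vhosts are not handled.

```python
import re

# Constructed sample config (not the real peery configuration): the site's
# port-80 vhost exists, but its port-443 vhost has been deleted.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName peery.mayfirst.org
</VirtualHost>
<VirtualHost *:443>
    ServerName peery.mayfirst.org
    SSLCertificateFile /etc/ssl/constructed/peery.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.pirate-party.us
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)
CERT_RE = re.compile(r"^\s*SSLCertificateFile\s+(\S+)", re.M | re.I)

def parse_vhosts(conf):
    """Return vhosts in file order as dicts: port, names, cert."""
    vhosts = []
    for port, body in VHOST_RE.findall(conf):
        names = [n.lower() for line in NAME_RE.findall(body) for n in line.split()]
        cert = CERT_RE.search(body)
        vhosts.append({"port": int(port), "names": names,
                       "cert": cert.group(1) if cert else None})
    return vhosts

def select_vhost(vhosts, host, port):
    """Mimic name-based selection: exact name match, else first vhost on the port."""
    on_port = [v for v in vhosts if v["port"] == port]
    for v in on_port:
        if host.lower() in v["names"]:
            return v, True
    return (on_port[0], False) if on_port else (None, False)

def fallback_report(conf, host, ports=(80, 443)):
    """Map each port where `host` has no vhost of its own to the default vhost's name."""
    vhosts = parse_vhosts(conf)
    report = {}
    for port in ports:
        v, matched = select_vhost(vhosts, host, port)
        if not matched:
            report[port] = v["names"][0] if v and v["names"] else None
    return report
```

For the constructed config, `fallback_report(SAMPLE_CONF, "blog.pirate-party.us")` shows port 443 falling through to the peery vhost, which is why a client would be handed the peery certificate.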

comment:3 Changed 3 years ago by US Pirate Party

Thanks. On one browser http redirected to https as I set it up, but later on another browser it redirects to the stock Apache page. Https seems to be good for the moment, but who knows if that will change.

comment:4 Changed 3 years ago by JaimeV

It shouldn't change at all. You might have had one browser configured to automatically forward http requests to https but for the time being you only have a working https config. This is not correct and we will get to the bottom of this but it won't change randomly for now.

comment:5 Changed 3 years ago by Jamie McClelland

Resolution: fixed
Status: assigned → feedback

Oh no!! I'm so sorry for the screw up. This bug is related to our move to using Let's Encrypt, so everyone can have free certificates.

I found the bug and fixed it (on peery). You should now be able to edit the web configurations as you need without having them deleted on the server.

Jaimev: I'm going to sign a tag with this change now.

comment:6 Changed 3 years ago by US Pirate Party

Resolution: fixed
Status: feedback → assigned

Thanks. It seems to be fixed from what I can see. https works. http was still directing the site to an Apache2 page so something isn't completely right, but I added http redirection to deal with that.

Is there a doc on using Let's Encrypt at mayfirst? I would like to set up certs for other sites.

comment:7 Changed 3 years ago by JaimeV

Resolution: fixed
Status: assigned → feedback

Well, actually I can see that now both web configurations exist, for both the http and https versions of the site, so I think Jamie's fix was an improvement. Redirecting the http version to https seems like a good idea anyway.

You can set up Let's Encrypt certs for sites at mayfirst very easily now. This guide should get you started.

https://support.mayfirst.org/wiki/faq/security/setup-certificate

comment:8 Changed 3 years ago by US Pirate Party

Status: feedback → closed