Web Hosting Forum | Lunarpages

Author Topic: Let's Encrypt  (Read 43085 times)

Offline mbchb

  • Trekkie
  • **
  • Posts: 16
Re: Let's Encrypt
« Reply #15 on: December 14, 2017, 10:22:48 AM »
It seems to be working fine for my sites, but I tried to set up an http to https 301 redirect and it does not work.

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6246
Re: Let's Encrypt
« Reply #16 on: December 14, 2017, 11:02:25 AM »
If you show your .htaccess code to do the redirect, maybe someone can figure it out. And is this in the root (/) .htaccess? Does giving https: in the address work -- it's just http: doesn't get changed to https:? Does it fail for files in both the root and in deeper directories?
« Last Edit: December 14, 2017, 11:04:15 AM by MrPhil »
-= From the ashes shall rise a sooty tern =-

Offline mbchb

Re: Let's Encrypt
« Reply #17 on: December 15, 2017, 07:13:44 AM »
Yes, the main domain and all addons work fine when using https instead of http. I used the Control Panel 301 redirect to generate the .htaccess code. I was experimenting with a single primary domain, so I selected a single domain, rather than all. The CP redirect generated the code below within the .htaccess, located in the primary domain's public_html directory.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^websitedomainname\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.websitedomainname\.com$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ "https\:\/\/websitedomainname\.com\/$1" [R=301,L]

The code looked OK to me, but it would not allow access to the http or https version of the site, often giving the "too many redirects" error.

Thanks

Offline MrPhil

Re: Let's Encrypt
« Reply #18 on: December 15, 2017, 08:23:28 AM »
The first two lines can be simplified to
Code:
RewriteCond  %{HTTP_HOST}  ^(www\.)?websitedomain\.com$
The last line can be simplified to
Code:
RewriteRule  ^(.*)$  https://websitedomain.com/$1  [R=301,L]
Now, do you have another rewrite rule (redirect) somewhere that redirects websitedomain.com to www.websitedomain.com? If you do, that will give you a loop ("too many redirects") because you're changing the incoming URL to websitedomain.com, and then changing it to www.websitedomain.com. Furthermore, you want to put a guard RewriteCond on to do this only if it comes in http, not https -- that could also be giving you a loop. If you want to force websitedomain.com (no www):
Code:
RewriteEngine On
# Redirect when the request is not HTTPS, or the host is not the bare domain
RewriteCond  %{HTTPS}  !on  [OR]
RewriteCond  %{HTTP_HOST}  !^websitedomain\.com$  [NC]
# Leave the cPanel/Comodo domain-validation (DCV) files reachable without a redirect
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ https://websitedomain.com/$1 [R=301,L]
If you want to force www (www.websitedomain.com):
Code:
RewriteEngine On
# Redirect when the request is not HTTPS, or the host is not the www form
RewriteCond  %{HTTPS}  !on  [OR]
RewriteCond  %{HTTP_HOST}  !^www\.websitedomain\.com$  [NC]
# Leave the cPanel/Comodo domain-validation (DCV) files reachable without a redirect
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ https://www.websitedomain.com/$1 [R=301,L]

Don't forget to remove any other no www -> www (or vice-versa) redirects. Also, if you have add-on domains or subdomains that you do or don't want SSL forced, this will have to be changed a bit. It's not clear to me what you have and what you want done, so I didn't clutter it up with more cases. Basically, for each domain name (or subdomain), you would have a section like that above.

Offline mbchb

Re: Let's Encrypt
« Reply #19 on: December 15, 2017, 11:07:19 AM »
I appreciate the information. I have checked the root and there are no redirects set up anywhere that I can find.

I was just trying to set my primary domain so that all requests to http (including http://www) would be redirected to the https version of the site. Eventually, I would like to do the same for the sub domains. However, some of the sub domains are hosted on but not registered with Lunarpages.


Offline MrPhil

Re: Let's Encrypt
« Reply #20 on: December 15, 2017, 11:30:38 AM »
If you're getting redirect loops, then something is going beyond what you've shown here. Usually, it's something like forcing "www." in one place and then non-www in another, by accident, when trying to do something like forcing https. The "other" place could be in this .htaccess, or in one in another directory.

It should be simple enough to redirect all http (non-SSL) to https (SSL) for a given domain name. I take it you have a primary domain and one or more add-on domains. There remains the possibility that you may not "see" the add-on domain names during .htaccess processing, but already have it changed to primary-domain/add-on-top-directory/. That would be seen as add-ons or subdomains being switched to SSL, even though you only specified the primary domain in the rules. Anyway, something to keep in mind (you might have to specifically exclude the top level directory of the add-on or subdomain in a RewriteCond).

My understanding is that subdomains are strictly local to Lunarpages' internal nameservers, and have nothing to do with a registrar. Add-ons are registered with a registrar, which can be LP (handled by Tucows) or some other registrar service. Both come in to your site under the primary domain, with a specified root directory (public_html/addOnName/ or public_html/subDomainName/), unless something has radically changed since I last played with this. If you attempt to put a subdomain on an add-on domain, I'm not sure what will happen (didn't work years ago).

Anyway, you need to use cPanel/LPCP/other control panel to add or delete add-on domains or subdomains, but be careful about getting tricky with it -- things like subdomains on add-on domains may still break. And there's always the possibility that SSL doesn't yet work on some things.

Offline mbchb

Re: Let's Encrypt
« Reply #21 on: December 15, 2017, 11:45:17 AM »
I am thinking that the guard condition you mentioned may be the problem:

RewriteCond  %{HTTPS}  !on  [OR]

I will give your last code a try shortly. The CP generated code omitted that line.

Thanks again.
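
Added example (not from any poster in this thread, and not Lunarpages or cPanel code): a simplified Python model of the two rule sets discussed above. It shows why the control-panel rules, which never test %{HTTPS}, redirect an https request back to itself, while the guarded rules settle after one hop and leave the DCV validation paths alone. The function names and the (https, host, path) request tuple are assumptions; the domain is the thread's placeholder.

```python
import re

# DCV exclusions copied from the RewriteCond lines in the thread.
DCV = [re.compile(r"^/[0-9]+\..+\.cpaneldcv$"),
       re.compile(r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?: Comodo DCV)?$")]
CANON = "websitedomainname.com"  # placeholder domain used in the thread


def is_dcv(path):
    return any(p.match(path) for p in DCV)


def cp_generated(https, host, path):
    """Reply #17 rules: host match only; the scheme is never inspected."""
    if re.match(r"^(www\.)?websitedomainname\.com$", host) and not is_dcv(path):
        return (True, CANON, path)  # R=301 to https://CANON/path
    return None  # no rule fired, the request is served


def guarded(https, host, path):
    """Reply #18 rules: (HTTPS != on OR host != canonical) AND not a DCV path."""
    if (not https or host.lower() != CANON) and not is_dcv(path):
        return (True, CANON, path)
    return None


def follow(rules, https, host, path, max_hops=10):
    """Follow 301s like a browser; return (hops, final_request, looped)."""
    req = (https, host, path)
    for hops in range(max_hops):
        nxt = rules(*req)
        if nxt is None:
            return hops, req, False
        req = nxt
    return max_hops, req, True  # gave up: "too many redirects"


if __name__ == "__main__":
    start = (False, "www.websitedomainname.com", "/index.html")
    print("cp_generated:", follow(cp_generated, *start))
    print("guarded:     ", follow(guarded, *start))
```

The model treats the request path as REQUEST_URI and ignores per-directory prefix stripping, so it captures the condition logic only, not every detail of Apache's rewrite engine.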

Offline mbchb

Re: Let's Encrypt
« Reply #22 on: December 20, 2017, 08:59:45 AM »
Your redirect code seems to work fine for my primary domain; it causes some issues with the sub domains - not providing access to sub-directories. I think there was a flag in CP that created a wildcard for the sub-directories.

I will play around with it, but I suspect Lunarpages has not fully implemented the free SSL for shared accounts.

Thanks again for the info.

Offline MrPhil

Re: Let's Encrypt
« Reply #23 on: December 20, 2017, 02:41:42 PM »
One thing to keep in mind (at least as of a couple years ago, on a cPanel server) is that LP does weird things with .htaccess. What I found happening is that if an actual directory path was given in the address, the server skipped over the root and other higher-level .htaccess files, and went directly to that directory and its .htaccess. They denied they were doing that, but I proved they were (and worked around it by never giving actual directory paths deeper than root). So, if you had a redirect in your /.htaccess, it wouldn't be seen if you gave a deeper address. Maybe it's been fixed since then, but if not, it's something to consider if you're getting odd behavior.

Also, it's difficult to tell in advance if your HTTP_HOST is going to be the add-on or subdomain name, or if it's going to be the primary domain with the top level directory. I think it will consistently be one way or the other, but you may need to do some experimenting to see what form to use in your .htaccess.

Offline MrPhil

Re: Let's Encrypt
« Reply #24 on: January 14, 2018, 02:16:23 PM »
I got an email today from "cPanel" telling me that I am the proud owner of a renewed DV certificate for AutoSSL. I guess that means that SSL is formally available. It says that I should go to the SSL/TLS Wizard to upgrade to an EV or OV certificate.
  • What are EV and OV certs, and when would I want to pay (?) for one?
  • Where is this wizard? The link just took me to my normal cPanel page, and I don't see anything mentioning TLS or SSL.
  • The cert is said to expire April 15. Is this thing auto-renewed every 90 days?
  • What is the encryption strength of this SSL cert (bits)? Is it something acceptable to any payment gateway?

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1552
    • http://www.notonebit.com
Re: Let's Encrypt
« Reply #25 on: January 16, 2018, 07:36:15 AM »
I didn't get an email like that. Would be nice if LP sent out updates when they do stuff like this.
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline MrPhil

Re: Let's Encrypt
« Reply #26 on: January 16, 2018, 08:45:49 AM »
Hmm. Maybe it was a false alarm, like those missiles approaching Hawaii? I'm still waiting for an announcement from LP itself that the system can be used.

Offline scanman20

Re: Let's Encrypt
« Reply #27 on: January 17, 2018, 06:38:07 AM »
Hmm. Maybe it was a false alarm, like those missiles approaching Hawaii?
   :clap:


 
