Example of location bar with lock indicating secure HTTPS connection

I have set up HTTPS on my website (see the closed lock in the address bar?). Webfaction hosts my websites, and I set up the TLS certificates using free certificates from Let's Encrypt. I have done it several times now, but I continue to forget how to do it the next time I try to set it up. The following are notes to myself that I hope might be helpful to someone else as well. (Note that these instructions work only for websites hosted on Webfaction.)

Step 1: Add the domain. In the Webfaction panel, add the domain that you want to use. I used two for this website: mikebader.net and media.mikebader.net. Webfaction treats each subdomain as its own domain.

Step 2: Create applications. I run the website on which I posted this using the Django web framework, so I set up that application first. I then needed to set up a second "static" application: App category -> Static and App type -> Static/CGI/PHP-*.*

Step 3: Create websites. Now you need to create your websites. Notice the plural there: you will need two websites, even if you only plan to serve one. One website will be served using HTTPS and the other will serve HTTP. For now, we will only create the static website. When you create the new website, I would suggest naming it static. Keep the default options, type the main domain of your website in the Domains row, click "Add an application", then "Reuse an existing application", and select the static application that you created in Step 2. Be sure to save the website.

Step 4: Add the .well-known directory. Now SSH to your Webfaction server. Navigate to your static web application (e.g., ~/webapps/static/) and make a directory called .well-known (letsencrypt_webfaction will place its challenge files under it):

cd ~/webapps/static/
mkdir .well-known

Step 5: Install letsencrypt_webfaction. Install the letsencrypt_webfaction utility following the instructions on the letsencrypt-webfaction website.

Step 6: Run a test to create your certificates. Now create your certificates, again following the letsencrypt-webfaction website usage instructions. To keep everything in one place, here is the command:

letsencrypt_webfaction --letsencrypt_account_email you@youremail.com --domains yourdomain.com --public ~/webapps/static/ --username myusername --password mypassword --endpoint https://acme-staging.api.letsencrypt.org/

Your password is your password for the Webfaction panel, not your shell password, and --public is the directory of the static application that you created in Step 2 (~/webapps/static/), because that is where the .well-known directory from Step 4 lives. Be aware that passing --password on the command line leaves the panel password in your shell history and shows it in the process list while the command runs; the letsencrypt_webfaction documentation also covers reading these options from a config file, which is what you want for the renewal cron job anyway. The --endpoint option pointing to https://acme-staging.api.letsencrypt.org/ makes this a test run against Let's Encrypt's staging environment. Let's Encrypt rate-limits certificate issuance per domain and the number of failed validations per hour, and a run that fails counts against those limits; the staging server has much looser limits and issues certificates that browsers do not trust, so use it until the whole process succeeds.

If everything goes according to plan, you should see a message like this (except that <name> will be the name of the certificate that Let's Encrypt created):

Your new certificate is now created and installed.
You will need to change your application to use the <name> certificate.

This is not your certificate! It was only the test (issued by the staging server, so no browser will trust it), which means that we need to move on to:

Step 7: Create the certificate. Now run the exact same command in your SSH session without the --endpoint option. You should once again get the message:

Your new certificate is now created and installed.
You will need to change your application to use the <name> certificate.

Switch to your Webfaction panel and click on the SSL certificates tab; you should see a name in boldface there that matches <name> from the message above. If so, great job, you're almost there!

Step 8: Associate the SSL certificate with your website. Now click on the Websites tab and click the button Add a new website. After you enter a name, click the button that says "Encrypted website (https)". A drop-down menu will appear that asks you to "Choose a certificate". You should have only one option in the drop-down, but if you have more, select the certificate whose name is the <name> from Step 7. Associate the website with your domain (it must be one of the ones you entered with the --domains option in Step 7) and select the application that you would like to use for the content of the site (for me, that was my Django application).

Step 9: Set up .htaccess to redirect HTTP to HTTPS. You now have a setup where a visitor who goes to https://yourdomain.com reaches the HTTPS site that serves the content from your main application, but a visitor who goes to http://yourdomain.com gets the content of the static application (which, by default, is an index page that says "Hello, world."). That is not what you want. You want someone who goes to http://yourdomain.com/blog, for example, to be seamlessly redirected to https://yourdomain.com/blog. To do that, create (or edit) the .htaccess file in the static application's directory (~/webapps/static/.htaccess). The contents of the file will look something like:

RewriteEngine On
RewriteRule ^\.well-known/acme-challenge/ - [L]

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The first line turns on Apache's rewrite engine for this directory. The second line lets requests for http://yourdomain.com/.well-known/acme-challenge/... be served as-is over HTTP: that is where letsencrypt_webfaction places the token for the Let's Encrypt HTTP-01 challenge, and Let's Encrypt must be able to fetch it over plain HTTP. The "-" substitution means "leave the path alone" and the [L] flag stops rule processing, so the redirect below never applies to those requests. The pattern is anchored with ^ so that only that one directory is exempt; an unanchored pattern such as (\.well-known.*) would match anywhere in a path and quietly serve any URL that merely contains ".well-known" over HTTP.1

The last two lines redirect every other request that arrives without TLS to the same host and path over HTTPS. R=301 makes it a permanent redirect (browsers cache it, so make sure the HTTPS site is working before you add it), and L stops processing once the redirect has been issued.
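The difference between an anchored and an unanchored pass-through rule is easy to get wrong and hard to see from a browser, so here is an added example (my own, not code from the post or from letsencrypt_webfaction) that simulates the small subset of mod_rewrite semantics these rules use: unanchored pattern matching against the path with the leading "/" stripped, $N backreferences, the %{HTTPS} off condition, the [L] flag, and the implicit 302 versus explicit 301 redirect. The host name yourdomain.com and the sample request paths are constructed for the example; the two rule sets model the unanchored form `(\.well-known.*) $1 [L]` and the anchored form `^\.well-known/acme-challenge/ - [L]`, each followed by the HTTPS redirect.

```python
import re

# Each rule is (guarded_by_https_off, pattern, substitution, flags).
# In mod_rewrite "-" means "no substitution"; a substitution that expands
# to an absolute URL causes an external redirect (302 unless [R=301]).
UNANCHORED = [
    (False, r"(\.well-known.*)", "$1", {"L"}),
    (True, r"^(.*)$", "https://%{HTTP_HOST}%{REQUEST_URI}", set()),
]
ANCHORED = [
    (False, r"^\.well-known/acme-challenge/", "-", {"L"}),
    (True, r"^(.*)$", "https://%{HTTP_HOST}%{REQUEST_URI}", {"R=301", "L"}),
]


def expand(subst, match, host, request_uri):
    """Expand $N backreferences and the two server variables the rules use."""
    out = subst.replace("%{HTTP_HOST}", host).replace("%{REQUEST_URI}", request_uri)
    for i, group in enumerate(match.groups(), start=1):
        out = out.replace("$%d" % i, group or "")
    return out


def rewrite(path, host, rules, https=False):
    """Simulate mod_rewrite in .htaccess (per-directory) context for one request.

    The pattern is searched (unanchored, as Apache does) against the request
    path with the per-directory prefix "/" removed.  Rules run in order, [L]
    stops after a match, and a rule guarded by `RewriteCond %{HTTPS} off` is
    skipped when the request already arrived over TLS.
    Returns ("serve", path) or ("redirect:<status>", url).
    """
    subject = path[1:] if path.startswith("/") else path
    for https_off_only, pattern, subst, flags in rules:
        if https_off_only and https:
            continue
        match = re.search(pattern, subject)
        if match is None:
            continue
        if subst != "-":
            subject = expand(subst, match, host, path)
        if subject.startswith(("http://", "https://")):
            status = 301 if "R=301" in flags else 302
            return ("redirect:%d" % status, subject)
        if "L" in flags:
            break
    return ("serve", "/" + subject)


def served_over_http(rules, paths, host="yourdomain.com"):
    """Request paths the HTTP-only site answers itself instead of redirecting."""
    return [p for p in paths if rewrite(p, host, rules)[0] == "serve"]


# Constructed sample requests: the site root, a blog page, the ACME challenge
# token, and a page whose name merely happens to contain ".well-known".
SAMPLE_PATHS = [
    "/",
    "/blog",
    "/.well-known/acme-challenge/abc123",
    "/blog/notes.well-known",
]

if __name__ == "__main__":
    for name, rules in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name, "serves over plain HTTP:", served_over_http(rules, SAMPLE_PATHS))
```

With the unanchored rule, /blog/notes.well-known is not redirected at all: the $1 backreference rewrites it internally to /.well-known and serves whatever is there over HTTP, and every ordinary page gets a cacheable-for-nothing 302 rather than a 301. With the anchored rule, only the ACME challenge directory stays on HTTP and everything else gets a 301 to the HTTPS site.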

Et voilà!


  1. This will make it easier to renew the certificates before they expire in 90 days (the letsencrypt-webfaction site has instructions on setting up a cron job to do this automatically, but I have not had a chance to perfect that on my own...yet). 
