
Let’s Encrypt SSL/TLS certificates on Webfaction

You may have noticed lately that pages that aren’t secured with HTTPS are starting to show increasingly more concerning browser icons and messages. I think this trend is set to continue until one day HTTP will no longer be supported. The problem (until recently) has been that getting a certificate that keeps web browsers happy (I mean the software, not the humans) meant purchasing one. For small personal sites this cost was enough to put most people off using SSL/TLS. I don’t know the history of Let’s Encrypt, but they look like a not-for-profit set up to issue free SSL/TLS certificates with the aim of securing the whole of the internet. This is a great idea, the only drawback for me being that setting up an HTTPS site with Webfaction and Let’s Encrypt is a serious pain. Luckily a few kind people have developed tools to help things along a bit. This is my setup, which works well for the sites I manage (a couple of WP sites, a few Rails and Django apps, and my recently added IoT services).

The basic flow goes something like this:

  • Make an API call to Let’s Encrypt for a particular domain (or set of domains)
  • Let’s Encrypt sends back a challenge token which you must make publicly available under /.well-known/acme-challenge/ at the HTTP root of each domain
  • Let’s Encrypt tries to fetch that token, which proves to them that you control the domain (this is the HTTP-01 challenge)
  • Let’s Encrypt signs and sends back the certificate; the private key is generated locally by your ACME client and never leaves your server
  • You load the certificate and private key into Webfaction (through the UI or API)
  • Associate the certificate with a secured website in Webfaction
  • Repeat this process before the certificate expires. Let’s Encrypt certificates are only valid for 90 days.

YIKES!!!

  • Set up a static app in the Webfaction web control panel
  • Create an HTTP website, point it to the static app, and add every domain that you wish to serve over HTTPS to this website (plain-HTTP requests for them will be redirected to the secure site). You only need one app and one website for all the domains you want to use with HTTPS.
  • Access Webfaction via SSH and change to the static app directory.
    • Create a .htaccess file with the following lines
    • RewriteEngine On
      RewriteCond %{HTTP:X-Forwarded-SSL} !on
      RewriteCond %{REQUEST_URI} !^/.well-known
      RewriteCond %{QUERY_STRING} !^/.well-known
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    • This sends any request that arrives over plain HTTP to the same host and path over HTTPS with a permanent (301) redirect. The app itself only ever sees plain HTTP from Webfaction’s front-end proxy, so the X-Forwarded-SSL condition is how it tells whether the visitor’s original request was already HTTPS.
    • It also exempts any request for /.well-known from the redirect. Let’s Encrypt fetches its HTTP-01 challenge files from /.well-known/acme-challenge/ over plain HTTP, and serving them directly means validation never depends on the HTTPS site, which may not have a valid certificate yet.
  • Install the acme.sh script, which is going to obtain the Let’s Encrypt certificate for us (and, with --install, set up the cron job that renews it)
    • git clone https://github.com/Neilpang/acme.sh.git
      cd ./acme.sh
      ./acme.sh --install
  • Download the file load_certs.py into the $HOME directory of your Webfaction account
    • cd $HOME
      wget https://github.com/tmcadam/webfaction-tools/load_certs.py
    • This script loads the newly created certs into Webfaction using its API. Open the downloaded file and confirm it is the Python script rather than an HTML page from GitHub before going further.
  • Create environment variables.
    • Open up $HOME/.bashrc and add the following lines
      • export WEBFACTION_USER="username-here"
        export WEBFACTION_PASS="password-here"
        export WEBFACTION_MACHINE="Web###"
    • This stores your Webfaction control-panel password in plain text, so make sure .bashrc is readable only by your user. Bear in mind that anything else running under your account (including every app you host) can read it too.
    • Many .bashrc files return early when the shell is not interactive. If yours does, the cron job that renews the certificate will never see these variables; in that case put the three exports in a separate file and source that from the reload command instead.
  • Run the acme.sh script to create a certificate. Here is an example
    • acme.sh --issue \
      -d smartworldbox.com \
      -d www.smartworldbox.com \
      -d node-red.smartworldbox.com \
      -d mqtt.smartworldbox.com \
      -w /home/username/webapps/https_redirect/ \
      --reloadcmd ". $HOME/.bashrc && python2 $HOME/load_certs.py smartworldbox.com $HOME/.acme.sh/smartworldbox.com/"
    • This obtains a single certificate covering all the listed domains and then loads it into Webfaction using its API. The reload command sources .bashrc so that the API credentials are present for the script (running .bashrc as a separate bash process would set them in a child shell and throw them away). The really really cool thing is that acme.sh --install added a cron job which renews the certificate every 60 days and runs the reload command again, so once you have run the command once you should be able to forget about it.
    • Make sure -w points to the static app we created earlier; acme.sh writes the challenge files under .well-known/acme-challenge/ in that directory.
    • The two parameters for the Python script are the domain name (I think it needs to be the first one) and the folder containing the certificates. When the certificates are loaded into Webfaction they are named after the domain, with the dots converted to underscores.
    • Check out https://github.com/Neilpang/acme.sh for more info
  • The final step is to create secure HTTPS website records
    • This is done in the Webfaction control panel. Select the certificate that was just created (smartworldbox_com in this instance) and the application that you want to secure (e.g. node-red).
    • Leave the other static app and website in place to handle certificate renewals and to redirect HTTP traffic to this new secure site.
    • As I said before, this whole process is a one-off and the certificates should renew automatically every 60 days.
    • Go to the browser and you should see a nice little padlock beside your domain name 🙂
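The whole procedure above hinges on the reload command uploading the new files through the Webfaction API every time acme.sh renews. Below is a Python 3 equivalent of that step, written for this page as an added example; it is not the load_certs.py script linked above and not code from Webfaction or acme.sh. It assumes acme.sh’s default output layout (~/.acme.sh/<domain>/<domain>.cer, <domain>.key and ca.cer) and Webfaction XML-RPC methods named login, list_certificates, create_certificate and update_certificate taking the arguments in the order shown; check those names and the API version number against the Webfaction API documentation before relying on it. The PEM bodies inside demo() are constructed placeholders, not a real key or certificate.

```python
"""Upload acme.sh output to Webfaction's certificate store (Python 3 reload step).

Added example for this page; not the load_certs.py script the post downloads.
Assumed: acme.sh's output layout and the Webfaction XML-RPC methods named below.
"""
import os
import sys
import tempfile
import xmlrpc.client
from pathlib import Path

API_URL = "https://api.webfaction.com/"  # Webfaction's XML-RPC endpoint
API_VERSION = 2  # assumed: API version whose login() takes a version argument
REQUIRED_VARS = ("WEBFACTION_USER", "WEBFACTION_PASS", "WEBFACTION_MACHINE")


def cert_name_for(domain):
    """Webfaction certificate name: the domain with dots turned into underscores."""
    return domain.replace(".", "_")


def read_acme_files(cert_dir, domain):
    """Read the three files acme.sh leaves in ~/.acme.sh/<domain>/ and sanity-check them."""
    d = Path(cert_dir)
    paths = {
        "certificate": d / f"{domain}.cer",   # leaf certificate
        "private_key": d / f"{domain}.key",   # key generated locally by acme.sh
        "intermediates": d / "ca.cer",        # Let's Encrypt intermediate chain
    }
    missing = [str(p) for p in paths.values() if not p.is_file()]
    if missing:
        raise FileNotFoundError("acme.sh output not found: " + ", ".join(missing))
    material = {k: p.read_text() for k, p in paths.items()}
    # Refuse to upload the wrong kind of file (e.g. arguments swapped on the command line).
    if "BEGIN CERTIFICATE" not in material["certificate"]:
        raise ValueError(f"{paths['certificate']} is not a PEM certificate")
    if "PRIVATE KEY" not in material["private_key"]:
        raise ValueError(f"{paths['private_key']} is not a PEM private key")
    return material


def credentials_from_env(env=None):
    """Fail loudly when the cron environment lacks the variables .bashrc is meant to set."""
    env = os.environ if env is None else env
    missing = [k for k in REQUIRED_VARS if not env.get(k)]
    if missing:
        raise RuntimeError("not set: " + ", ".join(missing)
                           + " (acme.sh's cron job does not read ~/.bashrc for you)")
    return tuple(env[k] for k in REQUIRED_VARS)


def upload(server, session_id, name, material):
    """Create the certificate record on first issue, update it on every renewal."""
    existing = {c["name"] for c in server.list_certificates(session_id)}
    args = (session_id, name, material["certificate"],
            material["private_key"], material["intermediates"])
    if name in existing:
        server.update_certificate(*args)
        return "updated"
    server.create_certificate(*args)
    return "created"


def main(argv):
    if len(argv) != 3:
        sys.exit(f"usage: {argv[0]} DOMAIN CERT_DIR")
    domain, cert_dir = argv[1], argv[2]
    material = read_acme_files(cert_dir, domain)  # check the files before logging in
    user, password, machine = credentials_from_env()
    server = xmlrpc.client.ServerProxy(API_URL)
    session_id, _account = server.login(user, password, machine, API_VERSION)
    action = upload(server, session_id, cert_name_for(domain), material)
    print(f"{action} certificate {cert_name_for(domain)} on {machine}")


class _FakeWebfaction:
    """Stand-in for the XML-RPC proxy so the flow can be exercised offline."""
    def __init__(self):
        self.names, self.calls = set(), []

    def list_certificates(self, session_id):
        return [{"name": n} for n in self.names]

    def create_certificate(self, session_id, name, *rest):
        self.names.add(name)
        self.calls.append(("create", name))

    def update_certificate(self, session_id, name, *rest):
        self.calls.append(("update", name))


def demo():
    """First run creates the record, the renewal run updates it. PEM bodies are constructed placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "example.com.cer").write_text("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")
        (d / "example.com.key").write_text("-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n")
        (d / "ca.cer").write_text("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")
        material = read_acme_files(tmp, "example.com")
        fake, name = _FakeWebfaction(), cert_name_for("example.com")
        first = upload(fake, "session", name, material)
        second = upload(fake, "session", name, material)
        return name, first, second, fake.calls


if __name__ == "__main__":
    main(sys.argv)
```

Saved under a name of your choosing (say load_certs3.py) it is run from the reload command as python3 load_certs3.py smartworldbox.com $HOME/.acme.sh/smartworldbox.com/. The point of the checks is that a cron environment without the credentials, or a swapped argument, makes the renewal fail visibly rather than quietly leaving the old certificate in place until it expires.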

Installing Node-RED on Webfaction

This is slightly counter-intuitive, so I thought I would share how I went about it. The main issue that caught me out was that the standard Node.js app in Webfaction doesn’t work with WebSockets, and Node-RED’s editor relies on WebSockets.

This guide assumes that you are pretty comfortable in the Webfaction control panel and using SSH to access your server. Their documentation is good if you need clarification on how any of these steps work.

    1. Go into the Webfaction control panel and create two new apps.
      • A node.js app
        • This one is going to run Node-RED; creating it installs Node.js and npm for us, making it very easy to install Node-RED. Leave the port closed to external access.
      • A websockets custom app
        • This is the one that caught me out: it is needed to proxy WebSocket connections correctly to the Node.js app. Make a note of its port number as we will need it later. Leave the port closed to external access.
    2. In the Webfaction control panel create a new website.
      • Create an HTTP website with your Node-RED domain name and point it at the websockets app, not the Node.js app.
    3. Stop the default Node.js app from starting.
      • Access your account with SSH and type crontab -e
      • You should see a line restarting the Node.js app every 20 minutes; comment it out with a #
      • Change directory to your Node.js app
        • cd ~/webapps/node-red
        • export PATH=$PWD/bin/:$PATH
        • ./bin/stop
        • rm hello-world.js
    4. Install Node-RED
      • Presuming you are already in the Node.js app folder and have set the PATH variable (see above), enter the following command to install Node-RED
        • npm install -g --unsafe-perm node-red
        • If you type node-red -p 12345 (where 12345 is the port of the websockets application), Node-RED should start up and wait for connections.
        • If you go to your domain in a web browser (HTTP only at this stage) you should see a working but very insecure Node-RED page, YAY! Insecure because the editor has no authentication yet: anyone who can reach the URL can deploy flows, and a flow can run arbitrary JavaScript or shell commands under your account.
        • If you want to test whether WebSockets are working, try the Creating your first flow tutorial from the Node-RED docs; you should see debug messages in the right-hand pane when you hit the inject button.
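The inject-to-debug test only passes if the websockets app really does pass the editor’s WebSocket upgrade through, which is the whole reason for the extra app. The script below, written for this page as an added example (not from the post and not part of Node-RED or Webfaction), performs the RFC 6455 opening handshake against a host and reports whether the reply was a 101 upgrade carrying the correct Sec-WebSocket-Accept, or an ordinary HTTP status, which is what you get when the request is answered by something that does not speak WebSockets. It assumes the editor’s WebSocket path is /comms (Node-RED’s default) and that the site is reached on port 80, as in the HTTP-only stage above. The sample replies at the bottom are constructed, using the sample key from RFC 6455, not captured from a live server.

```python
"""Probe whether a host proxies WebSocket upgrades through to Node-RED.

Added example for this page, not code from the post, Node-RED or Webfaction.
Assumed: the editor's comms endpoint is /comms and the site answers on port 80.
"""
import base64
import hashlib
import os
import socket
import sys

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455


def expected_accept(key_b64):
    """Sec-WebSocket-Accept a genuine WebSocket server must return for this key."""
    digest = hashlib.sha1((key_b64 + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_request(host, path="/comms", key_b64=None):
    """Build the RFC 6455 opening handshake; a fresh random key unless one is given."""
    if key_b64 is None:
        key_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key_b64}",
        "Sec-WebSocket-Version: 13",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii"), key_b64


def classify_response(raw, key_b64):
    """'upgraded', 'bad-accept', 'refused <status>' or 'no-response' for a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "no-response"
    status = parts[1]
    headers = {}
    for line in header_lines:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    # Anything other than 101 + Upgrade: websocket means a plain HTTP app answered.
    if status != "101" or headers.get("upgrade", "").lower() != "websocket":
        return f"refused {status}"
    # A 101 with the wrong accept value is not a WebSocket server speaking to us.
    if headers.get("sec-websocket-accept") != expected_accept(key_b64):
        return "bad-accept"
    return "upgraded"


def probe(host, path="/comms", port=80, timeout=5.0):
    """Send the handshake over a raw socket and classify whatever comes back."""
    request, key = handshake_request(host, path)
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_response(raw, key)


# Constructed replies (not captured from a server), using the RFC 6455 sample key.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_UPGRADED = (b"HTTP/1.1 101 Switching Protocols\r\n"
                   b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
                   b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_PLAIN_HTTP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b"<html>Node-RED</html>")

if __name__ == "__main__":
    target = sys.argv[1]
    ws_path = sys.argv[2] if len(sys.argv) > 2 else "/comms"
    print(probe(target, ws_path))
```

Run it as python3 ws_probe.py node-red.yourdomain (a file name of my choosing). "upgraded" means the websockets app is doing its job; a "refused 200" or similar from the Node-RED domain means the upgrade is still being answered as an ordinary HTTP request, which is the symptom the post describes for the standard Node.js app.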

Now that we have a working application, the next post will look at some basic configuration to secure it.

© 2018 SmartWorldBox. All rights reserved.