Security

Troubleshooting SSL certificates

Overview

If you run into difficulties configuring SSL certificates with Cloud 66, this guide may be able to help.

Configuring Let's Encrypt with Cloudflare

If you route your application traffic through Cloudflare, you will need to add a Page Rule to your Cloudflare configuration in order for the challenge process (see above) to work.

The URL for the page rule should be the challenge URL for your server: http://YOURSITE.com/.well-known/acme-challenge/

To set up your application:

  1. Ensure the challenge file is in the folder
  2. Log into your Cloudflare dashboard and create a new Page Rule
  3. Set the challenge URL as an exact match for the Page
  4. Set SSL to "off"
  5. Set Automatic HTTPS Rewrites to "off"
  6. Set Browser Integrity Check to "off"
  7. Save and deploy the rule (after testing)

The challenge should now succeed. If it does not, read the rest of this guide.

Let's Encrypt certs require updates every 3 months

Let's Encrypt needs to be updated every 3 months, so you should keep all configurations in place to allow for automatic renewal.

Troubleshooting

Non-secure HTTP endpoint required

Let's Encrypt needs a non-secure HTTP endpoint - i.e. <your-application-domain>/.well-known/acme_challenge/* to invoke and reissue certificates.

If you have your application set to redirect from HTTP to HTTPS you will need to deactivate this.

Trouble downloading challenge file

If, while configuring a standard (i.e. NOT wildcard) Let's Encrypt certificate you see an error similar to this:

Wrote file to /etc/cloud66/webroot/FILENAME, but couldn't download http://DNS_NAME/.well-known/acme-challenge/FILENAME 

...you need to go through the following steps:

  1. Delete the SSL certificate (vital)
  2. If you use Cloudflare, ensure you have have Page Rule in place (see above)
  3. There could be some sections missing (or misconfigured) in your Nginx config, probably due to customization or config file not being up to date. The following blocks take care of redirections. Ensure these sections of your own Nginx config match up with the examples below.
http {
    .
    .
    .
    server {
        .
        .
        .
        ## This block gives HTTP access to LetsEncrypts to validate the certificate issuance

        location /.well-known/acme-challenge/ {
            {% if letsencrypt_primary_address == empty %}
            # serve letsencrypt requests from here
            alias /etc/cloud66/webroot/;
            try_files $uri =404;
            {% else %}
            # serve letsencrypt request from another host
            proxy_pass  http://{{ letsencrypt_primary_address }};
            {% endif %}
        }

        ## From here is for taking care of redirections settings for your application
        
        {% if red_http_to_https == true %}
        {% if has_load_balancer %}
        set $http_rewrite 0;
        if ($http_x_forwarded_proto = "http") {
            set $http_rewrite 1;
        }
        if ($http_x_forwarded_proto = "") {
            set $http_rewrite 1;
        }
        if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
            set $http_rewrite 0;
        }
        if ($http_rewrite = 1) {
            rewrite ^(.*) https://$host$1 permanent;
        }
        {% else %}
        if ($request_uri !~ ^/.well-known/acme-challenge/.*$) {
            rewrite ^(.*) https://$host$1 permanent;
        }
        {% endif %}
        {% endif %}

        {% if red_www == 0 %}
        server_name             _;
        {% endif %}
        {% if red_www == 2 %}
        set $www_rewrite 0;
        if ($http_host ~ ^(?!www\.)(.*)) {
            set $www_rewrite 1;
            set $www_host $1;
        }
        if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
            set $www_rewrite 0;
        }
        if ($www_rewrite = 1) {
            return 301 $scheme://www.$www_host$request_uri;
        }
        {% endif %}
        {% if red_www == 1 %}
        set $www_rewrite 0;
        if ($http_host ~ ^www\.(.*)$) {
            set $www_rewrite 1;
            set $www_host $1;
        }
        if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
            set $www_rewrite 0;
        }
        if ($www_rewrite = 1) {
            return 301 $scheme://$www_host$request_uri;
        }
        {% endif %}

        .
        .
        .
        }
    }

Previous
Adding SSL certificates to apps