Installing SSL Cert on Linode server for subdomain

Hello! Stupid web server newbie here. So my client has a domain for an online store; the cert for it is non-wildcard through BigCommerce, and the domain is provided/hosted by GoDaddy.com.

In the DNS settings we have an A record named 'share' that points to our Linode web server.

On our store we have a page that has an iframe whose src points to a PHP script over at the Linode web server. Right now the connection is refused when the store is set to site-wide SSL, even though the src URL has been edited to HTTPS.

Presumably there is either no cert on the Linode server, or something is wrong that I have no idea how to deal with, but this is the only thing I have to go on at the moment.

If I/my client purchases a cert for the Linode server, will that presumably fix the issue of the connection being refused for the iframe?

17 Replies

Why don't you hit that iframe URL in your browser, to see what happens? Obviously it has to be an HTTPS request, otherwise it won't work as an iframe of another HTTPS page; mixed content pages (as they are called) are blocked by all serious browsers (Firefox, Opera, Chrome, etc.). Look at the debug console, it should say the error that prevents the iframe from loading.

As a side note, why pay for a certificate? That fiasco ended a long time ago and now certificates are free! Take a look here as an example.

Originally when it was HTTP it was blocked as being a mixed content request.

Now that the URL is HTTPS nothing shows up in the console; the iframe just shows up as Unable to Connect (Firefox) and Refused to Connect (Chrome).

If I put in the URL http://share.majestydiamonds.com/tell.php it works. If I try it with HTTPS it doesn't connect.

I just assumed based on experience you pay for certs for business websites; would a free one work?

You need a valid and matching certificate; just replacing http with https won't work if the certificate is not there or if it's not correct.

Yes, free certificates will work fine; there are no certificates for "business" or anything like that, they are all effectively the same. The reason we had to pay for them up until recently was a marketing scam, and finally that is over. Essentially the certificates use the same cryptography; all that mattered was browser acceptance.

What we've seen recently is that those selling certificates have come up with various scare tactics to lure unsuspecting people into buying what is essentially free.

So basically all I have to do is install dehydrated to create a cert for the Linode side of the server and then it should work, or does there need to be a matching cert on BigCommerce's end? There's a cert already for our site on that end but it isn't wildcard.

The certificate must be installed on the web server that hosts the domain, so I'd guess in your case that would be the Linode server. So once you set up dehydrated (or a similar Let's Encrypt client) your iframe should work, in theory at least, since I don't know any details about your setup.

@IfThenElse:

> The certificate must be installed on the web server that hosts the domain, so I'd guess in your case that would be the Linode server. So once you set up dehydrated (or a similar Let's Encrypt client) your iframe should work, in theory at least, since I don't know any details about your setup.

I'm not really sure what our setup is either.

Our domain, storename.com, is from GoDaddy.

The CNAME DNS listing named www points to our store over at BigCommerce.

But our store has a page that calls share.storename.com.

According to the DNS, the share subdomain is on Linode at the server IP.

By 'hosts the domain', it's hosting the subdomain in this case right? The share.storename.com domain?

I'm trying to set up Dehydrated but I'm a little confused, as it seems to assume a regular Linux user and I haven't used it in years. I tried to run the ./dehydrated command and it claims the WELLKNOWN directory doesn't exist and wants me to set permissions?

I uploaded all the files via FTP to /root/dehydrated.

I created a dehydrated folder in etc/pki/

I created the domains.txt and sort of just put in www.storename.com, storename.com and share.storename.com; I don't know which ones I need.

I edited config to add in my email (does the email matter?). I kept 'wellknown'/basedir at the default, since I assumed that if I passed it the config file and its location then it would use the location of the config file automatically? I think this is the part I messed up.

Basedir is the directory of the dehydrated script, but the instructions didn't say to move it to the pki/dehydrated folder, only the config file, which I did.

I'm a little confused; you can basically assume I haven't touched Linux in a long time and am thus a newb all over again.

OK, let's take the steps from the start:

make sure the directory /root/dehydrated exists (we put the script here, to run as root)

make sure the directory /etc/pki/letsencrypt exists (we put the certificates here; it must be accessible by the Apache web server)

put the dehydrated script under /root/dehydrated

create the file /etc/pki/letsencrypt/domains.txt

edit this file and ONLY write the domain you host; in your case that would be: share.storename.com

copy the config file from /root/dehydrated/docs/examples to /root/dehydrated

edit this file and change:

BASEDIR="/etc/pki/letsencrypt"

CONTACT_EMAIL="your email here"

WELLKNOWN="/home/myuser/public_html/.well-known/acme-challenge"

The above WELLKNOWN path is just an example; you need to know the exact directory your web server uses. Also create the directories .well-known and .well-known/acme-challenge.

The command that executes dehydrated is:

/root/dehydrated/dehydrated --cron --config /root/dehydrated/config --keep-going --challenge http-01

The certificates will be generated under /etc/pki/letsencrypt/certs/share.storename.com/; you then need to modify your Apache configuration to point to the certificate files.
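As an added example (not from this thread or from the dehydrated project), a POSIX sh preflight check that sources the config the way dehydrated does and reports the mistakes that typically stop an http-01 run: variables left commented out, a WELLKNOWN directory that does not exist, an empty domains.txt, and, when a hostname is given and curl is installed, a challenge file that is not reachable over plain HTTP on port 80. The function name and the /root/dehydrated/config path are assumptions.

```shell
#!/bin/sh
# dehydrated_preflight: added example, not part of dehydrated or of this thread.
# Sources a dehydrated config (it is plain shell syntax) and reports the
# setup mistakes that stop an http-01 run before any certificate is issued.
# Usage: dehydrated_preflight /root/dehydrated/config [share.storename.com]
dehydrated_preflight() {
    cfg="$1"; host="$2"; rc=0
    if [ ! -r "$cfg" ]; then
        echo "config $cfg is not readable"; return 1
    fi
    # Clear first, so a variable left commented out (#BASEDIR=...) shows as unset.
    BASEDIR=""; WELLKNOWN=""; CONTACT_EMAIL=""; DOMAINS_TXT=""
    . "$cfg"
    for var in BASEDIR WELLKNOWN CONTACT_EMAIL; do
        eval "val=\$$var"
        if [ -z "$val" ]; then
            echo "$var is unset: remove the leading # and set it in $cfg"; rc=1
        fi
    done
    if [ -n "$BASEDIR" ] && [ ! -d "$BASEDIR" ]; then
        echo "BASEDIR $BASEDIR does not exist"; rc=1
    fi
    if [ -n "$WELLKNOWN" ] && [ ! -d "$WELLKNOWN" ]; then
        # This is the "WELLKNOWN directory doesn't exist" error: the path must be
        # .well-known/acme-challenge under the vhost's DocumentRoot, created by hand.
        echo "WELLKNOWN $WELLKNOWN does not exist (mkdir -p it under DocumentRoot)"; rc=1
    fi
    # dehydrated reads domains.txt from BASEDIR unless DOMAINS_TXT overrides it.
    domains="${DOMAINS_TXT:-$BASEDIR/domains.txt}"
    if [ ! -s "$domains" ]; then
        echo "$domains is missing or empty; list the hostname this server serves"; rc=1
    fi
    # Optional live check: the challenge directory must be served over port 80,
    # because that is where Let's Encrypt fetches http-01 tokens from.
    if [ -n "$host" ] && [ -d "$WELLKNOWN" ] && command -v curl >/dev/null 2>&1; then
        token="preflight-$$"
        echo "$token" > "$WELLKNOWN/$token"
        got=$(curl -fsS --max-time 10 "http://$host/.well-known/acme-challenge/$token" 2>/dev/null)
        rm -f "$WELLKNOWN/$token"
        if [ "$got" != "$token" ]; then
            echo "http://$host/.well-known/acme-challenge/ does not serve $WELLKNOWN"; rc=1
        fi
    fi
    return $rc
}
```

Run it as root after editing the config and before the first dehydrated --cron; a zero exit means the directories and variables dehydrated needs are in place.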

I must be doing something dumb or there's something about the server that isn't obvious to me.

There are two www directories. One under /var/ and another at the root level, /www/.

The one that's /www/ has a folder in it that's accessed through that iframe; the src goes to share.storename.com/tell.php and tell.php is located under /www/stories/htdocs/.

But only /var/www/ has an index.html; if I type in the IP for the server that I use to log in, it goes to the store page.

I tried putting "public_html/.well-known/acme-challenge" in both /www/'s, as well as in /home/username/ (there is only one non-root user, and root didn't have a home folder). None of these options appear to be working and I keep getting the error: "ERROR: WELLKNOWN directory doesn't exist, please create /var/www/dehydrated and set appropriate permissions."

I see apache2 in /etc/ exists, but not /etc/httpd/conf/httpd.conf; there is no httpd folder under /etc. Is there a way to check? AFAIK it should've been /www/.

edit: the tell.php file / the /www/stories/htdocs is definitely public facing, as I changed tell.php to print hello world and it worked.

Okay, I found the virtual hosts file, if this helps:

ServerName stories.majestydiamonds.com

ServerAlias www.stories.storename.com stories.storename.com OURSERVERIP

ServerAdmin Someone@storename.com

DocumentRoot /www/stories/htdocs/

CustomLog /var/log/apache2/access_stories.log combined

ErrorLog /var/log/apache2/error_stories.log

Is the document root where I point wellknown to or does that still not explain the error?

edit 2: I think I understand what's happening: the new path for WELLKNOWN isn't actually being passed in, as it keeps saying '/var/www/dehydrated' when it should be saying something else.

edit 3: Supposedly it is using the config file, but the variables aren't being used. Am I supposed to remove the comment hash marks?

edit 4: APPARENTLY YES.

edit 5: Still claims the directory doesn't exist. Do the permissions need to be set a certain way? They're 755 atm.

edit 6: I am still dumb, forgot a level in the path. The cert is made; now I just need to figure out how to get Apache to point to it!

edit 7: The prompts say I am successful: 'creating fullchain.pem', 'walking chain', 'done!'; but I cannot seem to find the certs folder.

edit 8: For some reason I am still stupid and had to right-click and refresh in FileZilla.

You need to get in touch with whoever set up the server in the first place.

Based on the VirtualHost you posted, I'm guessing the WELLKNOWN variable should point to:

WELLKNOWN="/www/stories/htdocs/.well-known/acme-challenge"

Make sure to create the above directory structure with proper ownership and permissions (probably the same as htdocs).

@IfThenElse:

> You need to get in touch with whoever set up the server in the first place.
>
> Based on the VirtualHost you posted, I'm guessing the WELLKNOWN variable should point to:
>
> WELLKNOWN="/www/stories/htdocs/.well-known/acme-challenge"
>
> Make sure to create the above directory structure with proper ownership and permissions (probably the same as htdocs).

He's dead. Hence why I'm doing this. :D

But I appear to have managed to create the certs; now my problem is that the tutorials I've googled are different from what's generated:

SSLEngine on
SSLCertificateFile /etc/ssl/crt/primary.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCertificateChainFile /etc/ssl/crt/intermediate.crt

Supposedly I need to add these lines to the VirtualHost entry, but what's generated looks like:

cert-number.csr
cert-number.pem
chain-number.pem
fullchain-number.pem
privkey-number.pem

I ended up running the command twice after uncommenting my email address, so I don't know if that affected anything.

There are also another 5 files with the same first word and extension, 'cert.csr' etc.; but no .crt file or .key file.

Dead? May the digital pathways of the eternal fiber optic ethernet rest his binary soul.

Try this:

SSLCertificateFile /etc/pki/letsencrypt/certs/stories.storename.com/cert.pem
SSLCertificateKeyFile /etc/pki/letsencrypt/certs/stories.storename.com/privkey.pem
SSLCertificateChainFile /etc/pki/letsencrypt/certs/stories.storename.com/chain.pem

(ignore the files with numbers; the above files should be symbolic links to the newest and valid certificates)

@IfThenElse:

> Dead? May the digital pathways of the eternal fiber optic ethernet rest his binary soul.
>
> Try this:
>
> SSLCertificateFile /etc/pki/letsencrypt/certs/stories.storename.com/cert.pem
> SSLCertificateKeyFile /etc/pki/letsencrypt/certs/stories.storename.com/privkey.pem
> SSLCertificateChainFile /etc/pki/letsencrypt/certs/stories.storename.com/chain.pem
>
> (ignore the files with numbers; the above files should be symbolic links to the newest and valid certificates)

I restarted Apache and got this error (on trying to reload the iframe):

> An error occurred during a connection to share.storename.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Is the VirtualHost supposed to stay on port 80 or change it to 443?

You are not supposed to touch the http entry (); you should create a new one with the same parameters but with the new SSL lines added, that listens on 443.

Sometimes the default configuration already has such an entry defined, so there is no need to create a new one.

But, the WELLKNOWN directory must be accessible via port 80, so that Let's Encrypt and Dehydrated can work.

Yes, all SSL/TLS connections go through 443.
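The SSL_ERROR_RX_RECORD_TOO_LONG message above is what a browser reports when port 443 answers with plain HTTP instead of TLS, which is what happens while no SSL-enabled VirtualHost is listening there. As an added example (not from this thread, dehydrated or Apache), a POSIX sh check to run before restarting Apache: it confirms the three symlinked files resolve, that privkey.pem is not world-readable, and, when openssl is installed, that the key belongs to the certificate, the certificate is not expired and its subjectAltName covers the hostname in the iframe URL. The function name and the certs directory argument are assumptions.

```shell
#!/bin/sh
# check_apache_certs: added example, not part of dehydrated, Apache or this thread.
# Verifies the files an SSL VirtualHost is about to point at. dehydrated keeps
# cert.pem, privkey.pem and chain.pem as symlinks to the newest timestamped
# files, so a dangling link here is the first thing to look for.
# Usage: check_apache_certs /etc/pki/letsencrypt/certs/share.storename.com share.storename.com
check_apache_certs() {
    dir="$1"; host="$2"; rc=0
    for f in cert.pem privkey.pem chain.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "$dir/$f is missing, empty or a dangling symlink"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"
    # -L follows the symlink: what matters is the mode of the real key file.
    perm=$(stat -L -c %a "$dir/privkey.pem" 2>/dev/null || stat -L -f %Lp "$dir/privkey.pem" 2>/dev/null)
    case "$perm" in
        *[4-7]) echo "privkey.pem is world-readable (mode $perm); chmod 600 it"; rc=1 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        # Expired (or not a certificate at all): -checkend 0 fails once notAfter has passed.
        if ! openssl x509 -in "$dir/cert.pem" -noout -checkend 0 >/dev/null 2>&1; then
            echo "cert.pem is expired or not a PEM certificate"; rc=1
        fi
        # The public key inside the certificate must equal the one derived from the key,
        # otherwise Apache refuses to start (a mixed-up pair from two separate runs).
        cpub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
        kpub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
        if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
            echo "privkey.pem does not belong to cert.pem"; rc=1
        fi
        # The name in the iframe URL must appear as a DNS SAN, or browsers refuse it.
        if ! openssl x509 -in "$dir/cert.pem" -noout -text 2>/dev/null | grep -qwF "DNS:$host"; then
            echo "cert.pem has no subjectAltName for $host"; rc=1
        fi
    fi
    return "$rc"
}
```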

So I'm working on that, and it seemed to have worked and connected to the page for about 5 minutes, and now I only get a blank page and a 500 error.

edit: Still dumb; I uploaded a PHP file with a syntax error.

Alright, so the only issue that remains is that our PHP script to log into our editor panel to approve the submissions in the iframe now seems to get rejected on a correct sign-in, but I suspect the problem is utils::HTTPAuthentication(…), and making this work over HTTPS will probably fix it.

Thanks for all of your help; all of this was extremely new for me. Thank you for your patience!

Hey, it's been a while and I have a follow-up question: for securing multiple subdomains with SSL, is there something I am supposed to do differently?

Particularly this one: "WELLKNOWN="/home/myuser/public_html/.well-known/acme-challenge""

Right now I managed to get it to work with subdomains (finance.mydomain.com and baseball.mydomain.com) by just changing WELLKNOWN to the newest subdomain, and then dumping all my VirtualHost information into one file.
