I need to set up a subdomain to test Flutter and Plone restAPI.
I already use LetsEncrypt for my domain (www.medialog.no), but when I try to set up another for https://api.medialog.no, I end up with a site that sometimes shows the Plone site, and sometimes shows 'the default Apache page'.
Is there something I need to know when setting up two Plone LetsEncrypt sites for the same domain?
From the Flutter App, I get an error about 50% of the time:
20171018 - New "easy config" system for Let's Encrypt
Following on a hint from the Plone forum, after noticing that LE verification
filenames may conflict with what is allowed by Zope/Plone, we let Apache serve these files directly.
To make it even easier, we store all verification files in the same folder
/var/www/html/.well-known/acme-challenge
In Apache's alias.conf we include this directive (gleaned from the FancyIcons directive)
Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
<Directory "/var/www/html/.well-known/acme-challenge">
    Options FollowSymlinks
    AllowOverride None
    Require all granted
</Directory>
For our virtualhosts which are served over https, or proxied to Plone, we insert
an exception to the redirect in the HTTP (80) virtualhost directive:
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme-challenge/
RewriteRule ^(.*)$ https://api.example.com$1 [R=301,L]
You will need separate certificates for your www. and api. subdomains.
Edit: to make sure your relevant virtualhosts are always processed in the same order, keep those together. In my case, I use a single configuration file.
In apache2.conf:
# Include the virtual host configurations:
IncludeOptional virtualhosts.conf
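The fragments from the reply above, assembled into a complete pair of virtual hosts for the api subdomain, as an added example that is not the poster's own configuration. The Plone address 127.0.0.1:8080, the site id Plone and the certificate paths (certbot's default layout) are assumptions; api.example.com is the placeholder host name used in the reply.

```apache
# Added example. Assumes mod_rewrite, mod_proxy_http and mod_ssl are enabled
# and that the Alias for /.well-known/acme-challenge/ is loaded from alias.conf.
# For name-based virtual hosts, a request whose Host header matches no
# ServerName/ServerAlias on that address:port is served by the FIRST virtual
# host defined for it, so each subdomain needs a block on both 80 and 443.

<VirtualHost *:80>
    ServerName api.example.com

    RewriteEngine On
    # Exception: Apache serves ACME HTTP-01 challenge files itself over HTTP
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Everything else is redirected to HTTPS on the same host name
    RewriteRule ^(.*)$ https://api.example.com$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName api.example.com

    SSLEngine On
    # Certificate issued for api.example.com, separate from the www one
    # (assumed paths: certbot's default /etc/letsencrypt/live/<name>/ layout)
    SSLCertificateFile    /etc/letsencrypt/live/api.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/api.example.com/privkey.pem

    RewriteEngine On
    # Proxy to Plone through Zope's VirtualHostMonster so generated URLs
    # use https://api.example.com/ (assumed backend and site id "Plone")
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/api.example.com:443/Plone/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

Running `apachectl -S` after a reload lists which virtual host is the default for each port and which names map to which block.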
We do not recommend using an "api" subdomain for a REST API setup. The browser treats that as a separate domain and this will require you to set up CORS properly, which is very complex. I'd recommend using /api instead for the backend.
Then good luck with CORS. We tried hard to make CORS work for us but we never succeeded putting anything stable into prod. Just for the record, this has nothing to do with plone.restapi itself, just with the sorry state of CORS that nobody seems to use in real life. If you succeed please make sure to share your findings.
So basically, to have two 'Plone Lets Encrypt sites' with same (main) domain on the same server is not a good idea (?) I will see if I can use another domain.