Certbot, Apache, subdomain, Plone

I need to set up a subdomain to test Flutter and Plone restAPI.

I already use Let's Encrypt for my domain (www.medialog.no), but when I try to set up another one for https://api.medialog.no, I end up with a site that sometimes shows the Plone site and sometimes shows the default Apache page.

Is there something I need to know when setting up two Plone Let's Encrypt sites for the same domain?

From the Flutter App, I get an error about 50% of the time:

    Unhandled Exception: HandshakeException: Handshake error in client (OS Error:
    CERTIFICATE_VERIFY_FAILED: application verification failure(handshake.cc:354))

From my notes:

20171018 - New "easy config" system for Let's Encrypt

Following a hint from the Plone forum, after noticing that LE verification filenames may conflict with what is allowed by Zope/Plone, we let Apache serve these files directly.

To make it even easier, we store all verification files in the same folder:

    /var/www/html/.well-known/acme-challenge

In Apache's alias.conf we include this directive (gleaned from the FancyIcons directive):

    Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"

    <Directory "/var/www/html/.well-known/acme-challenge">
        Options FollowSymlinks
        AllowOverride None
        Require all granted
    </Directory>

For our virtualhosts which are served over https, or proxied to Plone, we insert an exception to the redirect in the HTTP (80) virtualhost directive:

     RewriteCond %{REQUEST_URI} !^/\.well\-known/acme-challenge/
     RewriteRule ^(.*)$ https://api.example.com$1 [R=301,L]

You will need separate certificates for your www. and api. subdomains:

# --manual prompts for each challenge file; put it under /var/www/html/.well-known/acme-challenge/
# so the Alias above serves it. Several names go in as repeated -d options.
./certbot-auto certonly --manual -d api.example.com
./certbot-auto certonly --manual -d example.com -d www.example.com

Then two separate https virtualhost directives: first for your api. subdomain, and then your "catchall" directive:

<VirtualHost *:443>
     # Keep this vhost BEFORE the catch-all below: Apache takes the first ServerName/ServerAlias
     # that matches the requested name, and "*.example.com" would also match api.example.com.
     # (An address wildcard is used instead of a hostname, which Apache only resolves at startup.)
     ServerName api.example.com
     RewriteEngine On
     # Proxy to the Zope instance; VirtualHostBase makes Plone generate https://api.example.com URLs
     RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{HTTP_HOST}:443/my_api/VirtualHostRoot/$1 [L,P]
     LogLevel error
     CustomLog /var/log/apache2/api.example.com.access.log "vhost_combined"
     ErrorLog /var/log/apache2/api.example.com.error.log
     ServerAdmin webmaster@example.com
     SSLEngine on
     # The same chain file (leaf + intermediates) is used for both directives; on Apache 2.4.8+
     # SSLCertificateFile alone can hold the full chain and SSLCertificateChainFile is redundant.
     SSLCertificateChainFile /etc/ssl/private/api.example.com-chain.pem
     SSLCertificateFile /etc/ssl/private/api.example.com-chain.pem
     SSLCertificateKeyFile /etc/ssl/private/api.example.com-key.pem
     SSLCACertificateFile /etc/ssl/private/cacert.pem
</VirtualHost>

<VirtualHost *:443>
     ServerName www.example.com
     ServerAlias example.com *.example.com
     RewriteEngine On
     # Canonicalise example.com and other aliases to www.example.com, but not www. itself,
     # otherwise every request to www.example.com is redirected to itself in a loop.
     RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
     RewriteRule ^(.*)$ https://www.example.com$1 [R=301,L]
     RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{HTTP_HOST}:443/Plone/VirtualHostRoot/$1 [L,P]
     LogLevel error
     CustomLog /var/log/apache2/www.example.com.access.log "vhost_combined"
     ErrorLog /var/log/apache2/www.example.com.error.log
     ServerAdmin webmaster@example.com
     SSLEngine On
     SSLCertificateChainFile /etc/ssl/private/example.com-chain.pem
     SSLCertificateFile /etc/ssl/private/example.com-chain.pem
     SSLCertificateKeyFile /etc/ssl/private/example.com-key.pem
     SSLCACertificateFile /etc/ssl/private/cacert.pem
</VirtualHost>

Edit: to make sure your relevant virtualhosts are always processed in the same order, keep them together. In my case, I use a single configuration file.

In apache2.conf:

    # Include the virtual host configurations:
    IncludeOptional virtualhosts.conf
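To see why the order of the two https vhosts matters, here is an added example (not code from this thread, from Plone or from Apache) that models how Apache picks a name-based TLS vhost, first match in configuration order, and then applies the hostname check a TLS client performs against the certificate's subject alternative names. The two vhost tuples and their SAN lists are constructed to mirror the api. and www. configs above and assume each Certbot certificate carries exactly the names passed with -d; `check_live_sni()` is a helper for checking a real host by hand and is not exercised by the offline part.

```python
"""Model Apache's name-based vhost selection and the client's certificate
name check, to show how a catch-all "*.example.com" vhost that is processed
before the api. vhost makes api.example.com fail with CERTIFICATE_VERIFY_FAILED.

Added example for this thread, not code from the original post or from Plone.
The vhosts and SAN lists are constructed to mirror the configs quoted above.
"""
import fnmatch
import socket
import ssl

# Constructed sample, one tuple per config block:
# (ServerName, [ServerAlias ...], [DNS names in the certificate that vhost serves])
API_VHOST = ("api.example.com", [], ["api.example.com"])
WWW_VHOST = ("www.example.com", ["example.com", "*.example.com"],
             ["example.com", "www.example.com"])


def name_matches(pattern, host):
    """Apache ServerName/ServerAlias comparison: case-insensitive, and a
    ServerAlias may contain shell-style wildcards such as '*.example.com'."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def select_vhost(vhosts, host):
    """Return the vhost Apache would serve for the given SNI/Host name.

    The first ServerName/ServerAlias match in configuration order wins; if
    nothing matches, Apache falls back to the first vhost for that address.
    """
    for vhost in vhosts:
        server_name, aliases, _sans = vhost
        if any(name_matches(p, host) for p in [server_name, *aliases]):
            return vhost
    return vhosts[0]


def cert_covers(sans, host):
    """Hostname check a TLS client applies to the certificate's SANs: exact
    match, or a wildcard in the left-most label only (RFC 6125 rules), so
    '*.example.com' covers 'api.example.com' but not 'example.com'."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
    return False


def handshake_ok(vhosts, host):
    """True if the vhost chosen for `host` presents a certificate valid for it;
    False is the condition the Flutter client reports as CERTIFICATE_VERIFY_FAILED."""
    _name, _aliases, sans = select_vhost(vhosts, host)
    return cert_covers(sans, host)


def check_live_sni(host, port=443):
    """Manual diagnostic against a real server (needs network): connect with
    SNI=host and full verification. Returns (True, [DNS SANs]) on success or
    (False, error text); a wrong vhost shows up as "certificate is not valid
    for '<host>'". Equivalent to: openssl s_client -servername HOST -connect HOST:443"""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except OSError as err:  # ssl.SSLError (incl. SSLCertVerificationError) is an OSError
        return False, str(err)
    return True, [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python3 vhost_check.py api.example.com
        print(check_live_sni(sys.argv[1]))
    else:
        for label, order in (("api. vhost first", [API_VHOST, WWW_VHOST]),
                             ("catch-all first", [WWW_VHOST, API_VHOST])):
            for host in ("api.example.com", "www.example.com"):
                chosen = select_vhost(order, host)[0]
                status = "OK" if handshake_ok(order, host) else "FAILS"
                print(f"{label:16} {host:16} -> vhost {chosen:16} handshake {status}")
```

With the api. vhost first, both names get a matching certificate; with the catch-all first, api.example.com is swallowed by `*.example.com`, the www certificate is presented, and the client refuses it. Running the script with a hostname argument performs the same check against the live server.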

Thanks. Will try to look at it tomorrow.

By the way: did you find any info on why it works 'sometimes' (if I reload the page once or twice, it loads)?

Possibly, if Apache processes the directives in random order. This is why I edited my answer at the bottom.

We do not recommend using an "api" subdomain for a REST API setup. The browser treats that as a separate domain, and this will require you to set up CORS properly, which is very complex. I'd recommend using /api instead for the backend.

When deploying the API under a fake /api path, you'll need to use special vh rules.

See Volto documentation, for example:

    RewriteRule     ^/api($|/.*)            balancer://plonebackend/VirtualHostBase/https/www.example.com:443/Plone/VirtualHostRoot/_vh_api$1  [P,L]

It is actually a separate site.
I need another domain so I can test out Flutter (mobile app development) with the REST API.

Then good luck with CORS. We tried hard to make CORS work for us but we never succeeded putting anything stable into prod. Just for the record, this has nothing to do with plone.restapi itself, just with the sorry state of CORS that nobody seems to use in real life. If you succeed please make sure to share your findings.

So basically, having two 'Plone Let's Encrypt sites' with the same (main) domain on the same server is not a good idea (?) I will see if I can use another domain.