Issue ID,URL,Title,State,Description,Author,Author Username,Assignee,Assignee Username,Confidential,Due Date,Created At (UTC),Updated At (UTC),Closed At (UTC),Milestone,Labels,Time Estimate,Time Spent
1,https://gitlab.com/aegir/hosting_https/issues/1,Error when enabling Letsencrypt feature,Closed,"Upon enabling the hosting_letsencrypt feature, I see the following in the hostmaster site verify task log: >[...] >Returned from hook drush_provision_verify >Calling hook drush_certificate_provision_verify >Undefined index: Certificate server.php:121 >Drush command terminated abnormally due to an unrecoverable error. Error: Call to a member function setContext() on a non-object in /var/aegir/.drush/provision/Provision/Context/server.php, line 121 >The external command could not be executed due to an application error. >[...] ",Christopher Gervais,ergonlogic,"","",No,,2016-06-17 17:45:37,2017-04-10 23:06:47,,,,0,0
2,https://gitlab.com/aegir/hosting_https/issues/2,Fork hosting_ssl,Closed,"We ran into some limitations in hosting_ssl that mean that we'd need to implement various workarounds and hacks to get Let's Encrypt working properly. We decided to modernize hosting_ssl (renaming it to hosting_https, in the process). This should allow us to both use it in Aegir 3, and then have a drop-in replacement for Aegir 4. We're renaming this project to hosting_https, and moving hosting_certificate to be a module within it. For the meta issue, see [[meta] Let's encrypt support](https://www.drupal.org/node/2629560).",Christopher Gervais,ergonlogic,"","",No,,2016-06-19 15:47:55,2017-04-10 23:06:47,,,,0,0
3,https://gitlab.com/aegir/hosting_https/issues/3,Stop assuming PHP is always at version 5,Closed,"Use the same solution derived at [Nginx: PHP FPM fails to detect socket mode on PHP 7](https://www.drupal.org/node/2769587) once it's completed.
To find what needs to be changed, run this command at root of the project tree: * `grep -rn php5 .`",Colan Schwartz,colan,"","",No,,2016-07-20 16:48:42,2017-04-10 23:06:47,,,,0,0
4,https://gitlab.com/aegir/hosting_https/issues/4,Require services to be disabled before allowing modules to be disabled/uninstalled,Open,"If a module that exposes a service is disabled, while its services remain active on a server, an un-recoverable situation could arise. Basically, the service's context variables remain, as does one or more front-end DB entries. As a result, server verify tasks start failing, as does the hostmaster verify to build the links to the back-ends for the active Hosting Features. Disabling the services on the server(s) first should resolve this issue, as it triggers a verify task, which will remove the context variables. Saving the server node itself, cleans up any service DB entries. I think the easiest solution here is to block a module from being disabled, so long as any servers are running services it exposes.",Christopher Gervais,ergonlogic,"","",No,,2016-07-23 17:34:09,2017-12-28 20:18:20,,,Feature request,0,0
5,https://gitlab.com/aegir/hosting_https/issues/5,Error registering new Let's Encrypt key,Closed,"Got the following error when trying to install a new site with Let's Encrypt: ``` > Generating Let's Encrypt certificates. > 2 s. > # INFO: Using main config file /var/aegir/config/letsencrypt/config > - > + Generating account key... > - > + Registering account key with letsencrypt...
> - > + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 400) > - > - > Details: > - > { > - > ""type"": ""urn:acme:error:malformed"", > - > ""detail"": ""Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]"", > - > ""status"": 400 > - > }rm: cannot remove '/var/aegir/config/letsencrypt/domains.txt': No such file or directory > - > - > - > Error registering account key. See message above for more information. > - > Failed to generate Let's Encrypt certificates. ``` It's possible that the URL for the site wasn't resolving, or something else banal. But we should perhaps check for that before trying to proceed with a certificate generation.",Christopher Gervais,ergonlogic,"","",No,,2016-08-09 16:31:51,2017-04-10 23:06:47,,,,0,0
6,https://gitlab.com/aegir/hosting_https/issues/6,Per site certificate service on a server,Open,"The current choice of cert service is per server. I can imagine having lets encrypt as default ... but what if a client comes along who wants something else... EV? It might be good to have certificates from multiple services on one server. Just a thought, feature request?",Herman van Rink,helmo42,"","",No,,2016-08-15 11:24:14,2017-12-28 20:49:11,,,Feature request,0,0
7,https://gitlab.com/aegir/hosting_https/issues/7,hosting_certificate_prevent_orphaned_services() causing recursive/loop cache rebuild,Closed,"I'm not very sure how to explain this issue, and we can close if no one else runs into this, but on a server with hosting_https installed, I ran into weird infinite loops of cache rebuilds during the Aegir 3.6 -> 3.7 upgrade.
After some debugging, I found that commenting these lines fixed it: ``` submodules/letsencrypt/hosting_letsencrypt.module hosting_letsencrypt_system_info_alter() hosting_certificate_prevent_orphaned_services($info, 'Certificate', 'LetsEncrypt'); ``` ``` submodules/apache_https/hosting_apache_https.module hosting_apache_https_system_info_alter() hosting_certificate_prevent_orphaned_services($info, 'http', 'https_apache'); ``` Logging here in case someone bumps into a similar issue. I only upgraded one server so far, so will see if it happens on other servers too.",mlutfy,mlutfy,"","",No,,2016-08-19 02:11:38,2017-05-25 19:17:34,,,"Needs upstream patch,Postponed",0,0
8,https://gitlab.com/aegir/hosting_https/issues/8,Replace all references to upstream project letsencrypt.sh with 'dehydrated',Closed,"Trademark issues. * Old: https://github.com/lukas2511/letsencrypt.sh * New: https://github.com/lukas2511/dehydrated",mlutfy,mlutfy,Colan Schwartz,colan,No,,2016-10-05 02:18:10,2017-04-10 23:06:47,,,,0,0
9,https://gitlab.com/aegir/hosting_https/issues/9,Switch to official certbot client instead of letsencrypt.sh/dehydrated?,Closed,"How would folks feel about switching to the official [Certbot](https://certbot.eff.org/) client at some point? I've been playing with it lately, and am quite impressed with it. It's in recent Debian and Ubuntu repositories (including backports), and is quite easy to work with. Please check out the link above for more info. You can play with the OS & server options to alter the instructions. In my opinion, looks good for Nginx & Apache on Debian & Ubuntu. But I'd like to hear what other folks think.",Colan Schwartz,colan,"","",No,,2016-11-09 21:29:20,2017-04-10 23:06:47,,,,0,0
10,https://gitlab.com/aegir/hosting_https/issues/10,Add a 'manual' Certificate implementation,Open,"We should add the ability to paste a CA certificate into the front-end.
It should presumably look something like: ![AWS_SSLCertificate](/uploads/3f1f335489f48c62bace7c2c60cf7181/AWS_SSLCertificate.png) Ideally we'd also: 1. Generate the key/CSR. 1. Validate the cert(s) in the front-end. 1. Expunge the key from the front-end DB. 1. Notify when a certificate is coming due for renewal (this could be implemented as a hosting_probe) For background, see #2.",Christopher Gervais,ergonlogic,"","",No,,2016-11-18 21:43:22,2017-12-28 19:26:35,,,Feature request,0,0
11,https://gitlab.com/aegir/hosting_https/issues/11,Add tests,Open,"It'd be nice to get some CI testing. I'm not sure how feasible that'd be, considering CI VMs/containers aren't likely to be accessible externally.",Christopher Gervais,ergonlogic,"","",No,,2016-11-18 21:48:00,2017-07-01 08:45:58,,,,0,0
12,https://gitlab.com/aegir/hosting_https/issues/12,Provide sane packaging along with installation instructions,Closed,"Currently, the README defines a process by which the upstream library Dehydrated is committed directly to the project, but it is also part of the project as a git submodule. We need to nail this down and figure out how to package it. Which one do we choose? There's also the [Libraries](https://www.drupal.org/project/libraries) module, Drush makefiles, and .. Also: > 12:04 < ergonlog1c> subtree merge should work, and provide an easy (enough) way to stay up-to-date with upstream, fwiw",Colan Schwartz,colan,"","",No,,2016-11-22 17:12:28,2017-12-29 17:24:36,2017-12-29 17:24:36,,"Release blocker,To do",0,0
13,https://gitlab.com/aegir/hosting_https/issues/13,Alias definition for well known directory crashing Nginx,Closed,A semicolon and encapsulating server clause are missing.
This is preventing Nginx from being reloaded.,Colan Schwartz,colan,"","",No,,2016-11-22 21:00:06,2017-04-10 23:06:47,,,,0,0
14,https://gitlab.com/aegir/hosting_https/issues/14,Well known directory cannot be accessed by Let's Encrypt CA,Closed,"Access to the well known directory is necessary for the ACME challenge to succeed for certificate generation. However, it is being blocked at the moment. Set-up is happening in the server configuration, not the site configuration, so it's not possible to allow access to the URL if we don't know the site in question. Let's move injection of the well-known directory settings to the site configuration [as is being done for hosting_le](https://github.com/omega8cc/hosting_le/blob/7.x-3.x/hosting_le_vhost/drush/hosting_le_vhost.drush.inc).",Colan Schwartz,colan,"","",No,,2016-11-24 16:49:12,2017-04-10 23:06:47,,,,0,0
15,https://gitlab.com/aegir/hosting_https/issues/15,Certificates only get (re)generated if they don't exist,Closed,"At present, certificates don't get updated on site verify tasks when the files are present. This doesn't handle the case where the files exist, but the certificate is expired. We should always attempt to generate new certificates. The upstream Dehydrated script will bail if we're not close to the expiry date, and just keep the existing files, which is what we want.",Colan Schwartz,colan,"","",No,,2016-11-24 20:31:49,2017-04-10 23:06:47,,,,0,0
16,https://gitlab.com/aegir/hosting_https/issues/16,Update installation documentation,Closed,"",Colan Schwartz,colan,"","",No,,2016-11-24 20:37:43,2017-04-10 23:06:47,,,,0,0
17,https://gitlab.com/aegir/hosting_https/issues/17,Add cron job to ensure Let's Encrypt certificates don't expire,Closed,"Certificates normally get updated on site verify tasks, but these don't normally run periodically.
We need to set up a cron job to run site verifies on sites with HTTPS enabled.",Colan Schwartz,colan,"","",No,,2016-11-24 20:39:31,2017-04-10 23:06:46,,,,0,0
18,https://gitlab.com/aegir/hosting_https/issues/18,Certificate generation failure on Clone leads to warning,Closed,"When a site Clone task is running, certificate generation is attempted 4 times: 1. The source site: No problems. 1. **The destination site: Failure warning issued as site has not been configured yet.** 1. The destination site: No problems; Initial certificate is generated. 1. The source site: No problems. This seems a bit wasteful. Only the third step needs to run, but not really, as this will happen on the forthcoming destination site's Verify task. In any case, we should somehow block the second step from running, as it's causing an unnecessary warning.",Colan Schwartz,colan,"","",No,,2016-11-24 22:04:31,2017-04-10 23:06:46,,,Duplicate,0,0
19,https://gitlab.com/aegir/hosting_https/issues/19,Let's Encrypt HTTPS cannot be enabled during site creation,Closed,"'Sites must first be created (Install tasks) without encryption enabled. Then, once the site has been created, encryption can be enabled. This is most likely because the well-known directory isn't set up until after certificate generation. We'll need to switch these around. ``` Failed to generate Let's Encrypt certificates. Injecting Let's Encrypt 'well-known' ACME challenge directory '/var/aegir/config/letsencrypt.d/well-known/acme-challenge' into Nginx vhost entry. ``` Attempting to enable encryption on site creation yields a 403 (Forbidden) by the CA as it can't access the challenge response. This leads to the warning: > Failed to generate Let's Encrypt certificates.
--- This issue is completely solved by #28, but it doesn't support all Web servers just yet: * [x] Nginx * [x] Apache",Colan Schwartz,colan,"","",No,,2016-11-28 22:32:33,2017-12-22 20:45:31,2017-12-22 20:45:31,,"Postponed,Release blocker,To do",0,0
20,https://gitlab.com/aegir/hosting_https/issues/20,Provide option for automatically enabling/requiring encryption on new sites,Open,"If we have any of these options enabled on the server, then sites can automatically enable/require encryption after they're created. Given #19, this would have to be done afterwards, and not during, site creation.",Colan Schwartz,colan,"","",No,,2016-11-30 17:01:18,2017-12-29 17:50:04,,,Feature request,0,0
21,https://gitlab.com/aegir/hosting_https/issues/21,Upgrade production from legacy ssl modules.,Closed,"If we want to make this the new default ssl implementation for Aegir 3 then it should be 'easy' to upgrade. The README already lists a few steps for this ... but lets make em super safe for production use.",Herman van Rink,helmo42,"","",No,,2016-12-02 13:00:24,2017-09-26 15:39:38,,,Release blocker,0,0
22,https://gitlab.com/aegir/hosting_https/issues/22,Warning: failed to open stream: No such file or directory FileSystem.php:19,Closed,"Using latest Aegir 3.8 I get the following warning when attempting to require encryption on a site: >>> copy(/var/aegir/config/letsencrypt.d/example.com/cert.pem): failed to open stream: No such file or directory FileSystem.php:19 copy(/var/aegir/config/letsencrypt.d/example.com/privkey.pem): failed to open stream: No such file or directory FileSystem.php:19 copy(/var/aegir/config/letsencrypt.d/example.com/fullchain.pem): failed to open stream: No such file or directory FileSystem.php:19 apache on aegir could not be restarted. Changes might not be available until this has been done.
(error: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/conf-enabled/aegir.conf:4 AH00526: Syntax error on line 17 of /var/aegir/config/server_master/apache/vhost.d/example.com: SSLCertificateFile: file '/var/aegir/config/server_master/ssl.d/example.com/openssl.crt' does not exist or is empty Action 'graceful' failed. The Apache error log may have more information.) >>>",Virtual Realms,virtualrealms,"","",No,,2016-12-10 04:51:25,2017-12-03 21:31:22,,,Needs info,0,0
23,https://gitlab.com/aegir/hosting_https/issues/23,HTTPS working for site primary domain but not redirected domains,Closed,"If the site primary domain is example.com and there's redirections in place for: * www.example.com * example.com.au * www.example.com.au Then https works for the primary domain of example.com BUT is broken when visiting the redirected domains.",Virtual Realms,virtualrealms,"","",No,,2016-12-11 22:43:10,2017-04-10 23:06:46,,,,0,0
24,https://gitlab.com/aegir/hosting_https/issues/24,Aegir views go missing after clearing all caches,Closed,"After successfully applying HTTPS to my various sites, I thought I'd try also applying it to Aegir itself. First I enabled encryption and that verified OK, then I required encryption. I had to log back in, but no content was being displayed in any Aegir tab. See the attached screenshot for the Sites listing page. ![aegir-https-issue](/uploads/8592d787718ff76f97afa88ef27b6e5b/aegir-https-issue.png) Clearing all caches didn't resolve the issue. When I dropped back to Bartik theme all the content was there. Switching to Eldir again and the content returned. Not sure why yet, but at least it's working now. ## Workaround Whenever this issue presents itself, it can be fixed by [rebuilding the registry](https://www.drupal.org/project/registry_rebuild) on the hostmaster site, the Aegir site itself.
``` drush @hm rr ```",Virtual Realms,virtualrealms,Colan Schwartz,colan,No,,2016-12-22 23:13:18,2017-11-21 15:06:33,2017-11-21 15:06:33,,"Doing,Release blocker",0,0
25,https://gitlab.com/aegir/hosting_https/issues/25,Provide option to force certificate regeneration,Closed,"I have a site that was set up during testing of this module and thus has a staging certificate. I can't find a good way to tell Aegir to create a new cert and sign it using lets encrypts prod env. Would be nice to have a task for this or something.",Rudi Floren,valkum,"","",No,,2016-12-31 16:46:08,2017-12-28 19:04:47,2017-12-28 19:04:47,,,0,0
26,https://gitlab.com/aegir/hosting_https/issues/26,Enable OCSP stapling,Open,"See [Security Certificate Revocation Awareness: The case for “OCSP Must-Staple”](https://www.grc.com/revocation/ocsp-must-staple.htm) for background. On Nginx at least, this is simply adding a couple of lines to the site config: ``` ssl_stapling on; ssl_stapling_verify on; ```",Colan Schwartz,colan,"","",No,,2017-01-09 16:21:53,2017-12-28 20:27:15,,,Feature request,0,0
27,https://gitlab.com/aegir/hosting_https/issues/27,Remove unused *_feature_(en|dis)able_callback() functions,Closed,"We added these during development, as placeholders, in case we'd need them. Looks like we don't.",Christopher Gervais,ergonlogic,"","",No,,2017-01-16 15:56:04,2017-05-06 19:15:34,,,"Cleanup,Release blocker",0,0
28,https://gitlab.com/aegir/hosting_https/issues/28,Allow access to the well known directory earlier in the process,Closed,"Adding a domain alias after enabling https gives a warning in the first verify ... the second works. I assume it's because the new name is not yet active as vhost alias when we start letsencrypt. Can't we add the .well-known directory alias on some higher level in the config? Or to the default vhost?
This is related to #18 and #19",Herman van Rink,helmo42,"","",No,,2017-01-26 20:51:04,2017-12-22 20:44:38,2017-12-22 20:44:38,,"Doing,Needs Apache port,Release blocker",0,0
29,https://gitlab.com/aegir/hosting_https/issues/29,Stable release,Open,"'I'd like to include hosting_https as golden contrib module in a next Aegir release. But for that we'd need a 'stable' release here. A few other boxes to check: - [x] All [release blockers](https://gitlab.com/aegir/hosting_https/issues?label_name%5B%5D=Release+blocker).",Herman van Rink,helmo42,"","",No,,2017-02-02 11:26:30,2017-12-29 22:06:06,,,"Release blocker,To do",0,0
30,https://gitlab.com/aegir/hosting_https/issues/30,sh: 1: /var/aegir/config/letsencrypt/script: Permission denied - Letencrypt not working,Closed,"when using hosting_https with letsencrypt I get the following. HTTPS certificate directory for insitehost.socialnicheguru.com [success] path /var/aegir/config/letsencrypt.d/insitehost.socialnicheguru.com is writable. [7.09 sec, 57.9 MB] Generating Let's Encrypt certificates. [7.09 sec, 57.91 MB] [notice] Running: /var/aegir/config/letsencrypt/script --cron --config [notice] /var/aegir/config/letsencrypt/config --out /var/aegir/config/letsencrypt.d --domain mysite.com --domain nodejs.mysite.com --domain www.mysite.com [7.09 sec, 57.91 MB] Executing: /var/aegir/config/letsencrypt/script --cron --config /var/aegir/config/letsencrypt/config --out /var/aegir/config/letsencrypt.d --domain mysite.com --domain nodejs.mysite.com --domain www.mysite.com sh: 1: /var/aegir/config/letsencrypt/script: Permission denied sh: 1: /var/aegir/config/letsencrypt/script: Permission denied [7.1 sec, 57.88 MB] [notice] Failed to generate Let's Encrypt certificates. [7.1 sec, 57.88 MB] I am unclear as to whether I need to install letsencrypt to my system manually or if the module takes care of doing that.
Please advise.",Social Niche Guru,socialnicheguru,"","",No,,2017-02-21 07:26:41,2017-04-10 23:06:46,,,,0,0
31,https://gitlab.com/aegir/hosting_https/issues/31,Accepting terms,Closed,"In the 0.4.0 version of dehydrated there is a new command to accept the Letsencrypt terms of service... `/var/aegir/config/letsencrypt/script --register --accept-term` This should probably be added to the docs",Herman van Rink,helmo42,"","",No,,2017-02-21 09:42:53,2017-12-28 19:02:13,2017-12-28 19:02:13,,,0,0
32,https://gitlab.com/aegir/hosting_https/issues/32,How do I access my site through a non standard port using https? https://mysite.com:8443 for example,Closed,"I enabled hosting_letsencrypt and followed the directions I originally had my apache_https port set to 443. My site worked via SSL. Now I want to change what apache listens to for ssl to 8443. I also did sudo ufw allow 8443 to make sure the port is accessible through the firewall But when I goto https://mysite.com:8443 I get ""ERR_CONNECTION_REFUSED"" I do this just to check to see if I can access the site and if SSL is working. With the new port number it doesn't seem to be. Can LetsEncrypt handle non-standard ports? Or am I thinking about this all wrong? https://community.letsencrypt.org/t/using-encrypt-for-non-standard-ports/20164/4",Social Niche Guru,socialnicheguru,"","",No,,2017-02-21 22:55:24,2017-04-10 23:06:46,,,,0,0
33,https://gitlab.com/aegir/hosting_https/issues/33,Requiring https causes redirect error in certain situtations.,Closed,"I select ""enable ssl"" for mysite.com in Aegir. I have pound listening on 443. I redirect traffic to the varnish server listening on port 80. I goto my site https://mysite.com and it redirects perfectly and all is good in the world. I can goto to either http or https just fine. The same setup but I select ""ssl is required"" in Aegir. I get a redirect error and the page cannot be seen.
Is the redirect from http to https when required done in a specific way that I need to account for in Varnish vcl or pound's pound.cfg files?",Social Niche Guru,socialnicheguru,"","",No,,2017-02-22 04:56:17,2017-04-10 23:06:46,,,,0,0
34,https://gitlab.com/aegir/hosting_https/issues/34,How to enable site aliases to be ssl enabled?,Closed,"I have my site, mysite.com I use an origin pull cdn for parallel processing of assets. I have added the following as aliases but I do not redirect to the main site css.mysite.com js.mysite.com img.mysite.com I added a DNS entry for each of the above in addition to mysite.com that all point to the same public IP address. I have enabled ssl for mysite.com. going to https://mysite.com does work. But going to https://css.mysite.com does not work. How do I enable ssl for each of the aliases that I created.",Social Niche Guru,socialnicheguru,"","",No,,2017-02-23 21:31:33,2017-04-10 23:06:46,,,,0,0
35,https://gitlab.com/aegir/hosting_https/issues/35,Add Strict Transport Security to HTTPS-only sites,Open,See https://www.drupal.org/node/986312 for the original issue.,Colan Schwartz,colan,"","",No,,2017-03-03 17:30:20,2017-12-28 19:28:21,,,Feature request,0,0
36,https://gitlab.com/aegir/hosting_https/issues/36,Support dual RSA and ECDSA certificates,Open,See https://letsencrypt.org/docs/integration-guide#supported-key-algorithms and https://scotthelme.co.uk/hybrid-rsa-and-ecdsa-certificates-with-nginx/,James Kennedy,jkenn99,"","",No,,2017-03-10 20:06:17,2017-12-28 19:29:17,,,Feature request,0,0
37,https://gitlab.com/aegir/hosting_https/issues/37,Adding site alias does not activate support for multiple subdomains,Closed,"First can someone confirm that the letsencrypt script bundles here provides wildcard certs. I created a site in aegir, mysite.com. I enabled this module and certificate was created.
I can goto https://mysite.com just I then added an alias subsite.mysite.com I then verified the site I can still goto https://mysite.com but I cannot goto https://subsite.mysite.com should I be able to reference an alias like the one above?",Social Niche Guru,socialnicheguru,"","",No,,2017-04-07 16:10:07,2017-12-11 12:39:23,2017-12-11 12:39:23,,"Release blocker,To do",0,0
38,https://gitlab.com/aegir/hosting_https/issues/38,Secure Sites do not pass security scanning software.,Open,"I am setting up hosting_https for a client, successfully setup a LetsEncrypt cert, but a security scan by ""IBM Security AppScan"" still throws issues. I'm attaching the full report, but the main issues appear to be the old cipher support (according to my client's security person, this is the main problem.) * Deprecated SSL Version is Supported 1 * RC4 cipher suites were detected 1 * SHA-1 cipher suites were detected 1 * Weak SSL Cipher Suites are Supported 1 [Full Security Report (pdf)](/uploads/b505dcd9ef1f74ea5e8576a94b0e863f/new.prompt_Security_Report.pdf)",Jon Pugh,jonpugh,"","",No,,2017-05-18 14:01:09,2017-12-22 20:40:16,2017-05-26 15:52:33,,To do,0,0
39,https://gitlab.com/aegir/hosting_https/issues/39,hosting_certificate_prevent_orphaned_services using nodes before database updates,Closed,"When running drush updatedb for e.g the new field in !26 you get an error. similar to #7.
``` exception 'PDOException' with message 'SQLSTATE[42S22]: Column not found: 1054 Unknown column 'https_sign_method' in 'field list'' in /includes/database/database.inc:2227 [error] Stack trace: #0 /includes/database/database.inc(2227): PDOStatement->execute(Array) #1 /includes/database/database.inc(697): DatabaseStatementBase->execute(Array, Array) #2 /includes/database/database.inc(2406): DatabaseConnection->query('SELECT https_en...', Array, Array) #3 /sites/aegir.example.com/modules/hosting_https/hosting_https.nodeapi.inc(235): db_query('SELECT https_en...', Array) #4 [internal function]: hosting_https_node_load(Array, Array) #5 /includes/entity.inc(368): call_user_func_array('hosting_https_n...', Array) #6 /modules/node/node.module(4176): DrupalDefaultEntityController->attachLoad(Array, false) #7 /includes/entity.inc(206): NodeController->attachLoad(Array, false) #8 /includes/common.inc(8005): DrupalDefaultEntityController->load(Array, Array) #9 /modules/node/node.module(947): entity_load('node', Array, Array, false) #10 /modules/node/node.module(966): node_load_multiple(Array, Array, false) #11 /sites/opc.initfour.nl/modules/hosting_https/submodules/certificate/hosting_certificate.module(27): node_load(2) #12 /sites/opc.initfour.nl/modules/hosting_https/submodules/letsencrypt/hosting_letsencrypt.module(34): hosting_certificate_prevent_orphaned_services(Array, 'Certificate', 'LetsEncrypt') #13 /includes/module.inc(1163): hosting_letsencrypt_system_info_alter(Array, Object(stdClass), 'module', NULL) #14 /modules/system/system.module(2436): drupal_alter('system_info', Array, Object(stdClass), 'module') #15 /modules/system/system.module(2464): _system_rebuild_module_data() #16 /includes/update.inc(52): system_rebuild_module_data() #17 /includes/update.inc(28): update_check_incompatibility('block', 'module') ``` Should we check in hosting_certificate_prevent_orphaned_services if we're in a database update flow?",Herman van Rink,helmo42,"","",No,,2017-05-25 
19:17:34,2017-12-05 07:37:53,2017-12-05 07:37:53,,,0,0
40,https://gitlab.com/aegir/hosting_https/issues/40,Can't create lets encrypt certificates on remote server,Closed,"I create a platform and a site on a remote server I enabled ssl using letsencrypt on the site The letsencrypt certificates are not created on the remote site",Social Niche Guru,socialnicheguru,"","",No,,2017-06-29 20:20:55,2017-12-28 19:22:54,2017-12-28 19:22:54,,,0,0
41,https://gitlab.com/aegir/hosting_https/issues/41,The drush command 'letsencrypt' could not be found,Closed,"drush letsencrypt The drush command 'letsencrypt' could not be found I run the above and get the above error. I see that there are 'drush' directories in the sub modules Do I need to rename them and move them to the ~/.drush/provision directory for them to work? Sorry I am not familiar with how to make the drush commands work",Social Niche Guru,socialnicheguru,"","",No,,2017-08-07 16:17:54,2017-12-28 19:06:09,2017-12-28 19:06:09,,,0,0
42,https://gitlab.com/aegir/hosting_https/issues/42,Update dehydrated git submodule,Closed,Should we use 0.4 of master...
which has a decent number of changes ...,Herman van Rink,helmo42,"","",No,,2017-08-17 12:50:50,2017-12-28 19:00:22,2017-12-22 16:17:13,,,0,0
43,https://gitlab.com/aegir/hosting_https/issues/43,LetsEncrypt.php cannot find scripts - alpha4 release,Closed,"'While attempting to enable https and generate a certificate, the following error occurs: ``` Running: /script --cron --hook /dehydrated-hooks.sh --config /config --out --domain www.example.com - sh: /script: No such file or directory ``` If I force set those properties in LetsEncrypt.php lines 109-110: ``` $script_path = d()->server->letsencrypt_script_path; $config_path = d()->server->letsencrypt_config_path; $domain_list = $this->getDomainsString(d()); $script_path = ""/var/aegir/config/letsencrypt""; $config_path = ""/var/aegir/config/letsencrypt.d""; ``` It verifies.",Antonio Barrera,antonioG4,"","",No,,2017-09-20 03:15:39,2017-12-28 19:24:03,2017-12-28 19:24:03,,,0,0
44,https://gitlab.com/aegir/hosting_https/issues/44,Can not generate self-signed certificate,Closed,"Platform on Aegir 3.12 (7.x-3.12.0) Enabled modules: * Aegir Certificate Service * Aegir HTTPS * Aegir HTTPS Apache * Aegir Self-signed Service I've followed the installation instructions and server and site set-up in the README file. After enabling encryption, verify site fails.
Log messages: ``` generating 2048 bit RSA key in /var/aegir/config/self_signed.d/example.com/ failed to generate signing request for certificate in /var/aegir/config/self_signed.d/example.com/openssl.csr failed to generate self-signed certificate in /var/aegir/config/self_signed.d/example.com/openssl.crt ```",Mischa,mikairos,"","",No,,2017-09-26 16:20:03,2017-12-29 17:30:55,2017-12-29 17:30:55,,,0,0
45,https://gitlab.com/aegir/hosting_https/issues/45,Certificates for multiple domains refer to the same cert,Closed,"While using a host server for Aegir and a remote server for sites, creating certs for multiple sites on the remote causes the additional sites to use the same cert. Example: * Provisioned and enabled SSL for http://superawesomesite.com, SSL works. * Provisioned and enabled SSL for http://semigreatsite.com, SSL warning that it presents the certificate for http://superawesomesite.com. The warning says ""This certificate is not valid (hostname mismatch)""",Antonio Barrera,antonioG4,"","",No,,2017-10-03 02:12:46,2017-10-05 01:32:34,2017-10-05 01:32:24,,,0,0
46,https://gitlab.com/aegir/hosting_https/issues/46,Renew frequency seems to be off by a factor of 6,Closed,"When I set the ""Refresh expiring Let's Encrypt certificates for HTTPS-enabled sites."" frequency to 1 day, each site is verified every 4 hours. Similarly, when I set it to 4 days, they are verified every 16 hours.",Stefan S,stefan11,"","",No,,2017-10-26 11:20:16,2017-12-22 15:03:01,2017-12-22 15:03:01,,,0,0
47,https://gitlab.com/aegir/hosting_https/issues/47,Add support for HTTPS Client Authentication,Closed,"I'm running some sites that require client authentication via [Certificate Login](https://www.drupal.org/project/certificatelogin), where the server must also authenticate the client in addition to the client authenticating the server. To get the necessary configuration injected into the vhost configuration, I believe the best way to handle this would be to add a checkbox to each Site node.
If it's checked and HTTPS is enabled or required, inject the configuration. We're going to need storage for each site's flag. I'm planning to add a new boolean column to the `hosting_https_site` table entitled `client_authentication`, both in the `hook_update_N` and via the installation schema. The default value will be zero, with *1* getting set if enabled. If anyone has any issues with this, let me know. As I'm currently only interested in Nginx, I won't be injecting Web server vhost configuration for Apache (at least initially, but patches welcome). The help text for the checkbox will read: > Check this box to allow for server authentication of clients in addition to clients authenticating the server. It should only be enabled if required by the hosted site (e.g. if using the [Certificate Login](https://www.drupal.org/project/certificatelogin) module), or users will needlessly be asked to present identity certificates if they have them. This will only work if HTTPS is enabled or required, and your Web server module for Aegir HTTPS supports it.",Colan Schwartz,colan,"","",No,,2017-10-30 19:19:14,2017-12-29 17:48:26,2017-12-29 17:48:26,,Doing,0,0
48,https://gitlab.com/aegir/hosting_https/issues/48,Default to Letsencrypt's production service,Closed,We should not bother users with the staging CA... when we decide to do intensive testing we can easily select it.,Herman van Rink,helmo42,"","",No,,2017-11-16 19:40:10,2017-11-21 18:43:50,2017-11-21 18:43:50,,"Release blocker,To do",0,0
49,https://gitlab.com/aegir/hosting_https/issues/49,Modify HTTPS settings of a website through a drush command,Open,"In order to fully manage websites from the CLI a drush command to manage the https settings of a website would be great.
A command of the type `drush @hostmaster hosting-https @sitename $value` with value = `enable` | `disable` | `required`",Julien Fayad,eweev,"","",No,,2017-11-22 20:53:30,2017-12-28 19:25:57,,,Feature request,0,0
50,https://gitlab.com/aegir/hosting_https/issues/50,Failed to Generate LE,Closed,"Hi, first this is an amazing module that is super appreciated. Thank you for all the hard work! I've previously had good luck using this on aegir, nginx 3.9 and d8 but after having an issue I had to rebuild the server and used Aegir and apache. I'm getting an error similar to #22 (https://gitlab.com/aegir/hosting_https/issues/22) `copy(/var/aegir/config/letsencrypt.d/example.com/cert.pem): failed to open stream: No such file or directory FileSystem.php:19 copy(/var/aegir/config/letsencrypt.d/example.com/privkey.pem): failed to open stream: No such file or directory FileSystem.php:19 copy(/var/aegir/config/letsencrypt.d/example.com/fullchain.pem): failed to open stream: No such file or directory FileSystem.php:19 apache on aegir could not be restarted. Changes might not be available until this has been done. (error: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/conf-enabled/aegir.conf:4 AH00526: Syntax error on line 17 of /var/aegir/config/server_master/apache/vhost.d/example.com: SSLCertificateFile: file '/var/aegir/config/server_master/ssl.d/example.com/openssl.crt' does not exist or is empty Action 'graceful' failed. The Apache error log may have more information.)` The difference is that I knew that you should always build the site on the platform first, then I verify, then I enabled the https using LE production. Nothing in the apache error log except that the graceful restart fails.
I've tried: Things I've tried: >> Install via git, but I thought maybe dehydrated error >> Install via makefile >> Rebuild server again >> Install as root >> Install as aegir user >> Install as aegir, via makefile, go to dehydrated and run --register --accept-terms Honestly, I'm stuck, and don't know what to do next. D9 More attempts: Failed on D8, failed with hosting_le. Strangest thing.... Is there any LE error log to view?",Larry Toldan,mgx1020,"","",No,,2017-12-03 21:31:21,2017-12-28 19:36:21,2017-12-28 19:24:51,,,0,0
51,https://gitlab.com/aegir/hosting_https/issues/51,Accounts dir lost when server is verified,Closed,"on server verify we use `drush_copy_dir($source, $this->server->letsencrypt_script_path, FILE_EXISTS_OVERWRITE)` However dehydrated stores an 'accounts' dir in there which is then lost on verify.",Herman van Rink,helmo42,"","",No,,2017-12-11 13:44:34,2017-12-22 20:41:13,2017-12-22 20:41:13,,Release blocker,0,0