Hello HTTPS

Well, that was a bit of a shit-show and is the reason why I’d been putting it off for so long.

Hey look, I got the green padlock!

In summary:

• Grabbed an SSL cert using certbot, that all went smoothly.
• DNS issues are what caused a major headache. I had been using Cloudflare for ‘flexible SSL’ whatever the fuck that means, and the DNS propagations took a long time to flow through from namecheap.

  

  To add additional crap, DNS caches on my local machine seemed particularly hard to clear (Ubuntu 14.04 aka trusty). They even persisted through a reboot. Pesky little things!
  Yes, I used dig which showed me my box was still looking at the old Cloudflare DNS

  ; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> craigamos.rocks ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11160 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;craigamos.rocks. IN A ;; ANSWER SECTION: craigamos.rocks. 9 IN A 104.31.86.60 craigamos.rocks. 9 IN A 104.31.87.60 ;; Query time: 14 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Tue Sep 17 15:54:50 ICT 2019 ;; MSG SIZE rcvd: 76

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

  ; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> craigamos.rocks ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11160 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1   ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;craigamos.rocks.               IN      A   ;; ANSWER SECTION: craigamos.rocks.        9       IN      A       104.31.86.60 craigamos.rocks.        9       IN      A       104.31.87.60   ;; Query time: 14 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Tue Sep 17 15:54:50 ICT 2019 ;; MSG SIZE  rcvd: 76

  So after all the DNS changes propagated, I still couldn’t open the site in my browser. Was it my firewall?

  Firewall was off. Oh shit! Is something listening on port 443?

  Yep.. here’s the gremlin.

  root@server:/etc/h2o# netstat -ntupl | grep :443 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 25579/perl

  1 2	root@server:/etc/h2o# netstat -ntupl | grep :443 tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      25579/perl

  But that’s my webserver as I quickly confirmed

  root 25579 0.0 1.0 38336 10588 ? Ss 08:02 0:00 perl -x /usr/share/h2o/start_server --pid-file=/var/run/h2o/pid --log-file=/var/log/h2o/error.log --port=0.0.0.0:443 --port=0.0.0.0:80 -- /usr/sbin/h2o -c /etc/h2o/h2o.conf

  1	root     25579  0.0  1.0  38336 10588 ?        Ss   08:02   0:00 perl -x /usr/share/h2o/start_server --pid-file=/var/run/h2o/pid --log-file=/var/log/h2o/error.log --port=0.0.0.0:443 --port=0.0.0.0:80 -- /usr/sbin/h2o -c /etc/h2o/h2o.conf

  Like a jackrabbit, I enabled the firewall and opened port 443

  Site came up-ish! BUT I DON”T UNDERSTAND WHY IT DIDN”T WORK IN THE FIRST PLACE.

• Finally, all that was left to do was to upload my Deliciously Brainy WP Migrate DB Pro to do a search and replace on my WP DB for http -> https

Anyway – everything seems to be working now.

Did I mention I have 2 ‘A’ records?

Don’t judge me!

Things I learned

• chrome://net-internals/#dns
• https://dns.google.com is very handy! But their cache flush tool didn’t work for me.
• DNS_PROBE_FINISHED_NXDOMAIN is a shitty browser error.