Writefreely -> use certbot certificates (or use keygen for multi-domain TLS?)

It's entirely possible this will sound like gibberish to an expert but here goes:

I made a hash of it when I configured WriteFreely when I first started it up and misconfigured it to respond to www.awadwatt.com instead of just awadwatt.com. Then - after a bunch of posts - I reconfigured it properly to just awadwatt.com and since then, using WF’s autocert it's been fine.

Problem is I still get the odd request for www.awadwatt.com. DNS wise, I’ve redirected www.awadwatt.com -> awadwatt.com, but the TLS info is bork and requesting the www subdomain rightfully returns an SSL error since the autocert doesn’t reference or include that subdomain.

I’d like to get writefreely to respond to HTTPS for BOTH (domain + www.domain)

If I read the docs correctly (User Guide — Certbot 2.6.0 documentation) certbot can modify a cert to include additional sub/domains, and I’ve done that (using a standalone snapd certbot install from [Certbot Instructions | Certbot]).

So I have new? improved certs from certbot, but if I configure WriteFreely to use that, it just sits there and refuses all connections (nothing relevant spit into the log - though it doesn’t complain about the cert or key file specified). Here’s the config.ini:

hidden_host          =
port                 = 443
bind                 = localhost
#tls_cert_path        = certs
#tls_key_path         = certs
#autocert             = true
tls_cert_path        = /etc/letsencrypt/live/awadwatt.com/fullchain.pem
tls_key_path         = /etc/letsencrypt/live/awadwatt.com/privkey.pem
autocert             = false
templates_parent_dir = /usr/local/bin/writefreely
static_parent_dir    = /usr/local/bin/writefreely
pages_parent_dir     = /usr/local/bin/writefreely
keys_parent_dir      = /usr/local/bin/writefreely
hash_seed            =
gopher_port          = 0

What, if anything, am I missing?

Hmm, configuration seems fine but this must be something at a different part of the stack. Does WriteFreely start up fine (the logs say “Serving…”)? What exactly is the error message in your browser when trying to access it?

If I restart WF with the letsencrypt manual certbot setup as above, it starts up just fine:

2023/07/14 19:15:16 Starting WriteFreely 0.13.2...
2023/07/14 19:15:16 Loading /usr/local/bin/config.ini configuration...
2023/07/14 19:15:16 Loading templates...
2023/07/14 19:15:16 Loading pages...
2023/07/14 19:15:16 Loading user pages...
2023/07/14 19:15:16 Loading encryption keys...
2023/07/14 19:15:16 Connecting to mysql database...
2023/07/14 19:15:16 Initializing local timeline...
2023/07/14 19:15:16 Adding awadwatt.com routes (multi-user)...
2023/07/14 19:15:16 Going to serve...
2023/07/14 19:15:16 Serving on https://localhost:443
2023/07/14 19:15:16 Using manual certificates
2023/07/14 19:15:16 ---
2023/07/14 19:15:16 Serving redirects on http://localhost:80

But then just sits there. Every request to either http or https is refused and no log entry is made, it's like WF is just ignoring all inbounds.

I’ll try recreating the certbot certificate maybe I screwed that up.

Do you have a firewall on this server? What is the output when you run this command from a different machine?

curl -I http://your-domain.com

There IS a firewall (whatever is default with OpenSUSE) but ports 80 and 443 are open and serve fine. The only thing between the WF host and the internets is my home wifi router but it just port forwards 80,443 and a few others to the WF host.

When running with the certbot cert, I just get connection refused.

C:\Users\user>curl -I http://awadwatt.com
curl: (7) Failed to connect to awadwatt.com port 80 after 2193 ms: Couldn't connect to server

C:\Users\user>curl -I http://www.awadwatt.com
curl: (7) Failed to connect to www.awadwatt.com port 80 after 2167 ms: Couldn't connect to server

This is the WF log while it's doing this:

2023/07/21 13:19:32 Starting WriteFreely 0.13.2...
2023/07/21 13:19:32 Loading /usr/local/bin/config.ini configuration...
2023/07/21 13:19:32 Loading templates...
2023/07/21 13:19:32 Loading pages...
2023/07/21 13:19:32 Loading user pages...
2023/07/21 13:19:32 Loading encryption keys...
2023/07/21 13:19:32 Connecting to mysql database...
2023/07/21 13:19:32 Initializing local timeline...
2023/07/21 13:19:32 Adding awadwatt.com routes (multi-user)...
2023/07/21 13:19:32 Going to serve...
2023/07/21 13:19:32 Serving on https://localhost:443
2023/07/21 13:19:32 Using manual certificates
2023/07/21 13:19:32 ---
2023/07/21 13:19:32 Serving redirects on http://localhost:80
<and nothing else>

If I reconfig to use WF’s built in autocert and restart, it works fine. DNS is mapped correctly, ports 80 and 443 are being fwd through my router just fine. If I configure to use the certbot certs WF just sits there and refuses all connections, no hint in the log.

Thinking that I had bodged the certbot certificate, I just redid it:

famine:/etc/letsencrypt/archive/awadwatt.com # certbot certonly --standalone -d www.awadwatt.com -d awadwatt.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Invalid OCSP response for /etc/letsencrypt/archive/awadwatt.com/cert1.pem: param thisUpdate is in the future..
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/awadwatt.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for www.awadwatt.com and awadwatt.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/awadwatt.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/awadwatt.com/privkey.pem
This certificate expires on 2023-10-19.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
famine:/etc/letsencrypt/archive/awadwatt.com # ls -lat
total 40
drwxr-xr-x 1 root root  180 Jul 21 13:18 .
-rw-r--r-- 1 root root 1513 Jul 21 13:18 cert2.pem
-rw-r--r-- 1 root root 3749 Jul 21 13:18 chain2.pem
-rw-r--r-- 1 root root 5262 Jul 21 13:18 fullchain2.pem
-rw------- 1 root root  241 Jul 21 13:18 privkey2.pem
-rw-r--r-- 1 root root 1509 Jul  9 10:31 cert1.pem
-rw-r--r-- 1 root root 3749 Jul  9 10:31 chain1.pem
-rw-r--r-- 1 root root 5258 Jul  9 10:31 fullchain1.pem
-rw------- 1 root root  241 Jul  9 10:31 privkey1.pem
drwx------ 1 root root   24 Jul  9 10:31 ..
famine:/etc/letsencrypt/archive/awadwatt.com #

(the “live” certbot shortcuts are redirects to …/archive/).

And using the WF autocert (which is only for the one domain), it quite happily serves the one, but not the other:

2023/07/21 13:29:13 Loading user pages...
2023/07/21 13:29:13 Loading encryption keys...
2023/07/21 13:29:13 Connecting to mysql database...
2023/07/21 13:29:13 Initializing local timeline...
2023/07/21 13:29:13 Adding awadwatt.com routes (multi-user)...
2023/07/21 13:29:13 Going to serve...
2023/07/21 13:29:13 Using autocert on host awadwatt.com
2023/07/21 13:29:13 Serving on https://localhost:443
2023/07/21 13:29:13 ---
2023/07/21 13:29:13 Serving redirects on http://localhost:80
2023/07/21 13:30:56 "POST /api/collections/tezoatlipoca/inbox" 200 2.385302ms "http.rb/5.1.1 (Mastodon/4.1.4+nightly-20230718; +https://mastodon.social/)"
2023/07/21 13:30:59 http: TLS handshake error from 10.0.0.86:2217: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:30:59 http: TLS handshake error from 10.0.0.86:2218: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:30:59 http: TLS handshake error from 10.0.0.86:2219: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:00 http: TLS handshake error from 10.0.0.86:2225: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:04 http: TLS handshake error from 10.0.0.86:2231: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:04 http: TLS handshake error from 10.0.0.86:2232: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:04 http: TLS handshake error from 10.0.0.86:2233: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:04 http: TLS handshake error from 10.0.0.86:2235: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:04 http: TLS handshake error from 10.0.0.86:2236: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:04 http: TLS handshake error from 10.0.0.86:2237: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:04 http: TLS handshake error from 10.0.0.86:2238: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:04 http: TLS handshake error from 10.0.0.86:2239: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:31:05 "POST /api/collections/metalsamurai/inbox" 200 3.079651ms "http.rb/5.1.1 (Mastodon/4.1.4+nightly-20230718; +https://mastodon.social/)"
2023/07/21 13:31:15 "GET /" 200 3.672292ms "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
2023/07/21 13:31:15 "GET /favicon.ico" 200 10.476545ms "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
2023/07/21 13:31:17 "GET /me/c/" 200 5.171141ms "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
2023/07/21 13:31:19 "GET /me/c/tezoatlipoca/stats" 200 7.202784ms "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
2023/07/21 13:31:51 "POST /api/collections/metalsamurai/inbox" 200 2.998471ms "http.rb/5.1.1 (Mastodon/4.1.4+nightly-20230718; +https://mastodon.social/)"
2023/07/21 13:32:09 "POST /api/collections/tezoatlipoca/inbox" 200 3.211894ms "http.rb/5.1.1 (Mastodon/4.1.4+nightly-20230718; +https://mastodon.social/)"
2023/07/21 13:33:38 "POST /api/collections/metalsamurai/inbox" 200 3.142151ms "http.rb/5.1.1 (Mastodon/4.1.4+nightly-20230718; +https://mastodon.social/)"
2023/07/21 13:34:13 "POST /api/collections/tezoatlipoca/inbox" 200 3.190279ms "http.rb/5.1.1 (Mastodon/4.1.4+nightly-20230718; +https://mastodon.social/)"
2023/07/21 13:34:25 "POST /api/collections/metalsamurai/inbox" 200 3.080844ms "http.rb/5.1.1 (Mastodon/4.1.4+nightly-20230718; +https://mastodon.social/)"
2023/07/21 13:34:30 http: TLS handshake error from 87.120.88.251:60736: acme/autocert: missing server name
2023/07/21 13:34:33 http: TLS handshake error from 23.251.102.74:54212: acme/autocert: missing server name
2023/07/21 13:34:46 http: TLS handshake error from 37.187.142.36:42226: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist

Just an update on this. I was never able to get WriteFreely to use the LetsEncrypt certbot certificates directly - but I’d chalk that up to just not knowing what I was doing w.r.t certbot and dns and… oh it was a lot of floundering and flailing (then combine that with LE/certbot rate limiting oh it was fun.)

What I have found much easier (and how I got it to work) was putting WriteFreely behind Nginx. Which was what I wanted to do anyway - that way Nginx (which is already quite friendly to Certbot) gets to worry about handling the certs, just configured WF to worry about itself.

  • WF gets moved to a different port freeing up 80/443 for something else that can't run a dynamic port
  • nginx worries about redirecting AND www. to the same WF:
  • nginx worries about the certs
2 Likes

That is what I do for another domain; nginx points www to the root domain, and certbot sorts out both certs. It also serves WF for me.

I just had a thought that you might have had issues because WF was still running and using the port, causing certbot to not connect over 80. I have had the same issue when running certbot --standalone and forgot to stop nginx in the past.

edit: after checking your blog… don’t mind me, you seem to know what you’re doing :grin:

don’t mind me, you seem to know what you’re doing

eh, not sure that was the case back then. I’ve learned a lot in the last 9 months. But… back when I was flailing around and it wasn’t working I didn’t have NGINX in place so who knows.

So technically this bug may still exist. I’ve corrected my certs so they properly cover awadwatt.com and *.awadwatt.com. NGINX can sling that just fine. I'm curious to see if I revert back to my old WF config with the manual certs and use my cert directly (and drop NGINX) if I can reproduce the issue - where WF starts, but just sits there and refuses to respond to any inbound connection.

1 Like
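An added diagnostic for the two symptoms in this thread, not code from WriteFreely or from any poster: it flags a `config.ini` that combines manual certificates with a loopback `bind`, and pulls the hostnames autocert rejected out of a log. Assumptions: the posted settings live under a `[server]` section header (not shown in the excerpt), and in manual-certificate mode WriteFreely listens only on the `bind` address printed in its "Serving on" line, which matches the refused connections but is not confirmed on the page.

```python
import configparser
import ipaddress
import re

# TLS-related values from the config.ini posted in the thread; the [server]
# header is an assumption, the excerpt starts below it.
SAMPLE_INI = """
[server]
port = 443
bind = localhost
tls_cert_path = /etc/letsencrypt/live/awadwatt.com/fullchain.pem
tls_key_path = /etc/letsencrypt/live/awadwatt.com/privkey.pem
autocert = false
"""

# Two lines copied from the autocert log in the thread.
SAMPLE_LOG = """\
2023/07/21 13:30:59 http: TLS handshake error from 10.0.0.86:2217: acme/autocert: host "www.awadwatt.com" not configured in HostWhitelist
2023/07/21 13:34:30 http: TLS handshake error from 87.120.88.251:60736: acme/autocert: missing server name
"""

def is_loopback(bind):
    """True when the bind value only accepts connections from the host itself."""
    if bind.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind.strip()).is_loopback
    except ValueError:
        return False  # empty value or a hostname: cannot be decided offline

def check_server(ini_text):
    """Return findings for a standalone-TLS [server] section."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    s = cp["server"]
    manual_tls = bool(s.get("tls_cert_path", fallback="")) and \
        not s.getboolean("autocert", fallback=False)
    findings = []
    if manual_tls and is_loopback(s.get("bind", fallback="")):
        # Assumed cause: a loopback-only listener refuses every remote client.
        findings.append("manual certs + loopback bind: only local clients can connect")
    return findings

def rejected_hosts(log_text):
    """Hostnames autocert refused because its whitelist does not list them."""
    pat = re.compile(r'acme/autocert: host "([^"]+)" not configured in HostWhitelist')
    return sorted(set(pat.findall(log_text)))
```
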