HOWTO migrate all of your SSL certificates from WebFaction

sean

‼️ If your WebFaction account is now closed then the automatic migration procedures below are not going to work for you. You'll need to add your certificates manually via your Opalstack dashboard.

When you migrate a site from WebFaction to Opalstack your SSL certificates are not migrated with it.

Opalstack can't issue a new certificate for you until your domains are pointed at us, so you'll need your old certificates to ensure that you have no initial HTTPS problems when you do point your domains.

You can add certificates manually but if you have a lot of them and would like to migrate them automatically then here's how:

Create an Opalstack API token if you don't have one already.
Log in to a SSH session on your Opalstack server.

Download migrate_wf_certs.py to your server:

wget https://gist.githubusercontent.com/defulmere/bc89af42f9ff82836fbb96789b208946/raw/39d954e51ac2f51b95de1e3bc642e1a317e42970/migrate_wf_certs.py

Edit the script to set the WF_USER, WF_PASS, WF_SERVER, and OPAL_TOKEN variables as directed by the comments in the script.

Save and run the script:

python3 migrate_wf_certs.py

The script will query WebFaction's API for your certificate and then add them to your Opalstack dashboard via the Opalstack API.

Once it's done, you can then assign the migrated certificates to your sites.

Note that this will not migrate managed Let's Encrypt certificates from WebFaction - you can still duplicate those on Opalstack as manual certificates by getting the certificate and key values from your ~/certificates directory at WebFaction.

Now go forth, migrate your certificates, and secure all the things!

john-asl

sean I just tried the SSL migration script and got the following error:

Traceback (most recent call last):
  File "migrate_wf_certs.py", line 20, in <module>
    wf_session, wf_account = wf.login(WF_USER,WF_PASS,WF_SERVER,2)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1112, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1452, in __request
    verbose=self.__verbose
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1154, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1170, in single_request
    return self.parse_response(resp)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1342, in parse_response
    return u.close()
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 656, in close
    raise Fault(**self._stack[0])
xmlrpc.client.Fault: <Fault 1: 'Not allowed to login to machine "web592"'>

Just in case, I tried swapping my WF panel PW out for my shell user password. That produced this error:

Traceback (most recent call last):
  File "migrate_wf_certs.py", line 20, in <module>
    wf_session, wf_account = wf.login(WF_USER,WF_PASS,WF_SERVER,2)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1112, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1452, in __request
    verbose=self.__verbose
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1154, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1170, in single_request
    return self.parse_response(resp)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1342, in parse_response
    return u.close()
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 656, in close
    raise Fault(**self._stack[0])
xmlrpc.client.Fault: <Fault 1: 'LoginError'>

Any idea what I'm doing wrong?

sean

john-asl using your shell user won't work.

Please try capitalizing the WF server name, ie use "Web592" instead of "web592" and let me know if that works.

abunur

sean I had the exact same issue, I tried capitalizing as per your suggestion and that did indeed work.
thanks!

abunur

So, before running this migration, some of my sites were loading fine, because I think they were using OpalStack's automatic LetsEncrypt certificate setup. Some, however, were getting the "this site is not private" error, for those on WebFaction the sites were using LetsEncrypt but the certificates had been manually generated and uploaded there.

After running the migration, the sites that were previously working, no get the "this site is not private" error, and the ones that weren't working before, are still not working. How can we enable the automatic LetsEncrypt certificates for all sites?

I did see that after the migration, three new certificates were added to my OpalStack dashboard, whereas before there were no certificates shown there. All of them however, are expired it seems. I deleted the certificates but the web sites still show this error. There must be some setting to change somewhere to enable the automatic certificates?

Also, entering "http://..." instead of "https://" shows a place holder page, "this site is hosted by OpalStack". How do we configure both URLs to redirect through SSL? Ah never mind, actually if I allow the ssl connection in the browser, I see both URLs lead to the placeholder page. Why aren't my migrated applications / web sites showing up instead?

sean

abunur this script migrates your manual certificates over but it does not attach them to your sites and it does not check to see if the certificates are expired. It just pulls over what you've got.

It doesn't migrate your LE certificates from WebFaction because they (inexplicably) hide the LE cert key from you there.

If you want to enable automatic LE for your sites, then go to https://my.opalstack.com/domains/, click edit for whatever site there, and then enable it. It will take a few minutes for the certificate to be generated, possibly longer if there are a lot of new certificates being generated.

abunur

sean so, I guess the migration also doesn't create the sites for you, just creates the domains. I created a site and selected to use the automatic LetsEncrypt certs, but after that all I get is a blank page when I try to load the site. If I view source of the blank page I see this:

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';

For the other sites, rather than a blank page, after I add a site in the admin panel for them I get an OpalStack placeholder page

sean

abunur The SSL certificate migration script described on this page does not migrate websites.

The problem with your site is that you've got an invalid PHP handler in your .htaccess, please see: Why is my site serving PHP source instead of my site?

For the other sites, if you're seeing the Opalstack page then you're probably visiting the sites before the certificates are ready.

If you email support @ opalstack.com and let us know exactly which sites are having problems then we can look into it for you.

abunur

sean great, thanks!