Enable HTTPS for main site

[mattharris]

Currently, the main jmri.org site is only accessible via HTTP.

More and more browsers flag this as insecure, leading to the potential of confusion for those browsing our site.

Additionally, not serving content over HTTPS has a negative impact on SEO ranking.

This issue is to act as a reminder for the tasks needed to implement this

[mattharris]

• Install certbot on server
• Check crontab for renewal jobs
• Get LetsEncrypt certificate for www.jmri.org and jmri.org
• Redirect all HTTP traffic to HTTPS via Apache
• Sort out mixed content on pages

[mattharris]

When running a crawl, found a problem href that seemed to cause an infinite loop - see JMRI/JMRI#7390

[mattharris]

Updated apache config to redirect all non-https requests to https.

Additionally, made https://www.jmri.org canonical.

[mattharris]

Based upon the jmriusers message https://groups.io/g/jmriusers/topic/34113103#163784 seems like the Check for updates functionality might be broken...

[bobjacobsen]

I get unexpected results trying to access the releaselist file with curl (wget seems fine):

% curl https://jmri.org/releaselist
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.jmri.org/releaselist">here</a>.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at jmri.org Port 443</address>

% curl http://jmri.org/releaselist
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.jmri.org/releaselist">here</a>.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at jmri.org Port 80</address>
</body></html>

but access as curl https://www.jmri.org/releaselist is OK. So perhaps the URL in the code needs to be changed to that?

[bobjacobsen]

Fixing it in the code is helpful, but fixing it so that old code can still check for updates would be good too. I didn't think of coding that Action to do a "if this goes wrong, you probably need to update" thing...

[mattharris]

Now fixed by using some rewrite rule magic ;-)

Added the following to the site config file

        # Redirect everything except `releaselist` in root
        RewriteEngine on
        RewriteCond %{REQUEST_URI} !/releaselist [NC]
        RewriteCond %{HTTPS} off
        RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI}

[mattharris]

@bobjacobsen can you double-check from your end the result from curl http://jmri.org/releaselist?

This is what I now get with the recently applied server config update:

$ curl http://jmri.org/releaselist
production:
 versions:
  4.16:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.16/JMRI.4.16+R6f9aced.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.16/JMRI.4.16+R6f9aced.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.16/JMRI.4.16+R6f9aced.exe"
  4.14:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.14/JMRI.4.14+Rd060e0b.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.14/JMRI.4.14+Rd060e0b.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.14/JMRI.4.14+Rd060e0b.exe"
  4.12:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.12/JMRI.4.12+Rb6a9bb1.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.12/JMRI.4.12+Rb6a9bb1.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.12/JMRI.4.12+Rb6a9bb1.exe"
test:
 versions:
  4.17.4:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.17.4/JMRI.4.17.4+Rbf0d1af.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.17.4/JMRI.4.17.4+Rbf0d1af.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.17.4/JMRI.4.17.4+Rbf0d1af.exe"
  4.17.3:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.17.3/JMRI.4.17.3+R12d2ded.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.17.3/JMRI.4.17.3+R12d2ded.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.17.3/JMRI.4.17.3+R12d2ded.exe"
  4.15.9:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.15.9/JMRI.4.15.9+Re0a9348.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.15.9/JMRI.4.15.9+Re0a9348.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.15.9/JMRI.4.15.9+Re0a9348.exe"

# This file contains information about the last few JMRI (https://jmri.org) releases.
# JMRI is distributed under license. More information is at https://jmri.org/Copyright.html
#
# Note to maintainers:  The zero, one, two, three space indentations in this file are significant

And this is from curl https://www.jmri.org/releaselist:

$ curl https://www.jmri.org/releaselist
production:
 versions:
  4.16:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.16/JMRI.4.16+R6f9aced.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.16/JMRI.4.16+R6f9aced.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.16/JMRI.4.16+R6f9aced.exe"
  4.14:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.14/JMRI.4.14+Rd060e0b.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.14/JMRI.4.14+Rd060e0b.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.14/JMRI.4.14+Rd060e0b.exe"
  4.12:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.12/JMRI.4.12+Rb6a9bb1.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.12/JMRI.4.12+Rb6a9bb1.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.12/JMRI.4.12+Rb6a9bb1.exe"
test:
 versions:
  4.17.4:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.17.4/JMRI.4.17.4+Rbf0d1af.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.17.4/JMRI.4.17.4+Rbf0d1af.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.17.4/JMRI.4.17.4+Rbf0d1af.exe"
  4.17.3:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.17.3/JMRI.4.17.3+R12d2ded.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.17.3/JMRI.4.17.3+R12d2ded.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.17.3/JMRI.4.17.3+R12d2ded.exe"
  4.15.9:
   tgz: "https://github.com/JMRI/JMRI/releases/download/v4.15.9/JMRI.4.15.9+Re0a9348.tgz"
   dmg: "https://github.com/JMRI/JMRI/releases/download/v4.15.9/JMRI.4.15.9+Re0a9348.dmg"
   exe: "https://github.com/JMRI/JMRI/releases/download/v4.15.9/JMRI.4.15.9+Re0a9348.exe"

# This file contains information about the last few JMRI (https://jmri.org) releases.
# JMRI is distributed under license. More information is at https://jmri.org/Copyright.html
#
# Note to maintainers:  The zero, one, two, three space indentations in this file are significant

So, we should be able to either:

• leave things as-is
• change to use the now canonical form

[mattharris]

Looks like the rewrite rule needs to also consider the problem-report.php file as well in jmri.jmrit.mailreport.ReportPanel

[mattharris]

Fixed that one now also

[bobjacobsen]

can you double-check from your end the result from curl http://jmri.org/releaselist?

Works! it’s getting the right file.

[bobjacobsen]

This all seems to be working really well now. @mattharris Thank you! Can we close this?

[mattharris]

There are still some mixed-content pages, but we can deal with these as-and-when we find them.

Plus it looks like the first automated certificate renewal has run successfully this morning:

So agree that this can be closed now.