Let's Encrypt, Drupal, and Dreamhost

Several days ago I let my $15 a year Comodo certificate go and replaced it with a "Let's Encrypt" certificate acquired through my hosting service - Dreamhost.

"I just assumed." Fatal words. I thought my replacement certificate would just show up and everything would continue working.

Not so. There were two gotchas.

In order to be secure, Drupal locks down access to dot directories (names beginning with a period). "Let's Encrypt" uses one such directory (.well-known) to hold the certificate. There is a fix in Drupal 8.3, but not in lower versions, nor in Drupal 7.

To make your Drupal site work with "Let's Encrypt", follow these instructions from Cloudway; the changes required in the .htaccess file are below.

This line:

<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">

Is replaced with this line:

<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">

And, this line:

RewriteRule "(^|/)\." - [F]

Is replaced with this line:

RewriteRule "(^|/)\.(?!well-known)" - [F]
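To check that the edited rules really open up only .well-known while still refusing the other dot files, the following script (an added example, not part of the original post or of Drupal's or Cloudways' own code) runs the stock and patched patterns from the two .htaccess lines above against a handful of constructed request paths. It mimics how Apache applies them: FilesMatch tests the file's basename, a per-directory RewriteRule tests the path without its leading slash, and [F] means a 403. It also includes a slightly tighter RewriteRule variant of my own (REWRITE_STRICT, not from the post) that exempts only the exact directory name.

```python
import re

# Patterns copied from the .htaccess lines above: the stock Drupal FilesMatch
# regex and the Cloudways version with the (?!well-known) negative lookahead.
FILESMATCH_BEFORE = (
    r"\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)"
    r"(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$"
    r"|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)
FILESMATCH_AFTER = (
    r"\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)"
    r"(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$"
    r"|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)
REWRITE_BEFORE = r"(^|/)\."
REWRITE_AFTER = r"(^|/)\.(?!well-known)"
# Tighter variant (my suggestion, not from the post): only the exact name
# .well-known is exempted, so something like .well-known-old stays blocked.
REWRITE_STRICT = r"(^|/)\.(?!well-known($|/))"


def filesmatch_blocks(pattern: str, path: str) -> bool:
    """<FilesMatch> tests its regex against the file's basename only."""
    basename = path.rsplit("/", 1)[-1]
    return re.search(pattern, basename) is not None


def rewrite_blocks(pattern: str, path: str) -> bool:
    """A per-directory RewriteRule sees the URL path relative to the .htaccess
    directory, i.e. without the leading slash; [F] returns 403 on a match."""
    return re.search(pattern, path.lstrip("/")) is not None


def is_forbidden(path: str, filesmatch: str, rewrite: str) -> bool:
    """The request is refused if either rule fires."""
    return filesmatch_blocks(filesmatch, path) or rewrite_blocks(rewrite, path)


# Constructed sample request paths; the ACME token name is made up.
SAMPLE_PATHS = [
    ".well-known/acme-challenge/EXAMPLE_TOKEN",
    ".git/config",
    ".htaccess",
    "sites/default/.env",
    "core/composer.json",
    "index.php",
    ".well-known-old/secret",
]


def compare(paths=SAMPLE_PATHS):
    """Map each path to (blocked by stock rules, blocked by patched rules,
    blocked by patched FilesMatch plus the strict RewriteRule)."""
    return {
        p: (
            is_forbidden(p, FILESMATCH_BEFORE, REWRITE_BEFORE),
            is_forbidden(p, FILESMATCH_AFTER, REWRITE_AFTER),
            is_forbidden(p, FILESMATCH_AFTER, REWRITE_STRICT),
        )
        for p in paths
    }


if __name__ == "__main__":
    print(f"{'path':45} stock  patched  strict")
    for p, (before, after, strict) in compare().items():
        print(f"{p:45} {before!s:6} {after!s:8} {strict!s}")
```

Running it shows the challenge path going from blocked to allowed while .git, .htaccess, .env and composer.json stay forbidden. The last row is the caveat: because the lookahead is (?!well-known) with nothing after it, the patched RewriteRule also lets through any dot name that merely starts with "well-known"; the strict variant closes that gap. Apache uses PCRE and Python uses its own engine, but these patterns only use constructs both treat the same way.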

While I was reluctant to make changes to .htaccess, I have discovered over the years that .htaccess is an easy file to just pull out and reinsert after an upgrade, or to roll back with git.

Of course, you will also need to make sure that anybody who arrives over http ends up on https. You accomplish that by adding the following code to .htaccess (taken from https://drupal.org/https-information):

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com*
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
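The three lines above combine two conditions with [OR] and then rewrite the whole path, which is easy to misread. This added example (mine, not from the post or from drupal.org) simulates what Apache does with them for a few constructed requests: it evaluates both RewriteConds, and when either holds it applies the RewriteRule in per-directory context (path matched without its leading slash) and returns the 301 target. The host regex and target URL are the post's example.com placeholders.

```python
import re

# Rules from the .htaccess snippet above (drupal.org/https-information):
#   RewriteCond %{HTTPS} off [OR]
#   RewriteCond %{HTTP_HOST} ^www\.example\.com*
#   RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
HOST_PATTERN = r"^www\.example\.com*"
RULE_PATTERN = r"^(.*)$"
TARGET = "https://example.com/"


def redirect_target(https_on: bool, host: str, request_path: str):
    """Return the 301 Location these rules would send, or None when the
    request is served as-is. The two RewriteConds are joined with [OR], so
    the rule fires when either one holds."""
    cond_https_off = not https_on
    cond_www_host = re.search(HOST_PATTERN, host) is not None
    if not (cond_https_off or cond_www_host):
        return None
    # Per-directory context: Apache strips the directory prefix (here the
    # leading slash) before matching, and $1 is what ^(.*)$ captured.
    m = re.search(RULE_PATTERN, request_path.lstrip("/"))
    return TARGET + m.group(1)


# Constructed sample requests: (HTTPS on?, Host header, request path)
SAMPLE_REQUESTS = [
    (False, "example.com", "/user/login"),
    (False, "www.example.com", "/"),
    (True, "www.example.com", "/node/1"),
    (True, "example.com", "/node/1"),
    (True, "www.example.co", "/"),  # hits the trailing * in the host pattern
]


def run(requests=SAMPLE_REQUESTS):
    """Evaluate every sample request and return (https, host, path, target)."""
    return [(https, host, path, redirect_target(https, host, path))
            for https, host, path in requests]


if __name__ == "__main__":
    for https, host, path, target in run():
        scheme = "https" if https else "http"
        print(f"{scheme}://{host}{path:12} -> {target or '(served as-is)'}")
```

Two things the simulation makes visible. First, the host condition is what also folds www.example.com onto the bare domain even when the request is already HTTPS, so the canonical https://example.com/ form is reached in one hop. Second, in ^www\.example\.com* the star quantifies only the final m, so the condition also matches hosts such as www.example.co; if you want an exact host match, anchor it as ^www\.example\.com$. Apache carries the original query string across to the new URL on its own; the simulation covers only the path.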

The second thing I needed to pay attention to was the Secure Pages module. While it said it was using https://, it wasn't. Disabling and then re-enabling the module allowed it to pick up the secure pages and automatically redirect to https://.

I headed over to begin writing this article only to discover that I got a weird message from my Firefox browser. After a cache flush and logging back into the site, not only was I looking at a secure padlock, I was seeing the new "Let's Encrypt" certificate.