See the closed discussion : Lets Encrypt/Proxy website
It’s annoying that such a basic feature is still not fixed.
Hello,
Can you please describe your configuration and/or how we could reproduce the issue? We would like to have it fixed!
Sure.
System :
To reproduce via Virtualmin panel
If you don't wait, the renewal goes fine; I assume there is some sort of cache somewhere.
It failed when I was on vacation, and I got spam mail every hour for two weeks…
Not sure if this is 100% the case for you, though I have this happening on a "customized" Virtualmin server too.
It happens due to the external host that proxies the requests to the internal host. For the renewal of Let's Encrypt certs, it uses a path on the "webroot", namely "/.well-known/acme-challenge/", and then some random file.
Exclude the above path from the reverse proxy path and renewal should work (i.e. the path above should not be forwarded, but served by the proxy itself from the default location).
Hi, thanks for your reply. My configuration is 100% made from the Virtualmin UI, with no custom modification by editing the conf file.
I can manage to avoid the renewal bug by editing the conf file and excluding ".well-known" from the reverse proxy, but the next time I create a virtual host it will be forgotten.
Can you also post a complete virtual server Apache config file for that domain in question?
Here it is:
<VirtualHost 192.168.0.200:80>
SuexecUserGroup "#1007" "#1023"
ServerName sub.domain.tld
ServerAlias www.sub.domain.tld
ServerAlias mail.sub.domain.tld
ServerAlias webmail.sub.domain.tld
ServerAlias admin.sub.domain.tld
DocumentRoot /home/sub.domain.tld/public_html
ErrorLog /var/log/virtualmin/sub.domain.tld_error_log
CustomLog /var/log/virtualmin/sub.domain.tld_access_log combined
ScriptAlias /cgi-bin/ /home/sub.domain.tld/cgi-bin/
DirectoryIndex index.php index.php4 index.php5 index.htm index.html
<Directory /home/sub.domain.tld/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php7.4
FCGIWrapper /home/sub.domain.tld/fcgi-bin/php7.4.fcgi .php
FCGIWrapper /home/sub.domain.tld/fcgi-bin/php7.4.fcgi .php7.4
</Directory>
<Directory /home/sub.domain.tld/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.sub.domain.tld
RewriteRule ^(?!/.well-known)(.*) https://sub.domain.tld:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.sub.domain.tld
RewriteRule ^(?!/.well-known)(.*) https://sub.domain.tld:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.4
FcgidMaxRequestLen 1073741824
RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
<Proxy *>
allow from all
</Proxy>
</VirtualHost>
<VirtualHost 192.168.0.200:443>
SuexecUserGroup "#1007" "#1023"
ServerName sub.domain.tld
ServerAlias www.sub.domain.tld
ServerAlias mail.sub.domain.tld
ServerAlias webmail.sub.domain.tld
ServerAlias admin.sub.domain.tld
DocumentRoot /home/sub.domain.tld/public_html
ErrorLog /var/log/virtualmin/sub.domain.tld_error_log
CustomLog /var/log/virtualmin/sub.domain.tld_access_log combined
ScriptAlias /cgi-bin/ /home/sub.domain.tld/cgi-bin/
DirectoryIndex index.php index.php4 index.php5 index.htm index.html
<Directory /home/sub.domain.tld/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php7.4
FCGIWrapper /home/sub.domain.tld/fcgi-bin/php7.4.fcgi .php
FCGIWrapper /home/sub.domain.tld/fcgi-bin/php7.4.fcgi .php7.4
</Directory>
<Directory /home/sub.domain.tld/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.sub.domain.tld
RewriteRule ^(?!/.well-known)(.*) https://sub.domain.tld:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.sub.domain.tld
RewriteRule ^(?!/.well-known)(.*) https://sub.domain.tld:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.4
FcgidMaxRequestLen 1073741824
RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
<Proxy *>
allow from all
</Proxy>
SSLEngine on
SSLCertificateFile /home/sub.domain.tld/ssl.combined
SSLCertificateKeyFile /home/sub.domain.tld/ssl.key
SSLCACertificateFile /home/sub.domain.tld/ssl.ca
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
I think the problem is on the:
RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1
It should be instead:
ProxyPass /.well-known/acme-challenge !
ProxyPass /.wellknown !
It must be easy to fix. Although, why add the second line in the example above? Isn't it enough to just use:
ProxyPass /.well-known/acme-challenge !
I think the problem is on the: RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1
No, this is all correct and works for regular requests.
The upcoming Virtualmin 7.2 release will exclude all /.well-known paths from proxy pass for both Apache and Nginx configurations.
I don't remember why I was using those two lines instead of the first one only.
I tried another vhost this morning and I can assure you that the RedirectMatch is not sufficient.
Do you have a release date scheduled for the 7.2 version?
Yes, but it is needed for regular, non-proxied requests.
Do you have a release date scheduled for the 7.2 version?
No, but as long as Webmin 1.998 and Usermin 1.853 reaches Virtualmin repos, we are freed to focus completely on Virtualmin, and make its release happen as soon as possible.
Will it apply to newly created vhosts, or will it update already running vhosts?
It will only be applied to newly created virtual servers (domains). It will not update existing hosts automatically.
You can easily automate this (somehow) to insert that line into existing VirtualHosts, or go through the Apache configs manually using the Webmin / Servers ⇾ Apache Webserver: Edit Config Files page.
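As an added example, not code from this thread or from Virtualmin, here is a POSIX shell script that does what the two posts above describe: it carves /.well-known out of the catch-all "ProxyPass /" so Apache serves the ACME challenge files from DocumentRoot itself, and it inserts that line into every existing VirtualHost that lacks it, since the 7.2 fix only covers newly created domains. The config directory (/etc/apache2/sites-available) and the sample vhost it writes for demonstration are assumptions; the sample mirrors the shape of the vhost posted earlier in the thread. The important detail is placement: mod_proxy checks ProxyPass rules in configuration order and the first match wins, so the exclusion has to come before "ProxyPass /", which the script enforces and checks.

```shell
#!/bin/sh
# Added example, not code from the thread or from Virtualmin.
# Idempotently carve /.well-known out of the catch-all "ProxyPass /" in
# Apache vhost files, so ACME http-01 challenge files are served by Apache
# from DocumentRoot instead of being forwarded to the backend.
# The directory below is an assumption; Virtualmin installs vary.
CONF_DIR=${CONF_DIR:-/etc/apache2/sites-available}
EXCLUDE='ProxyPass /.well-known !'

# 0 when the file already carves out /.well-known or /.well-known/acme-challenge.
has_exclusion() {
  grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+/\.well-known(/acme-challenge)?[[:space:]]+!' "$1"
}

# 0 when the exclusion is declared before the catch-all "ProxyPass /".
# mod_proxy checks ProxyPass rules in configuration order and the first
# match wins, so an exclusion placed after "ProxyPass /" is never reached.
exclusion_first() {
  e=$(grep -nE '^[[:space:]]*ProxyPass[[:space:]]+/\.well-known(/acme-challenge)?[[:space:]]+!' "$1" | head -n 1 | cut -d: -f1)
  p=$(grep -nE '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]' "$1" | head -n 1 | cut -d: -f1)
  [ -n "$e" ] && [ -n "$p" ] && [ "$e" -lt "$p" ]
}

# Insert the exclusion, with matching indentation, right before the first
# "ProxyPass /" in $1. Files without a catch-all ProxyPass, or that already
# have the exclusion, are left untouched, so the script can be re-run safely.
add_exclusion() {
  f=$1
  grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]' "$f" || return 0
  has_exclusion "$f" && return 0
  tmp=$(mktemp) || return 1
  awk -v excl="$EXCLUDE" '
    !done && $1 == "ProxyPass" && $2 == "/" {
      match($0, /^[ \t]*/); print substr($0, 1, RLENGTH) excl; done = 1
    }
    { print }
  ' "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps owner/mode of the vhost file
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Patch every vhost in CONF_DIR, then syntax-check before anything is reloaded.
apply_all() {
  for f in "$CONF_DIR"/*.conf; do
    [ -f "$f" ] && add_exclusion "$f"
  done
  command -v apachectl >/dev/null && apachectl configtest
}

# Constructed sample mirroring the shape of the vhost posted in this thread.
make_sample() {
  cat > "$1" <<'EOF'
<VirtualHost 192.168.0.200:80>
    ServerName sub.domain.tld
    DocumentRoot /home/sub.domain.tld/public_html
    RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
EOF
}

case "${1:-}" in --apply) apply_all ;; esac
```

Run it as root with `--apply`, then reload Apache once `configtest` reports Syntax OK. To confirm the carve-out is actually hit, drop a test file under public_html/.well-known/acme-challenge/ and fetch it over plain HTTP from outside: if the reply is the backend's own 404 page rather than the file, the exclusion is missing or sits after "ProxyPass /". Note the RewriteRule and RedirectMatch lines in the posted vhost already skip .well-known, so the catch-all ProxyPass is the only directive that still forwards the challenge. If the backend application legitimately serves other /.well-known URIs (OpenID discovery, security.txt), use the narrower `ProxyPass /.well-known/acme-challenge !` instead, which `has_exclusion` also accepts.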