Five years later, the Webmin/Virtualmin Let's Encrypt auto-renew with Apache reverse proxy is still buggy

See the closed discussion: Lets Encrypt/Proxy website

It’s annoying that such a basic feature is still not fixed.

Hello,

Can you please describe what your configuration is and/or how we could reproduce the issue? We would like to have it fixed!

Sure.

System:

  • Ubuntu 20.04.4 LTS
  • Webmin 1.994
  • Usermin 1.840
  • Virtualmin 7.1-1
  • Apache 2.4.41

To reproduce via the Virtualmin panel:

  • Create a top level server
  • Activate SSL with Let's Encrypt
  • Set up a reverse proxy (ex: http://localhost:8080/)
  • Wait for the auto-renewal

If you don't wait, the renewal goes fine; I assume there is some sort of cache somewhere.

It failed when I was on vacation; I got spam mailed every hour for two weeks … :smiling_face_with_tear:

Not sure if this is 100% the case for you, though I have this happening on a "customized" Virtualmin server too.

It happens because the external host proxies the requests to the internal host. For the renewal of Let's Encrypt certs, it uses a path on the "webroot", being "/.well-known/acme-challenge/" followed by some random file.

Exclude the above path from the reverse proxy and renewal should work (i.e. the path above should not be forwarded, but served by the proxy itself from the default location).

Hi, thanks for your reply. My configuration is 100% made from the Virtualmin UI, with no custom modification by editing the conf file.

I can avoid the renewal bug by editing the conf file and excluding ".well-known" from the reverse proxy, but the next time I create a virtual host it will be forgotten.

Can you also post the complete Apache config file of the virtual server for the domain in question?

Here it is:

<VirtualHost 192.168.0.200:80>
    SuexecUserGroup "#1007" "#1023"
    ServerName sub.domain.tld
    ServerAlias www.sub.domain.tld
    ServerAlias mail.sub.domain.tld
    ServerAlias webmail.sub.domain.tld
    ServerAlias admin.sub.domain.tld
    DocumentRoot /home/sub.domain.tld/public_html
    ErrorLog /var/log/virtualmin/sub.domain.tld_error_log
    CustomLog /var/log/virtualmin/sub.domain.tld_access_log combined
    ScriptAlias /cgi-bin/ /home/sub.domain.tld/cgi-bin/
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/sub.domain.tld/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
        AddType application/x-httpd-php .php
        AddHandler fcgid-script .php
        AddHandler fcgid-script .php7.4
        FCGIWrapper /home/sub.domain.tld/fcgi-bin/php7.4.fcgi .php
        FCGIWrapper /home/sub.domain.tld/fcgi-bin/php7.4.fcgi .php7.4
    </Directory>
    <Directory /home/sub.domain.tld/cgi-bin>
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.sub.domain.tld
    RewriteRule ^(?!/.well-known)(.*) https://sub.domain.tld:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.sub.domain.tld
    RewriteRule ^(?!/.well-known)(.*) https://sub.domain.tld:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.4
    FcgidMaxRequestLen 1073741824
    RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    <Proxy *>
        allow from all
    </Proxy>
</VirtualHost>
<VirtualHost 192.168.0.200:443>
    SuexecUserGroup "#1007" "#1023"
    ServerName sub.domain.tld
    ServerAlias www.sub.domain.tld
    ServerAlias mail.sub.domain.tld
    ServerAlias webmail.sub.domain.tld
    ServerAlias admin.sub.domain.tld
    DocumentRoot /home/sub.domain.tld/public_html
    ErrorLog /var/log/virtualmin/sub.domain.tld_error_log
    CustomLog /var/log/virtualmin/sub.domain.tld_access_log combined
    ScriptAlias /cgi-bin/ /home/sub.domain.tld/cgi-bin/
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/sub.domain.tld/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
        AddType application/x-httpd-php .php
        AddHandler fcgid-script .php
        AddHandler fcgid-script .php7.4
        FCGIWrapper /home/sub.domain.tld/fcgi-bin/php7.4.fcgi .php
        FCGIWrapper /home/sub.domain.tld/fcgi-bin/php7.4.fcgi .php7.4
    </Directory>
    <Directory /home/sub.domain.tld/cgi-bin>
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.sub.domain.tld
    RewriteRule ^(?!/.well-known)(.*) https://sub.domain.tld:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.sub.domain.tld
    RewriteRule ^(?!/.well-known)(.*) https://sub.domain.tld:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.4
    FcgidMaxRequestLen 1073741824
    RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    <Proxy *>
        allow from all
    </Proxy>
    SSLEngine on
    SSLCertificateFile /home/sub.domain.tld/ssl.combined
    SSLCertificateKeyFile /home/sub.domain.tld/ssl.key
    SSLCACertificateFile /home/sub.domain.tld/ssl.ca
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>

I think the problem is on the:

RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1

It should be instead:

ProxyPass /.well-known/acme-challenge !
ProxyPass /.wellknown !

It must be easy to fix. Although, why add the second line in the example above? Isn't it enough to just use:

ProxyPass /.well-known/acme-challenge !


I think the problem is on the: RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1

No, this is all correct and works for regular requests.

Upcoming Virtualmin 7.2 release will exclude all /.well-known paths from proxy pass for both Apache and Nginx configurations.


I don't remember why I was using those two lines instead of the first one only.

I tried another vhost this morning and I can assure you that the RedirectMatch is not sufficient.

Do you have a release date scheduled for the 7.2 version?

Yes, but it is needed for regular, non-proxied requests.

Do you have a release date scheduled for the 7.2 version?

No, but once Webmin 1.998 and Usermin 1.853 reach the Virtualmin repos, we are free to focus completely on Virtualmin and make its release happen as soon as possible.

Will it apply to newly created vhosts or will it update already running vhosts?

It will only be applied to newly created virtual servers (domains). It will not update existing hosts automatically.

You can easily automate this (somehow) to insert that line into existing VirtualHosts, or go through the Apache configs manually using the Webmin / Servers ⇾ Apache Webserver: Edit Config Files page.
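The exclusion line from the earlier reply and the automation suggested here, as an added shell example that is not part of this thread and not Virtualmin's own code. It assumes ProxyPass lines are written unquoted as in the config posted above, that the vhost files are passed explicitly (e.g. /etc/apache2/sites-available/*.conf, an assumed path), and that the webroot is writable by whoever runs the final check. The awk pass inserts `ProxyPass /.well-known/acme-challenge !` directly before the first `ProxyPass /` of every VirtualHost that lacks it, because Apache only honours a ProxyPass exclusion that precedes the general mapping; the last function repeats what the ACME server does during HTTP-01 (fetch a token from the webroot over plain HTTP), which is the check that actually tells you renewal will work. The sample vhost at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Virtualmin's own code: find Apache VirtualHosts that
# proxy "/" to a backend without excluding the ACME HTTP-01 challenge path,
# insert the exclusion, and check that the path is served from the webroot.
# Assumptions: ProxyPass lines are unquoted, as in the config posted in this
# thread; vhost files are passed explicitly (e.g. /etc/apache2/sites-available/*.conf).
set -eu

EXCLUDE='ProxyPass /.well-known/acme-challenge !'
PROXY_ROOT='^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]'            # "ProxyPass / http://..."
PROXY_EXCL='^[[:space:]]*ProxyPass[[:space:]]+/\\.well-known/acme-challenge[[:space:]]+!'

# Print FILE:LINE of each <VirtualHost> that has "ProxyPass / ..." but no
# ACME exclusion. Exit status is 0 either way; callers look at the output.
find_unexcluded_vhosts() {
  awk -v root_re="$PROXY_ROOT" -v excl_re="$PROXY_EXCL" '
    function report() { if (has_proxy && !has_excl) print fname ":" start }
    $0 ~ "^[[:space:]]*<VirtualHost" { report(); fname = FILENAME; start = FNR; has_proxy = 0; has_excl = 0 }
    $0 ~ root_re { has_proxy = 1 }
    $0 ~ excl_re { has_excl = 1 }
    END { report() }
  ' "$@"
}

# Insert the exclusion directly before the first "ProxyPass / ..." of every
# VirtualHost that lacks it, reusing that line's indentation. The original
# file is kept as FILE.bak; run "apachectl configtest" before reloading.
add_acme_exclusion() {
  cp -p "$1" "$1.bak"
  awk -v excl="$EXCLUDE" -v root_re="$PROXY_ROOT" -v excl_re="$PROXY_EXCL" '
    function flush(   i) {
      for (i = 1; i <= n; i++) {
        if (i == first_proxy && !has_excl) {
          match(buf[i], /^[[:space:]]*/)
          print substr(buf[i], 1, RLENGTH) excl
        }
        print buf[i]
      }
      n = 0; first_proxy = 0; has_excl = 0
    }
    $0 ~ "^[[:space:]]*<VirtualHost" { flush() }
    {
      buf[++n] = $0
      if (!first_proxy && $0 ~ root_re) first_proxy = n
      if ($0 ~ excl_re) has_excl = 1
    }
    END { flush() }
  ' "$1.bak" > "$1"
}

# End-to-end check of the HTTP-01 step: drop a token in the webroot and fetch
# it over plain HTTP. A vhost that still proxies the path returns whatever the
# backend says instead of the token. Needs curl and working DNS; not run here.
#   usage: verify_challenge_path sub.domain.tld /home/sub.domain.tld/public_html
verify_challenge_path() {
  domain=$1; webroot=$2
  dir="$webroot/.well-known/acme-challenge"
  token="probe-$$"
  mkdir -p "$dir"
  printf '%s' "$token" > "$dir/$token"
  body=$(curl -sS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
  rm -f "$dir/$token"
  [ "$body" = "$token" ]
}

# Constructed sample (not a real server): the :80 vhost still proxies the
# challenge path, the :443 vhost already carries the exclusion.
sample_vhost() {
  cat <<'EOF'
<VirtualHost 192.168.0.200:80>
    ServerName sub.domain.tld
    DocumentRoot /home/sub.domain.tld/public_html
    RedirectMatch ^/(?!.well-known)(.*)$ https://sub.domain.tld/$1
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
<VirtualHost 192.168.0.200:443>
    ServerName sub.domain.tld
    DocumentRoot /home/sub.domain.tld/public_html
    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    SSLEngine on
</VirtualHost>
EOF
}

# Stand-alone demo on the sample. On a real host: find_unexcluded_vhosts over
# the site files, add_acme_exclusion on each reported file, configtest, reload,
# then verify_challenge_path for the domain.
tmp=$(mktemp)
sample_vhost > "$tmp"
echo "before: $(find_unexcluded_vhosts "$tmp")"
add_acme_exclusion "$tmp"
echo "after:  $(find_unexcluded_vhosts "$tmp")"     # empty: nothing left to fix
grep -n 'acme-challenge' "$tmp"                      # exclusion now in both vhosts
rm -f "$tmp" "$tmp.bak"
```

The detector keys on `ProxyPass /` followed by whitespace, so `ProxyPassReverse` and the exclusion itself are not mistaken for the general mapping; if a host writes the directive with quoted paths, extend PROXY_ROOT and PROXY_EXCL accordingly before trusting its report.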
