Let's Encrypt fails for subdomain pointing to Virtualmin host

Holy crap am I confused.

So, Webmin actually is serving this domain. This thread is absolute chaos.

OK, so let me see if I understand this:

  1. nginx is proxying (rather than redirecting) adminserver to localhost:10000
  2. And you’re trying to use Virtualmin’s Let’s Encrypt implementation to fetch a cert for it

That can’t work. It can’t have ever worked. Virtualmin’s Let’s Encrypt implementation assumes it is configuring certs for the regular web server (Apache or nginx). Webmin has the ability to request certs for itself…you might try that, if you only want one address for Webmin access.

Here are two things that could work within Virtualmin:

  1. Redirect. Don’t proxy. Allow nginx to serve the .well-known directory, but redirect everything else to port 10000. This is automatic, if you set your redirect address in Virtualmin to be adminserver.domain.tld (it’s normally admin.domain.tld). This would be reverting whatever manual stuff you’ve already done with regard to this adminserver domain.
  2. Proxy it, as you’re already doing, but exclude the .well-known directory, so that validation can still work. Validation for Virtualmin requested certs goes through the web server, by default. It can also validate via DNS in some circumstances, if you’re hosting the DNS locally (which doesn’t require the web server, but I don’t know how to tell Virtualmin it has to go this route…it would obviously try to validate the usual way, if you’ve got a domain in Virtualmin for this).

Or, as mentioned, if you only want one admin address for all domains, you can validate within Webmin. You don’t need a domain configured in Virtualmin in this case, and it’s probably simpler not to. Just create an A record for the admin name in your zone. Webmin can validate either web or DNS.
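The two options above come down to where nginx sends requests for the ACME challenge path. Let’s Encrypt’s HTTP-01 validation fetches `http://<name>/.well-known/acme-challenge/<token>`, so that prefix has to be answered by the web server from the webroot Virtualmin writes the token to, while everything else can go to Webmin. The block below is an added example of option 2 (with option 1 shown as a commented alternative); it is not Joe’s or Virtualmin’s configuration. The host name `adminserver.domain.tld`, the webroot `/var/www/html` and Webmin listening on `127.0.0.1:10000` over HTTPS are assumptions for illustration, not details from the thread.

```nginx
# Added example, not configuration from the thread or from Virtualmin.
# Assumed for illustration: name adminserver.domain.tld, ACME webroot
# /var/www/html, Webmin on 127.0.0.1:10000 speaking HTTPS.
server {
    listen 80;
    server_name adminserver.domain.tld;

    # Option 2: answer the HTTP-01 challenge path locally. The ^~ modifier
    # makes this prefix match win over any regex locations, so the token
    # file is never sent to the proxy. Only files that exist are served;
    # anything else under this prefix is a 404 rather than a proxied page.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to Webmin. Webmin serves HTTPS on 10000 by
    # default on most installs; change the scheme if yours is plain HTTP.
    location / {
        proxy_pass https://127.0.0.1:10000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Option 1 instead of proxying: keep the challenge location above
        # and replace the proxy_* lines with a redirect to Webmin's port.
        # return 301 https://$host:10000$request_uri;
    }
}
```

After reloading nginx, a quick check is to drop a test file into `/var/www/html/.well-known/acme-challenge/` and fetch it over plain HTTP by the admin name: if it comes back as text rather than a Webmin login page or a 403 from some other virtual host, validation will reach the right place. Remove the test file afterwards.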

@Joe

If I type the subdomain address into a browser, such as subdomain.ourdomain.com, and the subdomain is the webmin/virtualmin server, what is answering with the message:

Forbidden

You don’t have permission to access this resource.

I guess it’s the default server, which if I check the OOTB config for Apache is /var/www/. That is the crux of this issue and why I could work around it by creating a symlink from /var/www/html/.well-known to ourdomain/.well-known

I thought I had been clear above as to exactly what is happening. I had this issue, and my workaround allowed me to obtain a Let’s Encrypt cert for ourdomain.com and subdomain.ourdomain.com, which is the webmin/virtualmin server.

Cheers
Spart

@sparticle, I think yours is a completely different issue? Can you take it to another thread? I’m absolutely lost on this thread already. I can’t possibly wrap my head around another confusing issue that is completely different.

I think they are exactly the same. I believe the other chap’s default server is answering; it just might work differently to my OOTB LAMP install on Ubuntu.
Was just trying to help as my symptoms were identical.

Cheers
Spart


Are they? Are you proxying subdomain.ourdomain.com to localhost:10000? It’s my understanding that that’s what OP is doing (but, I may be wrong there).

I appreciate that! But, also grouchy because I’m confused and still getting more confused. I’m sorry I got short with you. I should probably take a break from the forums, as I’m getting frustrated at all the topic changes. It’s natural for folks to ramble, I should just step back when I feel grumpy about it.

No, I don’t believe anyone is trying to proxy to the webmin web server. I just think it’s the default web server that is answering for the sub.domain, and that is what is causing Let’s Encrypt to fail and not be able to read the challenge back from the domain’s .well-known challenge directory.

It’s the fact that the webmin server is a subdomain of the virtual server that is a use case that was probably not thought of.

Cheers
Spart


If that’s so, I’m back to not understanding what is being attempted. :wink: I’m taking a break.

:innocent: :zipper_mouth_face:

Not sure if it’s proxying (given my limited understanding of proxying); at least I have not manually set it to either proxy or redirect. The only thing I did when setting up virtualmin was to set adminserver.rodningenmarketing.no as the hostname for virtualmin. If I go to adminserver.rodningenmarketing.no:10000 I would land on virtualmin. If I don’t specify the port, I’m proxied to hvalergjestehage.no.

When requesting LE certs for the adminserver subdomain together with the main domain (rodningenmarketing) it has worked in the past.

That’s correct, we could try that! Where do I find that option?

If that alternative doesn’t work, we can check out the other alternatives you suggested.


And @sparticle definitely seems to have dealt with the same type of problem in the past, the only difference seems to be that he had his main domain on Apache. In my case I’m still not sure if it’s “nginx default server” or “webmin default server” that’s serving/proxying hvalergjestehage.no when entering adminserver.rodningenmarketing.no (OOTB).

For some reason my vps on AWS has some problems right now, so I’m waiting for that to be fixed on the AWS-end before I can test suggestions from this thread.

Oh!

Darn, you’re making this really hard on yourself. Just make it an alias of the main domain. Request a cert for the main domain, check the box to include the alias. You’re done.

But, also did you know that there’s already an automatic redirect of admin.domain.tld to Webmin setup by default? It can’t get a cert that way, so you have to browse to http://admin.domain.tld but then it redirects to https://domain.tld:10000 which can automatically have a cert, so it doesn’t really matter (and no 10000 needed, since it redirects).

Great! Where do I set it as alias?
Also I don’t see a box to include alias on the Let’s Encrypt page

If I browse there (with my domain), I get no IP-address found

Delete your current sub-server, and create a new one that’s an alias of the primary domain.

Then on the Let’s Encrypt page it will be listed in the Domains associated with this server option.

If you aren’t hosting your DNS on the Virtualmin server, obviously you need to create an A record for that name.

I’m not currently having adminserver.rodningenmarketing.no as a subserver, it’s only set as hostname for the webmin vps server.
So I need to make a new virtual server, use my subdomain and set the new server as an alias to the main domain?

What the heck? You’re making this way too complicated. You have rodningenmarketing.no as a domain in Virtualmin, right? So, select it in the dropdown domain list, and make an alias adminserver.rodningenmarketing.no by clicking Create Virtual Server and then click Alias of rodningenmarketing.no.

Now when you generate a certificate for rodningenmarketing.no, your adminserver alias will also be included.

Perfect that solved it :smile: Thanks for the assistance Joe!

Phew.

@Joe was awesome in his persistence in sorting this out.

:clap:
