I found that I have trouble on most Virtualmin installations with getting letsencrypt to run, if I do a default redirect to https.
I've tried a lot of things, but want to know: what is your way to create a rock-solid letsencrypt configuration once, and use it all the time without additional adjustments?
My idea is to set up the server in such a way that all letsencrypt certificates are placed in /var/www/letsencrypt.
Then create an nginx rule so that all .well-known/acme-challenge requests have the above directory as root.
BUT I can't figure out how (in the background) letsencrypt creates those "acme-challenge" files, and how I can configure it so that it will place them in this global directory.
If not, post problems here in the forum or on GitHub, whatever the issue is… ?
I didn't read, hmm, or I didn't find that you posted your problems here where there were no solutions yet.
Meaning, did you share your problems with the Virtualmin team, Support, or some experienced admins here? (Not me of course, but only pointing out first things first.)
I myself expect you have, if you go away from the Virtualmin way to things like certbot or such.
Do not be offended, it’s no offense, but if you don’t have an answer, please don’t answer.
Let other ones answer, who have and want to share their experiences.
That's what this thread is about… getting experiences with configuring letsencrypt and finding a rock-solid solution.
Only a tip/advice, knowing it is not the answer you're looking for.
For others looking for help and support it could be handy if you shared your problems and what parts didn't work out, though?
While this is for Virtualmin support, and the Virtualmin way itself should be as rock solid as it can be, on more places and panels there were problems with LE after the changes from the certs that expired in September. Only one example.
@jotst Only “written words” sometimes leave room for misunderstanding, so it’s nice to hear that we get along well.
@tpnsolutions In my current case, which gives me some trouble, I have a subdomain (api.xxx.tld) which should get a letsencrypt certificate.
But it also should work with proxy_pass.
How can I achieve that letsencrypt can do the challenge, but the proxy_pass also works as expected?
But this always returns a 404 error. If I remove the proxy settings, it works as expected in dry-run.
What is the way to only allow the acme-challenge for http, and redirect anything else via proxy_pass?
BTW:
If I do certbot --version on bash, I get 0.40.0. This seems to be pretty old? Do I need to upgrade certbot manually, or is this the current version which webmin uses?
And if I create a file which only contains hi in the document root of the subdomain, I can open it via browser and see in the response headers that the flag is set.
BUT if I try to create a letsencrypt certificate via CLI dry-run, I get this 404 page error:
Domain: api.xxx.com
Type: unauthorized
Detail: Invalid response from
http://api.xxx.com/.well-known/acme-challenge/RlTaP8KgDhZpAXTFeZQmkJDV778pAr4_-teeBpNxYxI
[123.123.123.123]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
So I really wonder, why does the URL request in the browser work as expected, but the CLI command with certbot doesn't?
Might it be that webmin / letsencrypt didn't place the file in the right directory?
The solution was to create this check for the well-known location, but not do any redirect there.
This way it works as expected now, and the certificate was created.
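The layout described in this thread (a fixed ACME webroot, a location block for .well-known/acme-challenge that is neither redirected nor proxied, and proxy_pass for everything else), written out as an added example; this is not configuration from the thread or from Virtualmin. The hostname api.example.com, the backend 127.0.0.1:7889 (the port mentioned later in the thread) and the certificate paths under /etc/letsencrypt/live/ are assumed placeholders; /var/www/letsencrypt is the global webroot the opening post proposes.

```nginx
# Port 80: answer HTTP-01 challenges from a fixed webroot, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name api.example.com;              # assumed placeholder hostname

    # ACME challenge files. "^~" makes this prefix location win over any regex
    # location, so a challenge request never falls through to the redirect.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;            # global webroot shared by all sites
        default_type "text/plain";
        try_files $uri =404;                  # serve the token file or fail clearly
    }

    # Everything else on plain HTTP goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: reverse proxy to the application.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.example.com;

    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;    # assumed path

    # Keep the challenge reachable over HTTPS too, so it is never proxied.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        try_files $uri =404;
    }

    # One proxy_pass per location block; this is the only place traffic is proxied.
    location / {
        proxy_pass http://127.0.0.1:7889;     # assumed backend
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With the root directive above, a request for /.well-known/acme-challenge/TOKEN maps to /var/www/letsencrypt/.well-known/acme-challenge/TOKEN, which is exactly where certbot's webroot plugin writes the token when it is run as certbot certonly --webroot -w /var/www/letsencrypt -d api.example.com --dry-run. Check the configuration with nginx -t before reloading, and verify the mapping by dropping a test file into that directory and fetching it with curl over plain HTTP: a 404 at that point means the request is still reaching a different location block (the symptom in the thread), not that DNS is wrong. Because Virtualmin only inserts its own exception when it triggers the renewal, keeping the location explicitly in the config is what makes both the Virtualmin renewal and a manual certbot run behave the same way.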
Interesting situation, I’m gonna send a quick message over the VM @staff to see if they might be able to shed some insight on whether this should be possible, and/or something that might be doable in terms of implementing… Generally if there’s a good argument for a feature or enhancement, they’ll definitely hear you out and either provide a workaround if there is an easy one and/or implement the feature to make life easier for the masses.
May I ask what you are proxying to? Is it a custom app running on port 7889?
So Virtualmin should already be adding a rule that prevents a redirect or proxy under the .well-known path when re-requesting a Let’s Encrypt cert. However, this only happens when the renewal is triggered by Virtualmin, not if the certbot tool is used.
@Jamie in my case, both didn't work as expected. That's why I was searching for the issue and a solution for this problem.
I've added the proxy_pass straight in the config file… might this be the issue, that VM doesn't recognise it correctly? Might I need to create this proxy_pass via the VM GUI only?
I have a similar setup but with Apache. When setting the proxy via 'Edit Proxy Website' I still have to manually add the following to allow Let's Encrypt to work:
This won't work if you still need proxy_pass to redirect to another URL.
I tried it, and it's not possible to have more than one proxy_pass directive.
Failed to save configuration file : Configuration is invalid : nginx: [emerg] invalid number of arguments in “proxy_pass” directive in /etc/nginx/sites-enabled/test.domain.conf:34 nginx: configuration file /etc/nginx/nginx.conf test failed
BTW: You mean proxy_pass and not ProxyPass, right… or did you mean this as an Apache config setting? (My request was about the nginx config.)
Yes, my instructions were for Apache - sorry to hi-jack your question.
I thought it might be useful to post the equivalent Apache configuration and also raise the point that if it was intended for this to be done automatically, it doesn’t appear to be being done for both nginx and Apache.