Search a rock-solid configuration for letsencrypt

SYSTEM INFORMATION
OS type and version: Ubuntu 20.02
Webmin version: 1.981
Virtualmin version: 6.17

I found that I have trouble on most virtualmin installations with getting letsencrypt to run, if I do e default-redirect to https.

I’ve tried a lots of things, but want to know, what is your way to create a rock solid letsencrypt configuration once, and use it all the time without additional adjustments?

My Idea is, to setup the Server in this way, that all letsencrypt certificates are placed in /var/www/letsencrypt.
Then create a nginx-rule that all .well-known/acme-challange request have the above directory as root.

BUT I can’t figure out. how (in the background) letsencrypt do create those “acme-challenge”-Files, and how I can configure it, so that he will place it in this global directory.

Any suggestions for this?

Can’t help

But first look all you can find about letsencypt virtualmin way.
And the not virtualmin way example certbot.

Advice should be if you do all things right the virtualmin way should be ok and working.

If not post problems here in forum or github whatever isseu… ? :wink:

Merry Christmas :wink:

Funny answer.
Sorry, but this answer doesn’t helps in any way!

I think you not yet really read my request. I’ve still searched and tried a lot, that’s why I came here and ask for other experiences with it.

Funny answer. Same to while .

Can’t help

and

If not post problems here in forum or github whatever isseu… ? :wink:

I i didn’t read hmm or i didn’t found you posted your problems here where there where no solutions yet. :wink:

Meaning did you shared your problems with Virtualmin team , Support or here some experienced Admins. ? ( not me ofcousre but only pointing out first things first.)

I expect myself you have if you go away from virtualmin way to go to things like certbot or such.

Do not be offended, it’s no offense, but if you don’t have an answer, please don’t answer.

Let other ones answer, who have and want to share their experiences.
That’s what this thread is about… get experiences with letsencrypt configuring and founding a rock-solid solution.

I am not all is ok here :wink:

Only TIP advice , knowing it is not the answer you’re looking for.

For others looking for help and support it could be handy if you shared your problems and what parts didn’t worked out though?

While this is for virtualmin support, and the virtualmin way itself should be as rock solid as it can , and on more places and panels there where problems with LE after the changes from the certs expired in September. Only one example.

@suther,

Let’s Encrypt support within Virtualmin generally works fine, and also works well with certbot.

If you are having particular issues with the way it works, I’d be happy to see what can be done to address the matter.

I’d simply suggest that you don’t go out of your way to reinvent things unless it’s absolutely necessary.

If there’s a bug, the VM team will be happy to address, if it’s a misunderstanding I’d be happy to as would others work with you to clear up.

Happy holidays!

4 Likes

@jotst Only “written words” sometimes leave room for misunderstanding, so it’s nice to hear that we get along well. :+1:t3:

@tpnsolutions In my current case, which give me some trouble, I do have an subdomain (api.xxx.tld), which should get a letsencrypt certificate.
But it also should work with proxy_pass.

How can I archive, that letsencrypt can do the challange, but the proxy_pass also work as expected?

What I’ve tried is this:

	location / {
		if ($scheme = http) {
        	rewrite ^/(?!.well-known)/acme-challenge/(.*) https://$host/$1 break;
    	}	
		proxy_set_header	Host $host;
		proxy_set_header	X-Real-IP $remote_addr;
		proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header	X-Forwarded-Proto $scheme;
		proxy_pass http://localhost:7899/;
	}

But this returns always an 404 error. If I remove the proxy-settings, it works like expected in dry-run.

What is the way to only allow the acme-challenge for http, and redirect anything else via proxy_pass?

BTW:
If I do certbot --version on bash, I got 0.40.0. This seems to be pretty old? Do I need to upgrade certbot manually, or is this the current version which webmin do use?

1 Like

I have additional info on the issue above:

I’ve set now an own header like this:

	location ^~ /.well-known/acme-challenge/ {
		default_type "text/plain";
		add_header X-sasu-header "jo"; 
	    rewrite /.well-known/acme-challenge/(.*) /$1 break;
	}

And if I create a file which only contain hi in the document-root of the subdomain, I can open it via Browser and see in Response-Headers that the flag is set.

BUT if I try to create an letsencrypt-certificate via CLI dry-run, I got this 404 Page error:

   Domain: api.xxx.com
   Type:   unauthorized
   Detail: Invalid response from
   http://api.xxx.com/.well-known/acme-challenge/RlTaP8KgDhZpAXTFeZQmkJDV778pAr4_-teeBpNxYxI
   [123.123.123.123]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

So I really wonder, why does the URL-Request in the browser work like expected, but the cli-command with certbot don’t?

Might it be, that webmin / letsencrypt, didn’t place the file in the right directory?

I got it. :partying_face:

Made it now as follows:

	location ~* /.well-known/acme-challenge/ {
		default_type "text/plain";
	    #rewrite /.well-known/acme-challenge/(.*) /$1 break;
	}
	
	listen 123.123.123.123:443 ssl;
	location / {
		proxy_set_header	Host $host;
		proxy_set_header	X-Real-IP $remote_addr;
		proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header	X-Forwarded-Proto $scheme;
		proxy_pass http://localhost:7889/;
	}

The solution was to create this well-known check for location, but don’t do any redirect there.
This way it works as expected now, and the certificate was created.

@suther,

Interesting situation, I’m gonna send a quick message over the VM @staff to see if they might be able to shed some insight on whether this should be possible, and/or something that might be doable in terms of implementing… Generally if there’s a good argument for a feature or enhancement, they’ll definitely hear you out and either provide a workaround if there is an easy one and/or implement the feature to make life easier for the masses.

May I ask what you are proxying to? Is it a custom app running on port 7889?

So Virtualmin should already be adding a rule that prevents a redirect or proxy under the .well-known path when re-requesting a Let’s Encrypt cert. However, this only happens when the renewal is triggered by Virtualmin, not if the certbot tool is used.

1 Like

@tpnsolutions yep, it’s our node-based backend which provides an api-endpoint

@Jamie in my case, both didn’t work as expected. That’s why I was searching for the issue and an solution for this problem.
I’ve added the proxy_pass straight in the config-file… might this be the issue, that vm doesn’t recognize it in the right way? Might I need to create this proxy_pass via vm-gui only?

Yes, I would recommend creating the proxy_pass using Virtualmin, so that it gets added using the directives Virtualmin expects.

I have a similar setup but with Apache. When setting the proxy via ‘Edit Proxy Website’ I still have to manually add the following to allow Let’s Encrpt to work:

ProxyPass /.well-known/acme-challenge/ !
ProxyPassReverse /.well-known/acme-challenge/ !

If this could be done automatically that would be helpful.

Or perhaps it’s because I’m setting the proxy website setting before enabling Let’s Encrypt?

This won’t work, if you still need proxy_pass to redirect to another url.
I try’d it, and it’s not possible to have more then one proxy_pass directive.

		proxy_set_header	Host $host;
		proxy_set_header	X-Real-IP $remote_addr;
		proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header	X-Forwarded-Proto $scheme;
		proxy_pass /.well-known/acme-challenge/ !
		proxy_passReverse /.well-known/acme-challenge/ !
		proxy_pass http://localhost:1234/;
		
	}	

Throwed error:

Failed to save configuration file : Configuration is invalid : nginx: [emerg] invalid number of arguments in “proxy_pass” directive in /etc/nginx/sites-enabled/test.domain.conf:34 nginx: configuration file /etc/nginx/nginx.conf test failed

BTW: You mean proxy_pass and not ProxyPass, right… or did you mean this at apache-config setting? (My request was about nginx-config)

Hi Suther,

Yes, my instructions were for Apache - sorry to hi-jack your question.

I thought it might be useful to post the equivalent Apache configuration and also raise the point that if it was intended for this to be done automatically, it doesn’t appear to be being done for both nginx and Apache.

Can you describe how exactly this would work via Virtualmin? Is it this Proxy-Setting menu?

Unfortunately the “help”-icons are missing here, to see what and how to enter.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.