ISPConfig 3.1 and Letsencrypt and SSL Directory/Files

Discussion in 'General' started by DBaeza, Oct 5, 2016.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    And letsencrypt and certbot are installed as well? In this case it must work.

    Check that the file:

    /etc/apache2/sites-available/ispconfig.conf

    contains this:

    Code:
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
        Require all granted
    </Directory>
    It gets added during reconfigure of the services at update time. This is the global alias to redirect the letsencrypt requests to the correct folder.
     
  2. nokia80

    nokia80 Member

    I see now that when I enable SSL and letsencrypt and I go to https://xxx.xx it redirects to another website on that server. I use the IP for all websites on that server.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    That's ok and expected as you don't have SSL on that site yet.
     
  4. nokia80

    nokia80 Member

    yes it works thanks till
     
  5. nokia80

    nokia80 Member

    When you have xxx.xx as domain and subdomain sub.xxx.xx with vhost, does this work with letsencrypt?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, all domains, alias domains and subdomains of a website get added to the ssl certificate of that website. But ensure that really all of them are connected and reachable, if one of them does not exist in dns, then the ssl cert creation will fail.
     
  7. DBaeza

    DBaeza New Member

    [email protected]:/etc/apache2/sites-available# cat isp1.tvt-datos.es.vhost
    <Directory /var/www/isp1.tvt-datos.es>
    AllowOverride None
    Order Deny,Allow
    Deny from all
    </Directory>

    <VirtualHost 185.29.68.61:80>

    DocumentRoot /var/www/isp1.tvt-datos.es/web

    ServerName isp1.tvt-datos.es
    ServerAdmin [email protected]-datos.es

    ErrorLog /var/log/ispconfig/httpd/isp1.tvt-datos.es/error.log


    <IfModule mod_ssl.c>
    </IfModule>

    <Directory /var/www/isp1.tvt-datos.es/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    <Files ~ '.php[s3-6]{0,1}$'>
    Order allow,deny
    Deny from all
    Allow from none
    </Files>
    </Directory>
    <Directory /var/www/clients/client2/web28/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    <Files ~ '.php[s3-6]{0,1}$'>
    Order allow,deny
    Deny from all
    Allow from none
    </Files>
    </Directory>
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web28 client2
    </IfModule>

    <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client2/web28/webdav>
    <ifModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client2/web28/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>
    </VirtualHost>


    <VirtualHost [2a04:41c0:0:1::61]:80>

    DocumentRoot /var/www/isp1.tvt-datos.es/web

    ServerName isp1.tvt-datos.es
    ServerAdmin [email protected]-datos.es

    ErrorLog /var/log/ispconfig/httpd/isp1.tvt-datos.es/error.log


    <IfModule mod_ssl.c>
    </IfModule>

    <Directory /var/www/isp1.tvt-datos.es/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    <Files ~ '.php[s3-6]{0,1}$'>
    Order allow,deny
    Deny from all
    Allow from none
    </Files>
    </Directory>
    <Directory /var/www/clients/client2/web28/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    <Files ~ '.php[s3-6]{0,1}$'>
    Order allow,deny
    Deny from all
    Allow from none
    </Files>
    </Directory>
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web28 client2
    </IfModule>

    <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client2/web28/webdav>
    <ifModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client2/web28/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>
    </VirtualHost>

    Please correct me if I'm wrong, but this is the correct file generated by ispconfig. I did not manually create it!
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The file is correct, but it's probably from ispconfig 3.0.5 and not 3.1, or you use a custom template, as the letsencrypt code is missing. Please see the letsencrypt FAQ that is linked in this post; it describes the steps that you have to do on an apache 2.2 server.
     
  9. DBaeza

    DBaeza New Member

    I don't have that. LOL.
    How can this be?
     
  10. DBaeza

    DBaeza New Member

    Nooo, I did update. I did USE Letsencrypt with that installation and it worked the first times, and from one site to another it stopped working!
    Edit: I reconfigured services during update!
    Edit2: I have this
    Code:
    <IfModule mod_headers.c>
            <LocationMatch "/.well-known/acme-challenge/*">
                    Header set Content-Type "text/plain"
            </LocationMatch>
    </IfModule>
    
    but not this:
    Code:
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
        Require all granted
    </Directory>
    EDIT: I've added the second code and now letsencrypt is saying forbidden. Should it be in any place in particular?
     
    Last edited: Oct 6, 2016
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Your server uses apache 2.2, so this:

    <IfModule mod_headers.c>
    <LocationMatch "/.well-known/acme-challenge/*">
    Header set Content-Type "text/plain"
    </LocationMatch>
    </IfModule>

    has to be there; the other code is for apache 2.4 only and may not be added on an apache 2.2 server. What gets added on system reconfigure during update into the ispconfig.conf on apache 2.2 is this:

    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Order allow,deny
    Allow from all
    </Directory>

    If that is missing on your server, add that.
     
    Last edited: Oct 6, 2016
    madmucho likes this.
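A quick way to audit the point till makes above (the Alias block must be present, and its access rule must match the Apache generation: Order/Allow on 2.2, Require all granted on 2.4). This is an added example written for this thread, not ISPConfig's own code; the sample config files it checks are constructed inline, and the file names and exit codes are the example's own conventions.

```shell
# Added example, not ISPConfig code: check that an ISPConfig apache config has the
# global ACME-challenge Alias and an access rule that fits Apache 2.2 or 2.4.
ACME_DIR=/usr/local/ispconfig/interface/acme/.well-known/acme-challenge

# check_acme_alias <conf> <2.2|2.4>: 0 = ok, 1 = alias/block missing, 2 = wrong or no access rule
check_acme_alias() {
    conf=$1; ver=$2
    grep -Eiq "^[[:space:]]*Alias[[:space:]]+/\.well-known/acme-challenge[[:space:]]+$ACME_DIR" "$conf" \
        || { echo "MISSING: Alias line in $conf"; return 1; }
    # Keep only the <Directory .../acme-challenge> ... </Directory> block.
    block=$(awk -v d="$ACME_DIR" '$0 ~ "<Directory[ \t]+" d ">" {on=1} on {print} on && /<\/Directory>/ {exit}' "$conf")
    [ -n "$block" ] || { echo "MISSING: <Directory $ACME_DIR> block in $conf"; return 1; }
    has() { printf '%s\n' "$block" | grep -Eiq "$1"; }
    old=0; new=0
    has '^[[:space:]]*Order[[:space:]]+allow,deny' && has '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+all' && old=1
    has '^[[:space:]]*Require[[:space:]]+all[[:space:]]+granted' && new=1
    case "$ver" in
        2.2) [ $old = 1 ] && { echo "OK: apache 2.2 Order/Allow rules present"; return 0; }
             [ $new = 1 ] && { echo "WRONG: 'Require all granted' is 2.4 syntax; 2.2 needs Order allow,deny + Allow from all"; return 2; } ;;
        2.4) [ $new = 1 ] && { echo "OK: apache 2.4 'Require all granted' present"; return 0; }
             [ $old = 1 ] && { echo "MISMATCH: expected 'Require all granted' on 2.4, found only 2.2-style Order/Allow"; return 2; } ;;
        *)   echo "unsupported apache version: $ver"; return 3 ;;
    esac
    echo "INCOMPLETE: no access directive in the <Directory> block"; return 2
}

# Constructed samples (not the thread's real files): the 2.2 block till quotes,
# the 2.4-only block DBaeza pasted onto a 2.2 server, and a file with the alias missing.
SAMPLE_DIR=$(mktemp -d)
printf 'Alias /.well-known/acme-challenge %s\n<Directory %s>\n    Order allow,deny\n    Allow from all\n</Directory>\n' \
    "$ACME_DIR" "$ACME_DIR" >"$SAMPLE_DIR/apache22.conf"
printf 'Alias /.well-known/acme-challenge %s\n<Directory %s>\n    Require all granted\n</Directory>\n' \
    "$ACME_DIR" "$ACME_DIR" >"$SAMPLE_DIR/apache24.conf"
printf '<IfModule mod_headers.c>\n</IfModule>\n' >"$SAMPLE_DIR/headers-only.conf"

check_acme_alias "$SAMPLE_DIR/apache22.conf" 2.2      # OK
check_acme_alias "$SAMPLE_DIR/apache24.conf" 2.2      # WRONG: 2.4 syntax on a 2.2 server
check_acme_alias "$SAMPLE_DIR/apache24.conf" 2.4      # OK
check_acme_alias "$SAMPLE_DIR/headers-only.conf" 2.4  # MISSING: only the LocationMatch header block exists
```

Run it against the real file with `check_acme_alias /etc/apache2/sites-available/ispconfig.conf 2.2` (or 2.4) after sourcing the script; the version comes from `apache2 -v` on your server.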
  12. DBaeza

    DBaeza New Member

    Aaaaaand that fixed it!
    How can it be possible that part of the code disappeared? I did nothing between adding one alias domain and another, and it was at that point that it broke.
     
  13. madmucho

    madmucho ISPConfig Developer ISPConfig Developer

    Thanks all for the information on this thread, I have similar behavior but on apache 2.4.
    000-ispconfig.conf config missing part
    Code:
    </Directory>
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
        Require all granted
    </Directory>
    I added it manually, restarted apache, tried to download the default file using
    http://xxx.y/.well-known/acme-challenge/empty.dir
    which works ok, and then my certificate request using the interface also works ok.
    So I reconfigure services every time while updating the version.

    Server version: Apache/2.4.10 (Debian)
    Debian GNU/Linux 8 (jessie)
     
    Last edited: Oct 20, 2016
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    @madmucho, that should get added during the "reconfigure services" stage; if you are running that, maybe you have a conf-custom template that's being applied to create 000-ispconfig.conf rather than the new one from upstream code?
     
  15. madmucho

    madmucho ISPConfig Developer ISPConfig Developer

    Understood, maybe that is the reason; I have some SSL cipher modifications in the vhost template file because of security. I will move them out before the upgrade and compare the diff afterwards in future updates.
     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If your cipher changes are appropriate for all sites, just do a merge request with those instead, and you'll be back to the stock template :)
     