LE - SSL - HTTP/HTTPS

Discussion in 'Installation/Configuration' started by jbonlinea, Oct 3, 2018.

  1. jbonlinea

    jbonlinea Member

    Hi there,
    I've been using ISPConfig on a production server for a while now, however I wasn't aware off all it's features , and manually created ssl certificates for my websites.

    If I'm right, in ISPConfog > site > example-website > domain the two checkboxs SSL ans Let's Encrypt SSL provide an UI to create Let's Encrypt SSL certificates for the example-website.
    That's awesome !

    Now that I'm busy setting up a new VPS folowing the debian perfect server, I would like to deal with SSL and HTTP/HTTPS properly.
    I've found this tutorial Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate.
    It seems that my set-up is fine however the creating of the let's encrypt certificates fails
    It may be due to the domain name I use, but I'm not sure.

    My host (OVH) provide me with a dumb domain name vpsXXXXXX.ovh.net
    This domain name will always point toward the IP of my vps, this is beyond my will, but I'm okay with that.
    Actually I tough it might be clever to use this domain for my server name i.e. hostname -f returns vpsXXXXXX.ovh.net

    Before creating websites on this server using other domains, I wanted to go through the tutorial Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate
    Basically I can browse to
    I thus considred my instalation allright and created a website named vpsXXXXXX.ovh.net
    And tried to created Let's Encrypt SSL certificates from here ISPConfog > site > vpsXXXXXX.ovh.net > domain where I checked the two checkboxs SSL ans Let's Encrypt SSL

    ISPConfig process my request (red dot on top right corner), however it seems that it didn't work out ; if I browse to http://vpsXXXXXX.ovh.net I'm still not having a certificate, if I browse to https://vpsXXXXXX.ovh.net:8080 I'm still advised that the certificate is signed by an unthrusted source, and if I check the webtise settings the two checkboxs are un-checked.

    I looked in the /var/log/ispconfig/ispconfig.log but it's empty.

    I would greatly appreciate any guidance to sort this, before trying to create SSL certificates with cerbot directly form the terminal.
    Thank's in advance.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. jbonlinea

    jbonlinea Member

    Hi till,
    Thank's for your reply.
    I'm well aware of the faq and went through yesterday.

    regarding the various point
    • I do belive I do not have let's encrypt installed but cerbot (which is normal)
    • I don't know wether my vps is behind a NAT, I may ask, in the meantime I checked "Skip Letsencrypt check" under System > Server config > web (> SSL settings)
    • I only have one website, vpsXXXXXX.ovh.net and I set auto-subdomain to none ; however I first created the site with the default settings and only after set auto-subdomain to none
    • I'm using Apache/2.4.25 (Debian) (from a fresh install of the perfect server)
    • I'haven't updated ISPConfig to 3.1 as this is a fresh install of 3.1.13

    Not sure if it helps but :
    • I haven't created any client yet, thus I created the website vpsXXXXXX.ovh.net without specifying a client (which is something I've never done before)
    • in ISPConfig > website > vpsXXXXXX.ovh.net, the SSL tab apears, and there is three options for "SSL Domain" : i) vpsXXXXXX.ovh.net ; ii) www.vpsXXXXXX.ovh.net ; and iii) *.vpsXXXXXX.ovh.net ; it might be a relicate of the auto-domain www, and at the moment it is set to its default value, namely the first one.

    /var/log/letsencrypt/letsencrypt.log contains this :

    Code:
    2018-10-03 10:15:12,531:DEBUG:certbot.main:Root logging level set at 20
    2018-10-03 10:15:12,532:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2018-10-03 10:15:12,533:DEBUG:certbot.main:certbot version: 0.10.2
    2018-10-03 10:15:12,533:DEBUG:certbot.main:Arguments: []
    2018-10-03 10:15:12,533:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,$
    2018-10-03 10:15:12,533:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
    2018-10-03 10:15:12,533:DEBUG:certbot.plugins.selection:No candidate plugin
    2018-10-03 10:15:12,534:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
    in debug mode in ISPConfig > monitor > System state (all server) > Show system log > filtered with "enc" returns :
    Code:
    2018-10-03 13:11     vpsXXXXXX.ovh.net     Warning     /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains vpsXXXXXX.ovh.net --webroot-path /usr/local/ispconfig/interface/acme    
    2018-10-03 13:11     vpsXXXXXX.ovh.net     Warning     Let's Encrypt SSL Cert for: vpsXXXXXX.ovh.net could not be issued.    
    2018-10-03 13:11     vpsXXXXXX.ovh.net     Debug     exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains vpsXXXXXX.ovh.net --webroot-path /usr/local/ispconfig/interface/acme    
    2018-10-03 13:11     vpsXXXXXX.ovh.net     Debug     Let's Encrypt SSL Cert domains: --domains vpsXXXXXX.ovh.net    
    2018-10-03 13:11     vpsXXXXXX.ovh.net     Debug     Create Let's Encrypt SSL Cert for: vpsXXXXXX.ovh.net
     
    Last edited: Oct 3, 2018
  4. ahrasis

    ahrasis Well-Known Member

    A quick guess is there already are too much request for subdomains at ovh.net, so better luck in trying with your own domain?
     
  5. jbonlinea

    jbonlinea Member

    Hi
    Thank's for your imput !
    Spot on ! I was expecting ovh.net beeing a source of issue.
    Still I'm a puzzled.

    Sorry this post is a bit long, but I'm getting there, each time a new step of understanding, thank's to you !
    I'll higlight the questions in bold :)
    ___
    First let's play at : if I browse to --> I get
    so the certificate was granted​
    I indeed expect roundcube for the two first however two things puzzle me here :
    • first about webmail
      • my server hostname -f returns vpsXXXXXX.ovh.net, so I kind expected roundcube ; kind of because I know also have a website vpsXXXXXX.ovh.net whose /var/www/vpsXXXXXX/web folder do not contain a folder named roundcube or webmail
      • however I do not expect roundcube in the third case ; obviously vpsXXXXXX.ovh.net whose /var/www/vpsXXXXXX/web folder do not contain a folder named roundcube or webmail
    all this is not that bad if we assume that any url directed to my server and ending with /webmail will be redirected toward /var/lib/roundcube ; it wouldn't expect that but OK​
    • the second thing which is puzzling me is that none of the above three URLs redirect automatically (forcefuly) towards HTTPS. of course if i replace HTTP by HTTPS, both three URLs will use the certificate. But what's the point of having a certificate if the end client is not redirected toward HTTPS when needed.
    I may well use ISPConfig > sites > vpsXXXXXX.mydomain.fr (my-website-name) > Redirect (tab) > Rewrite HTTP to HTTPS checkbox ; but it'll redirect every singly request in https, while not every content of vpsXXXXXX.mydomain.fr requires HTTPS, plus I wonder if, it's a good practice to force https for every single request ?
    I may also define some apaches directives in ISPConfig > sites > vpsXXXXXX.mydomain.fr (my-website-name) > Option (tab)
    to force redirect like in the FAQ here, and maybe specifiy the folder.s it applies to
    Finally, I may add an .httaccess file at the root of the roundcube folder to redirect HTTP connexion to HTTPS in this specific folder.
    All togather I'm still surprised that roundcube do not handle this redirection by himslef. I'm not that experienced in this HTTP/HTTPS domain, but I understood that CMS, and web apps more broadly, usually switch on their own, according to their needs.​

    Any touhght would be greatly appreciated
    ___
    then back to the tutorial Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate

    I went through the process and now can browse to https://vpsXXXXXX.mydomain.fr:8080 using my certificate from Let's encrypt !
    yhaii
    However I'm still not automatically redirected form http://vpsXXXXXX.mydomain.fr to https://vpsXXXXXX.mydomain.fr
    I understand that if I redirect vpsXXXXXX.mydomain.fr from ISPConfig > sites > vpsXXXXXX.mydomain.fr > Redirect (tab) > redirect HTTP to HTTPS checkbox, it won't apply to any url with :8080 as this is a diferent vhost based on port and not domain name ?!
    So as above how should I deal with HTTP to HTTPS redirection ?
    ___
    Finally, the tutorial sugget an alternative method named LE4ISPC
    I folowed the how to but replace $(hostname -f) with vpsXXXXXX.mydomain.fr
    The script went thrue
    However it seems it do not include the auto-renewal ? right ?
    Is there any way to set the auto renewal with this scritp ?


    Thank's
     
    Last edited: Oct 3, 2018
  6. ahrasis

    ahrasis Well-Known Member

    LE4ISPC does cover auto renewal using incron. Do report of any failure at its thread.

    I am not sure why your https is not working though.
     
  7. jbonlinea

    jbonlinea Member

    Ok
    great to know that lE4ISPC take care of the renweal !
    will it also renew all the certificates I create for others websites out of the box, or do I have to re-run the script, or do it only renew the certificate for the domain of the domain name specified in the script ?


    Also, regarding roundcube, HTTP should be redirected to HTTPS automatically in the end ? yes or no.

    Thank's
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Roundcube is an apache alias. An alias is basically a virtual 'folder' which means that /webmail/ is redirected to the roundcube folder from any vhost. If this vhost is SSL or not or redirects to SSL or not is basically handled by the website / vhost. Roundcube itself does not do such a redirect.
     
  9. jbonlinea

    jbonlinea Member

    Hi !
    Excellent, thank's
    This was clear

    That I wasn't sure

    Ok so four case possible if my vhost
    • vhost not ssl + no redirection --> http "basic"
    • vhost not ssl + redirection --> https but certificates signed by un-thrusted source
    • vost ssl + no redirection --> http "basic"
    • vhost ssl + redirection --> https with proper certificate
    Now one pending question I asked above.
    I wonder if, is it a good practice to force https for every single request ?
    meaning to ask my vhost to redirect to https (for instance from ISPConfig > site > vpsXXXXXX.mydomain.fr > Redirect (tab) > redirect checkbox)
    Is yes, then it's sorted.
    If no, I should redirect for specific folder/pages ; for instance roundcube.
    In this case I can redirect the folder with an .httaccess file ; ok
    but can I redirect a specific folder (url) with apache directive from ISPConfig > site > vpsXXXXXX.mydomain.fr > Option (tab) > apache

    ?

    Thank's again
     

Share This Page