Letsencrypt + Aliasdomain Error (NGINX)

Discussion in 'ISPConfig 3 Priority Support' started by arraken, Mar 7, 2017.

  1. arraken

    arraken Member

    I just upgraded to the latest ISPConfig version and tried the new Letsencrypt feature. It works great with websites, but I get an error when I have a website with an aliasdomain. I think I found a fix for the problem, but I don't know if the fix is really needed, or if I missed something.
    The Aliasdomain simply redirects to "https://www.main-domain.tld". It also has a Seo-Redirect from domain -> www.domain.tld enabled.
    When I enable the LetsEncrypt SSL checkbox in the interface, I get the following error in the log:

    07.03.2017-15:50 - WARNING - nginx did not restart after the configuration change for website main-domain.tld. Reverting the configuration. Saved non-working config as /etc/nginx/sites-available/main-domain.tld.vhost.err
    07.03.2017-15:50 - WARNING - Reason for nginx restart failure: nginx: [emerg] BIO_new_file("/var/www/clients/client6/web6/ssl/main-domain.tld.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/www/clients/client6/web6/ssl/main-domain.tld.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
    nginx: configuration file /etc/nginx/nginx.conf test failed​

    So the vHost has an entry which links to an SSL-Cert which doesn't exist.
    In the vHost file, I have the following block: at the end (for the alias domain):

    server {
    listen *:80;
    listen *:443 ssl;
    ssl_certificate /var/www/clients/client6/web6/ssl/main-domain.tld.crt;
    ssl_certificate_key /var/www/clients/client6/web6/ssl/main-domain.tld.key;
    server_name www.aliasdomain.tld;

    location ~ /\.well-known/acme-challenge/ {
    root /usr/local/ispconfig/interface/acme/;
    index index.html index.htm;
    try_files $uri =404;
    rewrite ^ https://www.main-domain.tld$request_uri? redirect;
    So there we see the entry to the invalid SSL File. The correct SSL-File is named: main-domain-le.tld.crt

    When I edit the /usr/local/ispconfig/server/conf/nginx_vhost.conf.master file and add the "le" to the relevant block, the generation of the LetsEncrypt SSL-Cert works as expected:

    ssl_certificate <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>-le.crt;
    ssl_certificate_key <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>-le.key;

    So my question is: Is this a bug in ISPConfig, and the template needs to be corrected, or did I miss something here?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you use a custom nginx vhost template which you did not adjust to the new version yet. Neither the document_root nor the ssl_domain variable is used anymore in the ssl path anymore. The template that ships with ispconfig has these ssl lines:

    ssl_certificate <tmpl_var name='ssl_crt_file'>;
    ssl_certificate_key <tmpl_var name='ssl_key_file'>;

    whic point to the correct cert path automatically.
  3. arraken

    arraken Member

    Hmm - that's weird. I don't use a custom template, and I updated multiple servers which all have the same (apparently wrong) vhost file. What would be the best way to verify if other files have been kept back? Or how can I even tell ISPConfig too keep a custom file, instead of installing the new one?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The ispconfig updater overwrites all files, except of files that shall be preserved by using the conf-custom folder.

    Take a look at /usr/local/ispconfig/server/conf-custom/, this folder is there to keep custom versions of config file templates.

    You can find the current nginx vhost conf template here: https://git.ispconfig.org/ispconfig/ispconfig3/blob/stable-3.1/server/conf/nginx_vhost.conf.master
  5. arraken

    arraken Member

    Hi Till!
    I just checked, and I actually already used the correct version of the nginx_vhost.conf.master. But please take a look at lines 300 - 303 - this are the lines that I had to change for the alias domain + redirect + letsencrypt-ssl to work.

Share This Page