Letsencrypt cert renew failed

Discussion in 'General' started by tomal, Jul 21, 2021.

  1. tomal

    tomal New Member

    My server do not renew letsencrypt certificate with reverse proxy setup. It renews only if I remove proxy redirect (proxy_pass ...) settings. Appreciate if someone can help.
    My server setup: Single server, Nginx, ISPConfig 3.2.5
    Nginx vhost config is as follow:
    Code:
    server {
            listen *:80;
            listen [::]:80;
            listen *:443 ssl http2;
    
            ssl_protocols TLSv1.3 TLSv1.2;
            listen [::]:443 ssl http2;
            ssl_certificate /var/www/clients/client2/web6/ssl/my.domain.com-le.crt;
            ssl_certificate_key /var/www/clients/client2/web6/ssl/my.domain.com-le.key;
    
            server_name my.domain.com ;
    
            root   /var/www/my.domain.com/web/;
                    disable_symlinks if_not_owner from=$document_root;
    
            if ($scheme != "https") {
                rewrite ^(?!/\.well-known/acme-challenge)/ https://$http_host$request_uri? per$
            }
    
            location / {
                proxy_pass http://192.168.0.10:8080/;
    
            }
    }
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Did you try the Let's Encrypt FAQ? That might show why renew fails.
     
  3. tomal

    tomal New Member

    Actually I know why LE fails. It fails for reverse proxy config:
    Code:
    location / {
        proxy_pass http://192.168.0.10:8080/;
    }
    But I need proxy redirect. Just can't figure out about how to make it working.
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What is on port 8080, a standard ISPConfig install? If so, that should use https, not http. Even if you proxy a request for acme-challenge to the ISPConfig vhost, it maps to the same directory and I would expect it to work - if it's the same host. If it's not, you'll have to exclude the acme-challenge requests from your proxy (I don't use nginx, so can't say how, but search the forums here, there's likely info on it).
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You can also run ISPConfig panel from your domain secured in port 443 instead of 8080, if that is why you need such proxy.

    I imagine using sub.domain.tld:443 should work on install or upgrade though I haven't tested that myself but you can still do it manually via conf-custom if that is not possible.
     
  6. tomal

    tomal New Member

    Thank you pal's.
    192.168.0.10 is the Windows/IIS server, application is running at port 8080. I need Nginx reverse proxy to protect my IIS/application server. Everything works except the LE fails to renew the certificate. As Jesse said, I need to exclude the acme-challenge requests from the proxy. Followed many examples from the Google but nothing works.
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I never did proxy but I think you may need more than this one line like other params?

    Code:
           location ^~ /.well-known/acme-challenge/ {
               access_log off;
               log_not_found off;
               auth_basic off;
               root /usr/local/ispconfig/interface/acme/;
               autoindex off;
               index index.html;
               try_files $uri $uri/ =404;
            }
    
    My ISPConfig nginx webserver uses acme challenge default (the above) but I read elsewhere that may be you'll need to put such code above any redirect.
    Code:
    Above this?
           if ($scheme != "https") {
               rewrite ^(?!/\.well-known/acme-challenge)/ https://$http_host$request_uri? per$
           }
    
    The article say:
     
    tomal likes this.
  8. tomal

    tomal New Member

    Thank you so much.
    You're right, there must be an acme challenge block before the proxy redirect. But ISPConfig do not do it by default or there is even no option to put it manually. I can manually add it directly to the vhost file and LE really works! But the problem is, all the manual edit gets removed if I do any changes from the ISPConfig. I suppose I need to request to add the acme challenge block (for proxy redirect) in the ISPConfig.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If that ISPConfig server is mainly meant to act as a proxy server, you can customize your ISPConfig nginx master vhost by copying it from conf folder and add them in the conf-custom folder before customizing. It should then be update proof thereafter.
     
    tomal likes this.
  10. tomal

    tomal New Member

    Thank you. I'll try that.
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, this would be worth an enhancement request in gitlab. I don't know if there are use cases for both forwarding acme-challenge requests and for not forwarding them, or if they should simply be handling locally (not forwarded) all the time, but that does seem like something ISPConfig should configure along with the proxy destination.
     
    tomal likes this.
  12. tomal

    tomal New Member

    Thanks ahrasis and Jesse for your help.
    I copied nginx master vhost file to the custom conf and added acme challenge block. Finally my LE renewal problem has been resolved. I shared the mod here so that someone may find it useful.
    Original use_proxy block (line # 71) at nginx_vhost.conf.master template:
    Code:
    <tmpl_if name='use_proxy'>
            location / {
                proxy_pass <tmpl_var name='rewrite_target'>;
                <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) $
    <tmpl_loop name="proxy_directives">
            <tmpl_var name='proxy_directive'>
    </tmpl_loop>
        }
    </tmpl_if>
    use_proxy block after the mod:
    Code:
    <tmpl_if name='use_proxy'>
    <tmpl_if name='ssl_enabled'>
                    ## no redirect for acme
                    location ^~ /.well-known/acme-challenge/ {
                            access_log off;
                            log_not_found off;
                            root /usr/local/ispconfig/interface/acme/;
                            autoindex off;
                            index index.html;
                            try_files $uri $uri/ =404;
            }
    </tmpl_if>
    
            location / {
                proxy_pass <tmpl_var name='rewrite_target'>;
                <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) $
    <tmpl_loop name="proxy_directives">
            <tmpl_var name='proxy_directive'>
    </tmpl_loop>
        }
    </tmpl_if>
    So, my vhost file (look like this):
    Code:
    server {
            listen *:80;
            listen [::]:80;
            listen *:443 ssl http2;
    
            ssl_protocols TLSv1.3 TLSv1.2;
            listen [::]:443 ssl http2;
            ssl_certificate /var/www/clients/client2/web6/ssl/my.domain.com-le.crt;
            ssl_certificate_key /var/www/clients/client2/web6/ssl/my.domain.com-le.key;
    
            server_name my.domain.com ;
    
            root   /var/www/my.domain.com/web/;
                    disable_symlinks if_not_owner from=$document_root;
    
            if ($scheme != "https") {
                rewrite ^(?!/\.well-known/acme-challenge)/ https://$http_host$request_uri? permanent;
    
            }
    
            location ^~ /.well-known/acme-challenge/ {
                            access_log off;
                            log_not_found off;
                            root /usr/local/ispconfig/interface/acme/;
                            autoindex off;
                            index index.html;
                            try_files $uri $uri/ =404;
            }
                   
            location / {
                proxy_pass http://192.168.0.10:8080/;
    
            }
    }
     
    ahrasis and till like this.
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I seldom visit gitlab now, so hopefully somebody can propose that simple add up there.
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

Share This Page