Location of documentation to add letsencrypt certs to web sites

Discussion in 'ISPConfig 3 Priority Support' started by rob_morin, Oct 19, 2016.

  1. rob_morin

    rob_morin Member HowtoForge Supporter

    Hello, can you please point me to a "how to" to add ssl certs to websites using letsencrypt?

    Thanks..
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is just one checkbox that you have to enable, see chapter 4.6.1.1 after you installed letsencrypt, which is describe din the manual as well.
     
  3. arraken

    arraken Member HowtoForge Supporter

    Hi!
    I tried the let's encrypt function, and it works nicely, but only with an unaltered vhost configuration. When I use a directive snippet (in my case a snippet for drupal) it doesn't work, because the directive which is added by ISPConfig is overridden by the snippet.

    location ~ /\.well-known/acme-challenge/ {
    root /usr/local/ispconfig/interface/acme/;
    index index.html index.htm;
    try_files $uri =404;
    }

    The above snippet is added to the end of the vhost file. Is there a way to add it with higher priority, so the directive snippets don't override it?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ensure that your custom directive snippet does not override the letsencrypt config by adding an exclusion for the path. You can see that in the rewrite rules that ispconfig adds.
     
  5. arraken

    arraken Member HowtoForge Supporter

    Hi!
    I'm using Nginx, so I don't think there's a real exclusion for a path. But theoretically I should be able to just put the .well-known folder to a higher priority. I modified my snippet, but it' still gives me this error:

    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    Failed authorization procedure. domain.tld (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.tld/.well-known/acme-challenge/D7lE6zQfcDTRvsUgZ4WcFZkxXESKDVcLsDLViAwz0tA: "<html>

    Here's my Snippet:

    location / {

    location ^~ \.well-known/acme-challenge/ {
    root /usr/local/ispconfig/interface/acme/;
    index index.html index.htm;
    try_files $uri =404;
    }

    ## Trying to access private files directly returns a 404.
    location ^~ /sites/default/files/private/ {
    internal;
    }

    ## Drupal 7 generated image handling, i.e., imagecache in core. See:
    ## http://drupal.org/node/371374.
    location ~* /files/styles/ {
    ## Image hotlinking protection. If you want hotlinking
    ## protection for your images uncomment the following line.
    #include apps/drupal/hotlinking_protection.conf;

    access_log off;
    expires 30d;
    try_files $uri @rewrite;
    }

    ## All static files will be served directly.
    location ~* ^(?!/system/files).*\.(css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
    access_log off;
    expires 30d;
    ## No need to bleed constant updates. Send the all shebang in one
    ## fell swoop.
    tcp_nodelay off;
    ## Set the OS file cache.
    open_file_cache max=3000 inactive=120s;
    open_file_cache_valid 45s;
    open_file_cache_min_uses 2;
    open_file_cache_errors off;
    }

    location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
    return 404;
    }

    try_files $uri @rewrite;
    }

    location @rewrite {
    access_log off;
    expires 30d;
    rewrite ^ /index.php;
    }

    ## Any other attempt to access PHP files returns a 404.
    location ~* ^.+\.php$ {
    return 404;
    }

    location ~* \.(txt|log)$ {
    allow 192.168.0.0/16;
    deny all;
    }

    location ~ (^|/)\. {
    return 403;
    }

    Any Ideas?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You should check which part of your snippet is catching the request and then adjust the regex part in your snippet to exclude requests to \.well-known/acme-challenge/
     
  7. arraken

    arraken Member HowtoForge Supporter

    Thanks! If anyone is interested: it was the

    location ~ (^|/)\. {
    return 403;
    }

    snippet.
     

Share This Page