Roundcube directive for accessing over a webmail. subdomain with LE

Discussion in 'Installation/Configuration' started by thed0g, Jan 23, 2020.

  1. thed0g

    thed0g New Member

    Hello,

    I've got a situation where I don't get the subdomain LE cert next to the domain one and I assume it's because of the webserver directive to redirect to /roundcube.

    System is Ubuntu 18.04 LTS, nginx. Website configuration for domain.com is as follows:

    Domain tab
    Auto-Subdomain: www.
    SSL: check
    LE SSL: checked
    Active: checked

    Redirect tab
    Redirect Type: No redirect
    SEO Redirect: domain.tld => www.domain.tld
    Rewrite HTTP to HTTPS: checked

    Options tab
    Nginx directives:
    Code:
    location /roundcube {
                   root /usr/share/;
                   index index.php index.html index.htm;
                   location ~ ^/roundcube/(.+\.php)$ {
                           try_files $uri =404;
                           root /usr/share/;
                           fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
                           fastcgi_param HTTPS on;
                           fastcgi_index index.php;
                           fastcgi_param SCRIPT_FILENAME $request_filename;
                           include /etc/nginx/fastcgi_params;
                           fastcgi_param PATH_INFO $fastcgi_script_name;
                           fastcgi_buffer_size 128k;
                           fastcgi_buffers 256 4k;
                           fastcgi_busy_buffers_size 256k;
                           fastcgi_temp_file_write_size 256k;
                           fastcgi_intercept_errors on;
                   }
                   location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                           root /usr/share/;
                   }
            }
            location /webmail {
                   rewrite ^/* /roundcube last;
            }
    Subdomain for website:

    webmail.domain.com
    Host: webmail
    Redirect Type: last
    Redirect Path: /roundcube/
    Don't add to LE cert: unchecked
    Active: checked

    Now the main website gets the LE cert and is accessible under www.domain.com with the redirect as it should. I can access webmail.domain.com and get redirected to https://webmail.domain.com/roundcube fine, but the webmail.domain.com isn't being added to the LE cert. I assume that my nginx directives might has something to do with it, since the code for the subdomain gets added fine by the GUI changes above and it includes an exception for .well-known (at least it seems so?).

    The vhost autoconfiguration is :
    Code:
    *snip*
    
    server_name domain.com www.domain.com webmail.domain.com;
    
            root   /var/www/domain.com/web/;
    
            if ($http_host = "webmail.domain.com") {
                rewrite ^(?!/(roundcube|stats|error|\.well-known/acme-challenge))/(.*)$ /roundcube/$2 last;
            }
            if ($scheme != "https") {
                rewrite ^ https://$http_host$request_uri? permanent;
            }
    
    *snip*
    Any insights how to get the webmail.domain.com cert with the roundcube redirect?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I believe that is because of this:
    Read it completely, including the comments.
     
  3. thed0g

    thed0g New Member

    Eh? It says "Don't add", which means if it would be checked it wouldn't add the subdomain to the given LE cert, which is the opposite of my desired end result.

    I've also tested that if that's checked, the webmail.domain.com isn't added to the LE cert. If I uncheck it, the webmail.domain.com isn't added to the LE cert + the "LE SSL: checked" under the Domain tab gets unchecked which means that something is wrong with assigning the LE cert.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. thed0g

    thed0g New Member

    Yeah, I know that the LE is failing because the .well-known folder is not reachable. My question is how the nginx directive for accessing /roundcube should look like instead. The directive above is in all the ISPconfig installation tutorials, so maybe an updated one wouldn't be that unhelpful.

    If I actually knew regex, I wouldn't be asking this question.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The directive that is part of the tutorials is not redirecting to a webmail subdomain, it is meant to be added into a normal website. The directive is basically an alias for /roundcube of the website to /usr/share/roundcube directory plus a redirect from /webmail to /roundcube. Let's encrypt is neither using /roundcube nor /webmail path to authenticate the cert, so the nginx directives are fine as they are.

    Try to disable the redirect that you configured for the webmail subdomain, then disable LE in the website, click save, and then enable LE in the website again to see if the cert can be created then.
     
  7. thed0g

    thed0g New Member

    Problem is that the LE certificates aren't recreated with that simple change, if I do what you said I get:
    Code:
    2020-02-12 10:03:04,246:INFO:certbot.renewal:Cert not yet due for renewal
    2020-02-12 10:03:04,246:INFO:certbot.main:Keeping the existing certificate
    If I try the configuration above with redirect to /roundcube/, it fails with 404 on a site where the webmail.* isn't included yet and I'm implementing it fresh. Here's from the letsencrypt.log (redacted):
    Code:
    2020-02-12 09:56:12,782:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
    
    Domain: webmail.domain.com
    Type:   unauthorized
    Detail: Invalid response from http://webmail.domain.com/.well-known/acme-challenge/kY6beG4nKGAqxlEp4VR85NX3ihSV8zQFCVNKvmcLP70 [19x.x.x.x]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
    I mean I could probably change the .vhost manually to go over this, but that would break managing the file from the GUI.
     
  8. Th0m

    Th0m Member HowtoForge Supporter

    I'm using Apache, added "webmail.example.com" as website, and as Apache Directive
    Code:
    DocumentRoot "/var/lib/roundcube"
    I think the correct directive for NGINX would be
    Code:
    root /var/lib/roundcube;
     
  9. thed0g

    thed0g New Member

    If you mean like this:
    Code:
    location /roundcube {
                   root /var/lib/roundcube;
                   index index.php index.html index.htm;
                   location ~ ^/roundcube/(.+\.php)$ {
                           try_files $uri =404;
                           root /var/lib/roundcube;
                           fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
                           fastcgi_param HTTPS on;
                           fastcgi_index index.php;
                           fastcgi_param SCRIPT_FILENAME $request_filename;
                           include /etc/nginx/fastcgi_params;
                           fastcgi_param PATH_INFO $fastcgi_script_name;
                           fastcgi_buffer_size 128k;
                           fastcgi_buffers 256 4k;
                           fastcgi_busy_buffers_size 256k;
                           fastcgi_temp_file_write_size 256k;
                           fastcgi_intercept_errors on;
                   }
                   location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                           root /var/lib/roundcube;
                   }
            }
            location /webmail {
                   rewrite ^/* /roundcube last;
            }
    It opens roundcube from www.domain.com/webmail, but not on subdomain webmail.domain.com with redirect "last" to /roundcube (404 error).
     

Share This Page