My server does not renew the Let's Encrypt certificate with a reverse proxy setup. It renews only if I remove the proxy redirect (proxy_pass ...) settings. I would appreciate it if someone can help. My server setup: single server, Nginx, ISPConfig 3.2.5. The Nginx vhost config is as follows:
Code:
    server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl http2;
        ssl_protocols TLSv1.3 TLSv1.2;
        listen [::]:443 ssl http2;
        ssl_certificate /var/www/clients/client2/web6/ssl/my.domain.com-le.crt;
        ssl_certificate_key /var/www/clients/client2/web6/ssl/my.domain.com-le.key;
        server_name my.domain.com ;
        root /var/www/my.domain.com/web/;
        disable_symlinks if_not_owner from=$document_root;
        if ($scheme != "https") {
            rewrite ^(?!/\.well-known/acme-challenge)/ https://$http_host$request_uri? permanent;
        }
        location / {
            proxy_pass http://192.168.0.10:8080/;
        }
    }
Actually, I know why LE fails. It fails because of the reverse proxy config:
Code:
    location / {
        proxy_pass http://192.168.0.10:8080/;
    }
But I need the proxy redirect. I just can't figure out how to make it work.
What is on port 8080, a standard ISPConfig install? If so, that should use https, not http. Even if you proxy a request for acme-challenge to the ISPConfig vhost, it maps to the same directory and I would expect it to work, if it's the same host. If it's not, you'll have to exclude the acme-challenge requests from your proxy (I don't use nginx, so I can't say how, but search the forums here; there's likely info on it).
You can also run the ISPConfig panel from your domain, secured on port 443 instead of 8080, if that is why you need such a proxy. I imagine using sub.domain.tld:443 should work on install or upgrade, though I haven't tested that myself, but you can still do it manually via conf-custom if that is not possible.
Thank you, pals. 192.168.0.10 is the Windows/IIS server; the application is running on port 8080. I need the Nginx reverse proxy to protect my IIS/application server. Everything works except that LE fails to renew the certificate. As Jesse said, I need to exclude the acme-challenge requests from the proxy. I followed many examples from Google, but nothing works.
I never did a proxy, but I think you may need more than this one line, like other params?
Code:
    location ^~ /.well-known/acme-challenge/ {
        access_log off;
        log_not_found off;
        auth_basic off;
        root /usr/local/ispconfig/interface/acme/;
        autoindex off;
        index index.html;
        try_files $uri $uri/ =404;
    }
My ISPConfig nginx webserver uses the acme challenge default (the above), but I read elsewhere that maybe you'll need to put such code above any redirect. Above this?
Code:
    if ($scheme != "https") {
        rewrite ^(?!/\.well-known/acme-challenge)/ https://$http_host$request_uri? permanent;
    }
The article says:
Thank you so much. You're right, there must be an acme challenge block before the proxy redirect. But ISPConfig does not do it by default, and there is not even an option to put it in manually. I can manually add it directly to the vhost file and LE really works! But the problem is that all manual edits get removed if I make any changes from ISPConfig. I suppose I need to request that the acme challenge block (for the proxy redirect) be added to ISPConfig.
If that ISPConfig server is mainly meant to act as a proxy server, you can customize your ISPConfig nginx master vhost by copying it from the conf folder into the conf-custom folder before customizing it. It should then be update-proof thereafter.
Yes, this would be worth an enhancement request in GitLab. I don't know if there are use cases both for forwarding acme-challenge requests and for not forwarding them, or if they should simply be handled locally (not forwarded) all the time, but that does seem like something ISPConfig should configure along with the proxy destination.
Thanks ahrasis and Jesse for your help. I copied the nginx master vhost file to conf-custom and added the acme challenge block. Finally, my LE renewal problem has been resolved. I am sharing the mod here so that someone may find it useful. Original use_proxy block (line # 71) in the nginx_vhost.conf.master template:
Code:
    <tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) $
            <tmpl_loop name="proxy_directives">
                <tmpl_var name='proxy_directive'>
            </tmpl_loop>
        }
    </tmpl_if>
use_proxy block after the mod:
Code:
    <tmpl_if name='use_proxy'>
        <tmpl_if name='ssl_enabled'>
        ## no redirect for acme
        location ^~ /.well-known/acme-challenge/ {
            access_log off;
            log_not_found off;
            root /usr/local/ispconfig/interface/acme/;
            autoindex off;
            index index.html;
            try_files $uri $uri/ =404;
        }
        </tmpl_if>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) $
            <tmpl_loop name="proxy_directives">
                <tmpl_var name='proxy_directive'>
            </tmpl_loop>
        }
    </tmpl_if>
So my vhost file now looks like this:
Code:
    server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl http2;
        ssl_protocols TLSv1.3 TLSv1.2;
        listen [::]:443 ssl http2;
        ssl_certificate /var/www/clients/client2/web6/ssl/my.domain.com-le.crt;
        ssl_certificate_key /var/www/clients/client2/web6/ssl/my.domain.com-le.key;
        server_name my.domain.com ;
        root /var/www/my.domain.com/web/;
        disable_symlinks if_not_owner from=$document_root;
        if ($scheme != "https") {
            rewrite ^(?!/\.well-known/acme-challenge)/ https://$http_host$request_uri? permanent;
        }
        location ^~ /.well-known/acme-challenge/ {
            access_log off;
            log_not_found off;
            root /usr/local/ispconfig/interface/acme/;
            autoindex off;
            index index.html;
            try_files $uri $uri/ =404;
        }
        location / {
            proxy_pass http://192.168.0.10:8080/;
        }
    }
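As an added check (my own script, not ISPConfig's code and not the poster's), here is a small Python audit that parses an nginx vhost and reports, for every server block that uses proxy_pass, whether the HTTP-01 challenge path is still served from a local root rather than forwarded to the backend. The two sample vhosts are constructed inline from the configs posted in this thread; the challenge root /usr/local/ispconfig/interface/acme/ is the one ISPConfig uses above. One caveat the thread does not spell out: nginx picks the longest matching prefix location, and the ^~ modifier stops regex locations (such as the PHP handler) from overriding it, so what fixes renewal is that the ^~ block exists in the server block at all; its position relative to the if/rewrite or to location / is not what nginx keys on.

```python
"""Audit nginx vhosts that reverse-proxy a site: the HTTP-01 challenge path must be
served locally, or `location / { proxy_pass ...; }` forwards it to the backend.
Added example, not ISPConfig code; the challenge root and vhost layout are taken
from the thread, the checker logic is my own."""
import re
import sys

ACME_PREFIX = "/.well-known/acme-challenge/"


def tokenize(text):
    """Split nginx config into '{', '}', ';' and (quoted) words; '#' comments dropped."""
    text = re.sub(r"#[^\n]*", "", text)  # simplistic: a '#' inside a quoted value is cut too
    return re.findall(r"\{|\}|;|\"[^\"]*\"|'[^']*'|[^\s{};]+", text)


def parse(tokens, i=0):
    """Tree of (name, args, children); children is None for a plain directive."""
    body, cur = [], []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == ";":
            if cur:
                body.append((cur[0], cur[1:], None))
            cur = []
        elif tok == "{":
            children, i = parse(tokens, i)
            body.append((cur[0], cur[1:], children))
            cur = []
        elif tok == "}":
            return body, i
        else:
            cur.append(tok)
    return body, i


def servers(nodes):
    for name, _args, children in nodes:
        if name == "server":
            yield children
        elif children is not None:  # descend through an enclosing http { } block
            yield from servers(children)


def contains(nodes, directive):
    return any(n == directive or (c is not None and contains(c, directive)) for n, _a, c in nodes)


def acme_location(server):
    """Prefix location covering the challenge path, or None. Regex locations (~, ~*)
    are ignored on purpose: the stable fix is a prefix match, not a regex."""
    for name, args, children in server:
        if name == "location" and children is not None and args and args[0] not in ("~", "~*"):
            if args[-1].startswith("/.well-known/acme-challenge"):
                return args, children
    return None


def audit(config_text):
    """Map server_name -> list of problems; an empty list means challenges stay local.
    nginx selects the longest matching prefix location and ^~ keeps regex locations
    from overriding it, so the block's position inside the server block is irrelevant."""
    tree, _ = parse(tokenize(config_text))
    report = {}
    for server in servers(tree):
        names = next((a for n, a, _c in server if n == "server_name"), ["(no server_name)"])
        problems = []
        if contains(server, "proxy_pass"):
            loc = acme_location(server)
            if loc is None:
                problems.append("proxy_pass but no local location for %s: HTTP-01 requests "
                                "are forwarded to the backend" % ACME_PREFIX)
            else:
                args, children = loc
                if "^~" not in args:
                    problems.append("acme-challenge location lacks ^~: a regex location "
                                    "(e.g. the PHP handler) could still capture it")
                if not any(n in ("root", "alias") for n, _a, _c in children):
                    problems.append("acme-challenge location sets no root/alias")
                if contains(children, "proxy_pass"):
                    problems.append("acme-challenge location proxies as well")
        report[" ".join(names)] = problems
    return report


# Constructed from the vhost posted in this thread (trimmed; no live server involved).
BROKEN_VHOST = r"""
server {
    listen *:80;
    listen *:443 ssl http2;
    server_name my.domain.com ;
    root /var/www/my.domain.com/web/;
    if ($scheme != "https") {
        rewrite ^(?!/\.well-known/acme-challenge)/ https://$http_host$request_uri? permanent;
    }
    location / { proxy_pass http://192.168.0.10:8080/; }
}
"""

# Same vhost with the ^~ challenge block from the thread's fix inserted.
FIXED_VHOST = BROKEN_VHOST.replace("location / {", """location ^~ /.well-known/acme-challenge/ {
        access_log off;
        log_not_found off;
        root /usr/local/ispconfig/interface/acme/;
        autoindex off;
        index index.html;
        try_files $uri $uri/ =404;
    }
    location / {""")

if __name__ == "__main__":
    # Usage: python acme_proxy_audit.py /etc/nginx/sites-enabled/*.vhost  (no args: built-in samples)
    sources = {p: open(p).read() for p in sys.argv[1:]} or {"broken": BROKEN_VHOST, "fixed": FIXED_VHOST}
    for label, text in sources.items():
        for host, problems in audit(text).items():
            print("%s [%s]: %s" % (label, host, "; ".join(problems) or "ok"))
```

Run it against the generated vhosts after every ISPConfig change (or from a cron job) to catch the case the thread hit: a template update that silently drops the challenge block again. The parser is deliberately minimal (no include handling, no variable expansion), which is enough for ISPConfig's per-site vhost files but not a general nginx linter.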
This works; just put it before your existing ProxyPass statement: "ProxyPass /.well-known !" It will exclude ACME requests, and there is no need for any fancy configuration.