Hey everyone, I'm hitting a wall with automatic Let's Encrypt requests on my server. My ISPConfig's automated script keeps failing. I create the websites entirely through the ISPConfig interface. The folder structure and the Apache VirtualHost file are generated correctly. However, when I try to enable SSL: I check the "SSL" box and the "Let's Encrypt SSL" box. Click save The job queue is processed the "Let's Encrypt SSL" checkbox and the "SSL" checkbox uncheck themselves and of course, certs are not generated If I try to generate certs manually with acme.sh it fails with a 404 error in the .well-know file fetch process, so I check the generated vhost for the file and I'm afraid there is some sort of misconfiguration there that prevent the procedure to succeed, so I changed the vhost.conf.master inserting a snippet similar to this: Code: Alias /.well-known/acme-challenge/ <tmpl_var name='web_document_root'>/.well-known/acme-challenge/ <Directory <tmpl_var name='web_document_root'>/.well-known/acme-challenge/> Require all granted </Directory> THen my new vhost is generated with the fix and if I run acme.sh manually again it finally works! Anyway, if I try to generated cert using the cehckbox in the ispconfig web interface it doesn't work. My data: OS: Debian 12 (Bookworm) ISPConfig Version: 3.3.0p3 Web Server: Apache2 Anyone can help?
Please see: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ The snippet you use shall not be in the vhost. ISPConfig uses a global acme validation directory. Please remove the snippet you added and the follow the Let's Encrypt error FAQ to find out why no cert was issued. And, very importantly, do not manually issue any certificates for ISPConfig websites, it will break your config. You will likely have to delete that site and recreate it to get back to a configuration that can be managed by ISPConfig. This can't work anymore after you manually generated the cert and altered the vhost in the way you did. This site is not manageable with ISPConfig anymore. Please undo it and follow the let's Encrypt FAQ instead to find out why you did not get a cert. E.g. your system might be behind a NAT router and you missed disabling the Let's Encyrpt check.
My apologies to the OP for hijacking the thread with a related question. I am currently not able to update the LE Certificate for one of my vhosts running on ISCP3 as it uses an Apache Options snippet that reverse proxies requests to an internal Mattermost server. I suppose this is why the acme script is not able (by design) to validate the acme-challenge response properly. My workaround at the moment is to remove the reverse proxy snippet and re-apply the LE SSL process from the ISPConfig interface. While that is functional, I presume one could rewrite that challenge URL so the acme script is able to handle it in the background again. The snippet below would obviously not work since that physical location does not exist, what path (As I understood from the previous reply the acme challenge is furnished from a global directory) should I substitute the rewrite rule with to make it look at the proper location? Code: RewriteEngine on RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge/ RewriteRule ^/.well-known/acme-challenge/(.*)$ /var/www/mattermost.mysite.com/.well-known/acme-challenge/$1 [L]
That's not the reason. @Mark P Just add a condition to your proxy rule to not rewrite acme challenge URLs, that's all you must do to get LE working again.
Hi, and thank you very much The problem was that my servers are behind nat, the checkbox about disabling let'sencyprt check made the work. Thank you again and sorry for missed those FAQ .
You have to forgive me, I may come across more technical in the commnents than I in fact am Would this do the trick? Code: ProxyPreserveHost On RewriteEngine On # Skipping .well-known/acme-challenge requests (to facilitate LE SSL verification) RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/ [NC] RewriteRule ^ - [L] RewriteCond %{REQUEST_URI} ^/api/v1/websocket [NC,OR] RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR] RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC] RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L] RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f RewriteRule .* http://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L] RequestHeader set X-Forwarded-Proto "https" <Location /api/v1/websocket> Require all granted ProxyPassReverse ws://127.0.0.1:8065/api/v1/websocket ProxyPassReverseCookieDomain 127.0.0.1 mattermost.mysite.com </Location> <Location /> Require all granted ProxyPassReverse http://127.0.0.1:8065/ ProxyPassReverseCookieDomain 127.0.0.1 mattermost.mysite.com </Location>
It might work, you have to test it. Below is how ISPConfig is doing it for its rewrite and proxy rules: Add a rewrite condition to your proxy rules like: Code: RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/ To avoid sending requests intended for certbot or acme.sh to the proxy target. Alternatively, you can try something like this at the beginning of your rewrite rule block: Code: RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/ RewriteRule ^ - [END]
