acme.vhost

Discussion in 'Installation/Configuration' started by remkoh, Sep 28, 2024.

  1. remkoh

    remkoh Active Member

    I did a new Nginx webserver installation within a multiserver environment.
    Trying to get a 100% score on internet.nl for my default website I had a hell of a job accomplishing that.
    Turned out file acme.vhost was the cruel pit that resulted in "HTTPS redirect" and "IPv4 and IPv6 equal websites" errors as HTTP kept returning 403.
    Because acme.vhost was handling the servername on port 80 and disabling any root access (to not the default root folder).

    What is the use of this file??
    Besides enabling authentication for acme.sh using the webserver when requesting a certificate for the servername I can't think of any other use.
    In an Apache installation file acme.conf supplies an alias only for all websites.
    And all created websites in a Nginx installation get an acme-challenge location.

    I now disabled file acme.vhost as I use DNS authentication for the servername certificate and let file default handle the servername on port 80 and 443.
    That way internet.nl is fully satisfied (after adding some extra config in default).
    Or will this in any way bite me somehow?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The acme.vhost file is used to authenticate LE certs. If I remember correctly, it was used for the hostname. If you use DNS auth for the system hostname, then disabling it should be fine.
     
    remkoh and ahrasis like this.
  3. remkoh

    remkoh Active Member

    So my conclusion of what it's function is was correct.

    Then why not add the acme-challenge location as a snippet in Nginx and get rid of acme.vhost?
    Add the snippet in default. That way it won't bite the servername on port 80.
    And it can also be added in /usr/local/ispconfig/server/conf/nginx_vhost.conf.master instead of the acme-challenge location it now has.
    That way it's somewhat like the alias under Apache.

    I do the same with my security.txt script for server-wide deployment.
     
    Last edited: Sep 28, 2024
  4. remkoh

    remkoh Active Member

    I've added this in newly created file /etc/nginx/snippets/acme-challenge.conf
    Code:
    location ^~ /.well-known/acme-challenge/ {
            access_log off;
            log_not_found off;
            auth_basic off;
            root /usr/local/ispconfig/interface/acme/;
            autoindex off;
            index index.html;
            try_files $uri $uri/ =404;
    }
    
    and replaced it everywhere in /usr/local/ispconfig/server/conf/nginx_vhost.conf.master by
    Code:
    include /etc/nginx/snippets/acme-challenge.conf;
    
    Also added that line in /etc/nginx/sites-available/default

    After disabling acme.vhost all still seems to be working fine when requesting LE certificates.
    Including the servername, which now gets handled by the default website.
     
    ahrasis likes this.
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i like this method over the current acme.vhost.. at least on nginx..
    allows me to enable a vhost that will allow the servername on 443.
    like @remkoh, it had me scratching my head for a while trying to working out what was blocking me from viewing anything using https when trying to get the default vhost working with ssl.
    don't know if i'll ever actually use a vhost with the servername other than for the ispconfig gui, but it does mean that any attempt to access 443 using the servername will at least display whatever is set for the default vhost.. not just a 403 forbidden.
     
    ahrasis likes this.
  6. remkoh

    remkoh Active Member

    Created an issue on GitLab https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6772
     
    ahrasis and till like this.
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That is basically similar to what I am doing all this while, and as I said on the other recent thread, so I do agree with that.
     
    remkoh likes this.

Share This Page