Apache and Nginx on same server - Letsencrypt issue

Discussion in 'Installation/Configuration' started by francoisPE, Apr 24, 2022.

  1. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,

    I have an ispconfig 3.2.8p1 server.
    I install a configuration with apache2.
    In parallel, I install Zulip chat on that same server.
    Zulip install script installed nginx. I changed nginx default port going to 5080.
    I create a website in ispconfig and proxypass zulip. It works.

    Where I face a difficulty is for LE certificate.
    In server/lib/classes/letsencrypt.inc.php, I cross that line ;-)
    Code:
    $app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN);
    Investigating, I discover that when doing
    curl http://mydomain.tld/.well-known/acme-challenge/le-562876136.8638743.txt
It is NGINX which is answering, not APACHE2.
I check the ISPConfig server setting: Webserver is apache.

    netstat -tunelp | grep 80
    says
    Code:
    tcp        0      0 0.0.0.0:5080            0.0.0.0:*               LISTEN      0          705965     388525/nginx: maste
    tcp6       0      0 :::5080                 :::*                    LISTEN      0          705966     388525/nginx: maste               
    tcp6       0      0 :::8080                 :::*                    LISTEN      0          2113531    689757/apache2
    tcp6       0      0 :::80                   :::*                    LISTEN      0          2113515    689757/apache2
    tcp6       0      0 :::8081                 :::*                    LISTEN      0          2148465    689757/apache2
    
I check /etc/apache2/ports.conf; there is Listen 80 in it.
Apache seems not to listen on tcp... only on tcp6?
What should I do, without impacting the ispconfig configuration, to turn back to apache when going to alias /.well-known/acme-challenge/?
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Set apache conf to listen to both ipv4 and ipv6 instead of just ipv6. Don't forget to restart it afterward.
     
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That is listening on all interfaces, both ipv4 and ipv6.
    This is normally done via:
    Code:
    # cat /etc/apache2/conf-enabled/999-acme.conf
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
        Require all granted
        <IfModule mpm_itk_module>
            AssignUserId ispconfig ispconfig
        </IfModule>
    </Directory>
    
     
  4. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello, thanks for your help!
    I decide to switch to docker for Zulip as it is incompatible with ispconfig...
     
  5. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I face again an issue on a server having only apache2!
    Config is in /etc/apache2/sites-enabled/999-acme.conf and not /etc/apache2/conf-enabled/999-acme.conf
    I think it changes nothing because working server is with /etc/apache2/sites-enabled/999-acme.conf
     
  6. francoisPE

    francoisPE Active Member HowtoForge Supporter

    So my issue is:
    - I have ispconfig multiple servers running.
    - I am on webserver with apache2
    - I have a docker container with nginx inside binding port 5080
    Code:
    netstat -tunelp | grep 80
    tcp        0      0 0.0.0.0:5080            0.0.0.0:*               LISTEN      0          426957769  951790/docker-proxy
    tcp6       0      0 :::80                   :::*                    LISTEN      0          427036056  964707/apache2
    tcp6       0      0 :::8081                 :::*                    LISTEN      0          427036064  964707/apache2
    tcp6       0      0 :::5080                 :::*                    LISTEN      0          426960348  951817/docker-proxy
    I did
    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge1.txt
    and
    curl http://mydom.tld/.well-known/acme-challenge/1.txt
    it says
    Code:
    <html>
    <head><title>404 Not Found</title></head>
    <body>
    <center><h1>404 Not Found</h1></center>
    <hr><center>nginx/1.18.0 (Ubuntu)</center>
    </body>
    </html>
    
    Nginx is not set up on the server itself, only inside docker
    Code:
    docker ps
    CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS          PORTS                                                            NAMES
    4bfxxxx3fb84   redis:alpine                "docker-entrypoint.s…"   43 minutes ago   Up 43 minutes   6379/tcp                                                         docker-zulip_redis_1
    c15xxxx4a5a5   zulip/docker-zulip:5.1-0    "/sbin/entrypoint.sh…"   43 minutes ago   Up 43 minutes   443/tcp, 0.0.0.0:5080->80/tcp, :::5080->80/tcp   docker-zulip_zulip_1
    986xxxxxc237   rabbitmq:3.7.7              "docker-entrypoint.s…"   43 minutes ago   Up 43 minutes   4369/tcp, 5671-5672/tcp, 25672/tcp                               docker-zulip_rabbitmq_1
    78bfxxxxx178   memcached:alpine            "docker-entrypoint.s…"   43 minutes ago   Up 43 minutes   11211/tcp                                                        docker-zulip_memcached_1
    9eba2ca76b54   zulip/zulip-postgresql:10   "docker-entrypoint.s…"   43 minutes ago   Up 43 minutes   5432/tcp                                                         docker-zulip_database_1
    
    I check
    Code:
    cat /etc/apache2/sites-enabled/999-acme.conf
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
        Require all granted
        <IfModule mpm_itk_module>
            AssignUserId ispconfig ispconfig
        </IfModule>
    </Directory>
    
    I set up that same conf on a testing server without any issue!
    What do you think?
     
  7. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I found it: there is a rewrite rule that is driving directly into my docker container!
    I need to set a condition to avoid rewriting .well-known ...
    Code:
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
    RewriteEngine On
    RewriteRule /(.*)           http://localhost:5080/$1 [P,L]
    <Location />
        Require all granted
        ProxyPass  http://localhost:5080/  timeout=300
        ProxyPassReverse  http://localhost:5080/
        ProxyPassReverseCookieDomain  127.0.0.1  mydom.com
    </Location>
    
    I try that but with no success
    Code:
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME}  !/.well-known/acme-challenge
    RewriteRule /(.*)           http://localhost:5080/$1 [P,L]
     
  8. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Finally, I'll do:
    Code:
    <LocationMatch '.well-known'>
        RewriteEngine off
    </LocationMatch>
     
    ahrasis likes this.
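The last two posts arrive at the same requirement: everything goes to the container except the ACME HTTP-01 challenge path, which Apache must keep serving locally so certificate issuance and renewal do not break. The vhost below is an added example, not configuration from the thread or from ISPConfig; the hostname mydom.tld, the container port 5080 and the ISPConfig acme directory are assumptions taken from the thread's setup. It excludes the challenge path from both mod_rewrite (matching on REQUEST_URI) and mod_proxy, because a ProxyPass inside <Location /> matches the challenge path too, so skipping the RewriteRule alone is not enough to keep the request local.

```apache
# Added example (not from the thread): reverse proxy for a container on
# localhost:5080 that keeps /.well-known/acme-challenge/ served by Apache.
# ServerName, port and paths are assumptions matching the thread.
<VirtualHost *:80>
    ServerName mydom.tld

    # Challenge files live in the ISPConfig acme directory (same Alias as
    # the thread's 999-acme.conf, so this block may already be present).
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
        Require all granted
    </Directory>

    # 1. mod_proxy: the "!" exclusion must precede the catch-all ProxyPass,
    #    because ProxyPass rules are checked in configuration order and the
    #    first match wins.
    ProxyPass /.well-known/acme-challenge !

    # 2. mod_rewrite: do not proxy-rewrite the challenge path either. Match
    #    on REQUEST_URI, which is the request path in vhost context.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^/(.*)$ http://localhost:5080/$1 [P,L]

    # Forward scheme information so the application behind the proxy can
    # tell HTTP from HTTPS requests.
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

    # Everything else goes to the container; ProxyPassReverse rewrites
    # Location headers and the cookie domain back to the public name.
    ProxyPass        /  http://localhost:5080/ timeout=300
    ProxyPassReverse /  http://localhost:5080/
    ProxyPassReverseCookieDomain 127.0.0.1 mydom.tld
</VirtualHost>
```

After reloading Apache, a quick check is to place a test file in the acme directory and request it over plain HTTP from outside: the response should come from Apache (the Server header should not name nginx, and the body should be the file contents rather than a 404). If the 404 page still carries the nginx signature, the request is still being forwarded and the exclusion is not in effect for that vhost.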
