How to run Certbot on both ISPConfig sites and proxied VPS sites?

Discussion in 'Installation/Configuration' started by JettB, Aug 1, 2021.

  1. JettB

    JettB New Member

    Hello, I'm running ISPConfig 3.2.5 on Ubuntu 20.04.2 with NGiNX 1.18.0 as the ISPC web server. What I'm trying to do is host a few sites on the ISPC server itself using the "Sites" tools, while also proxying some of those sites to a VPS also on the network which runs those proxied sites + email and requires its own Certbot SSL certs.

    Let's say ISPC has two sites, site1.com and site2.com.
    site1.com is a site on the ISPC server itself, and site2.com is on the VPS. I'm basically using ISPC as a "router" of sorts.

    In practice this works fine if everything is HTTP, but HTTPS has been tricky. I can turn on SSL/LE in ISPC for site1.com and site2.com, but for site2.com its VPS needs to run its own certificates for its own mail server (and websites). Certbot wasn't working on the VPS because ISPC had a NGiNX directive in the site2.com vhost that directed requests for "^~ /.well-known/acme-challenge/" to the ISPC server instead of the VPS. This of course resulted in a 403 not authorized, since Certbot created the verification file on the VPS and not ISPC.

    I got around this with proxy_pass and proxy_set_header inside the site2.com ISPC "options":
    Code:
    # Hand every ACME HTTP-01 challenge request for this site to the VPS
    location ^~ /.well-known/acme-challenge/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;   # original host header, not the client IP
        proxy_pass http://192.167.77.104; # VPS local IP
    }
    However, when I replaced this directive, ISPC couldn't create a LE cert because it's being proxied to the VPS with my directive. So I removed this proxy directive, and LE SSL worked like it should using the default directive already in the site2.com vhost conf:
    Code:
    location ^~ /.well-known/acme-challenge/ {
        access_log off;
        log_not_found off;
        auth_basic off;
        root /usr/local/ispconfig/interface/acme/;
        autoindex off;
        index index.html;
        try_files $uri $uri/ =404;
    }
    So now I have certificates on the VPS and on ISPConfig for site2.com, but it required manual intervention to work.

    Does ISPConfig provide a way to fix or automate this, for new sites and cert renewal? Is there a way to enable SSL for site2.com in ISPC, while also having certbot function on the site2.com VPS? Or am I doing this all wrong? Haha, I look forward to your advice.

    Code:
    ~$ lsb_release -a
    No LSB modules are available.
    Distributor ID:    Ubuntu
    Description:    Ubuntu 20.04.2 LTS
    Release:    20.04
    Codename:    focal
    
    ~$ php -v
    PHP 7.4.21 (cli) (built: Jul  1 2021 16:09:41) ( NTS )
    Copyright (c) The PHP Group
    Zend Engine v3.4.0, Copyright (c) Zend Technologies
        with Zend OPcache v7.4.21, Copyright (c), by Zend Technologies
    
    ~$ nginx -v
    nginx version: nginx/1.18.0 (Ubuntu)
    

    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Ubuntu 20.04.2 LTS
    
    [INFO] uptime:  23:49:54 up 6 days, 23:00,  1 user,  load average: 0.04, 0.02, 0.00
    
    [INFO] memory:
                  total        used        free      shared  buff/cache   available
    Mem:           30Gi       2.4Gi        22Gi        53Mi       5.7Gi        27Gi
    Swap:         8.0Gi          0B       8.0Gi
    
    [INFO] systemd failed services status:
      UNIT LOAD ACTIVE SUB DESCRIPTION
    0 loaded units listed.
    
    [INFO] ISPConfig is installed.
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.5
    
    ##### VERSION CHECK #####
    [INFO] php (cli) version is 7.4.21
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.21
    
    ##### PORT CHECK #####
    
    ##### MAIL SERVER CHECK #####
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
            Unknown process (nginx:) (PID 1670745)
    [INFO] I found the following mail server(s):
            Postfix (PID 185420)
    [INFO] I found the following pop3 server(s):
            Dovecot (PID 185438)
    [INFO] I found the following imap server(s):
            Dovecot (PID 185438)
    [INFO] I found the following ftp server(s):
            PureFTP (PID 185507)
    
    ##### LISTENING PORTS #####
    (only           ()
    Local           (Address)
    [anywhere]:995          (185438/dovecot)
    [localhost]:11332               (185428/rspamd:)
    [localhost]:11333               (185428/rspamd:)
    [localhost]:11334               (185428/rspamd:)
    [localhost]:10023               (56423/postgrey)
    [anywhere]:587          (185420/master)
    [localhost]:11211               (94830/memcached)
    [localhost]:6379                (56128/redis-server)
    [anywhere]:110          (185438/dovecot)
    [anywhere]:143          (185438/dovecot)
    [anywhere]:80           (1670745/nginx:)
    [anywhere]:8080         (1670745/nginx:)
    [anywhere]:8081         (1670745/nginx:)
    [anywhere]:465          (185420/master)
    ***.***.***.***:53              (186180/named)
    [localhost]:53          (186180/named)
    [anywhere]:21           (185507/pure-ftpd)
    ***.***.***.***:53              (912/systemd-resolve)
    [anywhere]:22           (967/sshd:)
    [localhost]:953         (186180/named)
    [anywhere]:25           (185420/master)
    [anywhere]:443          (1670745/nginx:)
    [anywhere]:4190         (185438/dovecot)
    [anywhere]:993          (185438/dovecot)
    *:*:*:*::*:995          (185438/dovecot)
    *:*:*:*::*:3306         (1186813/mysqld)
    *:*:*:*::*:587          (185420/master)
    *:*:*:*::*:6379         (56128/redis-server)
    [localhost]10           (185438/dovecot)
    [localhost]43           (185438/dovecot)
    *:*:*:*::*:80           (1670745/nginx:)
    *:*:*:*::*:8080         (1670745/nginx:)
    *:*:*:*::*:8081         (1670745/nginx:)
    *:*:*:*::*:465          (185420/master)
    *:*:*:*::*d094:3cff:fee9:53             (186180/named)
    *:*:*:*::*:53           (186180/named)
    *:*:*:*::*:21           (185507/pure-ftpd)
    *:*:*:*::*:22           (967/sshd:)
    *:*:*:*::*:25           (185420/master)
    *:*:*:*::*:953          (186180/named)
    *:*:*:*::*:443          (1670745/nginx:)
    *:*:*:*::*:4190         (185438/dovecot)
    *:*:*:*::*:993          (185438/dovecot)
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    ##### LET'S ENCRYPT #####
    acme.sh is installed in /root/.acme.sh/acme.sh
    
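One way to let both issuers validate through the same vhost, as an added example that is not part of the original post or of ISPConfig's own vhost template: keep ISPConfig's local challenge root and let nginx fall back to the VPS only when the requested token does not exist locally. It assumes the VPS address from the post (192.167.77.104) and that, as the post found, a custom location with the same path in the site's nginx directives takes the place of the template's block.

```nginx
# Added example (not from the original post): serve a challenge token from
# ISPConfig's acme directory when acme.sh created it there; otherwise hand
# the request to the VPS so its certbot can answer for the token it created.
location ^~ /.well-known/acme-challenge/ {
    access_log off;
    log_not_found off;
    auth_basic off;
    root /usr/local/ispconfig/interface/acme/;
    autoindex off;
    # No local file for this token: fall through to the named location
    # instead of returning 404 (tokens are files, so no $uri/ lookup).
    try_files $uri @vps_acme;
}

# Named location: only reached for tokens that are absent on ISPConfig.
location @vps_acme {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_pass http://192.167.77.104;  # VPS local IP from the post
}
```

Because ISPConfig's acme.sh and the VPS's certbot never create the same token, each validation is answered by whichever host wrote the file, so renewals on both sides proceed without editing the vhost again.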
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter