nginx letsencrypt and alias domains ...

Discussion in 'General' started by mopox, Apr 10, 2017.

  1. mopox

    mopox New Member

    Hello community,

    I recently set up a new server. I am using Ubuntu 16.04 LTS, nginx and Let's Encrypt. For convenient administration I am using ISPConfig.

    Now I have run into a special problem that is already reported here:

    www.howtoforge.com/community/threads/letsencrypt-aliasdomain-error-nginx.75787

    The problem is not just that the nginx server directives have the wrong key in the config templates, "server.key" instead of "server-le.key".

    It is also a matter that the alias domain names are not added to the Let's Encrypt SNI cert.

    This problem only occurs when I am using redirection for the alias domain. Without the redirection it is as expected and the names are added to the SNI cert.

    Any ideas whether that is a bug, or do I understand the Let's Encrypt functionality wrong?

    thx
    mopox

    P.S. I could achieve the intended behavior with conditional redirection in the domain's server directives, but I would lose performance with that. (nginx.org/en/docs/http/converting_rewrite_rules.html)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    LE in ISPConfig 3.1.2 is working flawlessly on Nginx servers; I just set up a server with it last week. If it does not work on your server, then you either use no recent ISPConfig version, or you use a custom vhost template that is not compatible with the current ISPConfig releases, or you created an SSL cert manually on the SSL tab instead of using the LE checkbox.

    The thread you referred to above is about a user who used a custom nginx vhost template which he did not adjust to work with the current ISPConfig version after he updated ISPConfig, so it is about a user error and not a problem in ISPConfig.
     
  3. mopox

    mopox New Member

    I used the following HowtoForge instructions to set the server and ISPConfig up:
    howtoforge.com/tutorial/perfect-server-ubuntu-with-nginx-and-ispconfig-3/3/

    I did not change any template so far. So what am I doing wrong?

    If I check the generated certs with "openssl x509 -text -in /etc/letsencrypt/live/my.domain.com/fullchain.pem", then I just see the SNI names for the non-redirected domain names.

    (www2.mydomain.com is missing)

    So is there a flag somewhere that I also have to set in ISPConfig to get the redirected alias domains included in the cert?

    I guess I could set a symlink to the certs from the nginx config or change the templates, but if the domain names are not included in the SNI it doesn't matter!

    Thx and greetings from
    Dresden

    P.S. No, I didn't use the SSL forms under SSL. I just used the SSL and Let's Encrypt checkbox in the main domain settings.
     
    Last edited: Apr 11, 2017
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No, just add the alias domain and ISPConfig will request a new cert with the alias included as a SAN. If that's not happening, check the usual things (ensure dns records exist, and see what letsencrypt log file says is the problem).
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am using alias domains with their own vhost. I haven't faced any problems so far.
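
The manual openssl check from post 3, turned into a repeatable test of whether every alias domain is listed as a SAN in the issued certificate, as post 4 says it should be. This is an added example, not part of the original thread or ISPConfig's own code; the function names and the sample certificate text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Host names below are constructed.

# Print the DNS names in the SAN extension of `openssl x509 -noout -text`
# output read from stdin, one per line, lower-cased.
cert_sans() {
    awk '/X509v3 Subject Alternative Name/ { if ((getline l) > 0) print l }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr 'A-Z' 'a-z'
}

# Print every expected name (arguments) that no SAN entry covers.
# A wildcard entry such as *.example.com covers exactly one extra label.
missing_sans() {
    sans=$(cert_sans)
    for name in "$@"; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        covered=no
        while IFS= read -r san; do
            case "$san" in
                "$name") covered=yes ;;
                \*.*) if [ "${name%%.*}.${san#??}" = "$name" ]; then covered=yes; fi ;;
            esac
        done <<EOF
$sans
EOF
        [ "$covered" = yes ] || printf '%s\n' "$name"
    done
}

# Constructed excerpt of openssl text output for a cert without the alias.
sample_cert_text() {
    cat <<'EOF'
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:my.domain.com, DNS:www.my.domain.com
EOF
}

# Real use: openssl x509 -noout -text -in /etc/letsencrypt/live/my.domain.com/fullchain.pem |
#     missing_sans my.domain.com www2.mydomain.com
sample_cert_text | missing_sans my.domain.com www.my.domain.com www2.mydomain.com
```

Any name it prints will trigger a certificate name mismatch in browsers when served over HTTPS with this certificate, whether or not the vhost only issues a redirect.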
     
