Wrong domain in SSL from Let's Encrypt using ISPConfig3

Discussion in 'General' started by Efraim Alexander, Jun 2, 2019.

  1. Efraim Alexander

    Efraim Alexander New Member

    I have other domains running nicely over https:// (SSL from LE) and renewal is in operation. Two more sites use subdomains and they receive the certificates nicely. But two sites fail to renew their certificates. The new certificates are created with an extra www. added and I can't understand why. These two sites host Atlassian Confluence and Atlassian Jira applications, both running on localhost. But why are the SSL certs created with an extra added www.? What could be causing this?
    Example:
    https://gyro.chemovix.com receives certificate https://www.gyro.chemovix.com which of course is not valid.
    More information:
    Ubuntu Linux 18.04.1 Linux 4.15.0-50-generic on x86_64
    Current ISPConfig3 settings:
    IP-Address: * (on all sites)
    Domain: gyro.chemovix.com
    CGI = Yes
    Auto-Subdomain = None
    SSL = Yes
    Let's Encrypt = Yes but returns unticked
    PHP = CGI
    Re-direct type = L
    SEO Redirect = www.domain.tld => domain.tld
    Rewrite HTTP to https = Yes
    SSL Domain = *.gyro.chemovix.com
    Apache Directives:
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    SSLProxyEngine On
    ProxyRequests On
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    I have no .htaccess for these sites.
    The Server Base URLs are correctly set in Atlassian application. SSL was actually running before renewal failed. I, maybe, desperately changed something but without success. Or other sites were added that reveal the true error that was there from start.
    I do have A record for DNS set as: gyro.chemovix.com. (with trailing dot)
    Any hints and tips are welcomed. Thanks.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Efraim Alexander likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the reason. Wildcard domains are not supported with LE, so when you choose a wildcard subdomain as SSL domain, then this gets converted to www. Choose no wildcard subdomain here.
     
    Efraim Alexander likes this.
  4. Efraim Alexander

    Efraim Alexander New Member

    First I followed Till's advice and removed the wildcard. I was able to obtain self-signed certificates from ISPConfig3 for the correct domains.
    Then I requested certificates from LE through ISPConfig3. But no - both sites are provided with LE certs with a prefix www.

    I cannot use prefixed www. and reach my websites. Thanks for the ideas.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You must have wildcard or subdomain www enabled then either in SSL settings or the website or as an alias or subdomain then. Change/remove that www or wildcard auto subdomain and no www subdomain cert will be requested from LE.
     
  6. Efraim Alexander

    Efraim Alexander New Member

    I found a working solution. I removed the text in the Val section that included the proxy rewrite. Then I generated the ssl key from Let's Encrypt. That went well. And then I pasted the rewrite text back again. I think that should work for 90 days or so :).

    Today I read that the explanation is that Let's Encrypt function in ISPConfig 3 is unable to find the .well-known folder when I have this rewrite running. The suggested solution is to include the ProxyPass /.well-known/ ! line in the rewrite.
    My rewrite section for the apache2 server reads:
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    ProxyPass /.well-known/ !
    SSLProxyEngine On
    ProxyRequests On
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:4321/
    ProxyPassReverse / http://127.0.0.1:4321/

    Does this make sense? Will it work 90 days down the line...?
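
Added example (not code from the thread or from ISPConfig): a small Python model of Apache's documented rule that ProxyPass directives are checked in configuration order and the first match wins, applied to the directive sets from posts 1 and 6 to show where a request for the HTTP-01 challenge path ends up. The function names and the token are made up for illustration and prefix matching is simplified; the check also flags ProxyRequests On, which enables forward proxying that a reverse-proxy setup does not need.

```python
import re

# Constructed inputs: the directive sets quoted in the thread (posts 1 and 6).
BEFORE = """
ProxyRequests On
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
"""
AFTER = """
ProxyPass /.well-known/ !
ProxyRequests On
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:4321/
ProxyPassReverse / http://127.0.0.1:4321/
"""
# Constructed token name; real tokens are random strings chosen by the CA.
CHALLENGE = "/.well-known/acme-challenge/constructed-token"

def proxy_rules(conf):
    """Return (path_prefix, target) for each ProxyPass line, in config order."""
    rules = []
    for line in conf.splitlines():
        # '\s+' after ProxyPass keeps ProxyPassReverse lines out of the list.
        m = re.match(r"\s*ProxyPass\s+(\S+)\s+(\S+)", line, re.I)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules

def route(conf, url_path):
    """First matching prefix wins; a target of '!' means 'do not proxy'."""
    for prefix, target in proxy_rules(conf):
        if url_path.startswith(prefix):
            return "local" if target == "!" else target
    return "local"

def findings(conf):
    """List the problems this sketch knows how to detect."""
    issues = []
    dest = route(conf, CHALLENGE)
    if dest != "local":
        issues.append(f"ACME challenge path is proxied to {dest}")
    if re.search(r"^\s*ProxyRequests\s+On\b", conf, re.I | re.M):
        issues.append("ProxyRequests On enables forward proxying")
    return issues

if __name__ == "__main__":
    for name, conf in (("post 1", BEFORE), ("post 6", AFTER)):
        print(name, "->", route(conf, CHALLENGE), findings(conf))
```

In this model the challenge path stays out of the proxy only while the /.well-known/ exclusion sits ahead of the catch-all ProxyPass / rule; with the two lines swapped the request goes to the backend again.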
     
