Let's Encrypt create/renew with force-https template
Hi,
the vesta-cp let's encrypt plugin is great! good job!
if we use let's encrypt with proxy Template: force-https (from here: https://vestacp.com/docs/#how-to-force-https)
let's encrypt could not renew or create the certificate because the .well-known path/directory is not accessible.
my preferred way is to edit or create a new template (proxy or web?) with the .well-known entry.
something like:
Code:
    location /.well-known {
        alias %home%/%user%/web/%domain%/.well-known;
    }
or
Code:
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /usr/local/vesta/data/queue/letsencrypt.pipe;
    }
any hints or suggestions?
best regards!
Re: Let's Encrypt create/renew with force-https template
got it: vesta includes the letsencrypt config...
Code:
    include /home/user/conf/web/nginx.userdomain.com.conf*;
this one is missing in the force-https templates and causes
Code:
    Error: Invalid response from http://..... /.well-known/acme-challenge....../SOMERANDOMKEY
Re: Let's Encrypt create/renew with force-https template
Do you mean need to include nginx.domain.com.conf_letsencrypt file too?
Re: Let's Encrypt create/renew with force-https template
Is it OK to include both so the LE .conf gets included?
Code:
    include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
    include %home%/%user%/conf/web/%proxy_system%.%domain%.conf*;
Re: Let's Encrypt create/renew with force-https template
That change seemed to work for me - certs renewed.
Re: Let's Encrypt create/renew with force-https template
Hi, if we use let's encrypt with proxy Template: force-https let's encrypt could not renew or create the certificate because the .well-known path/directory is not accessible.
Is this a confirmed bug?
I use the https template and I had problems in the past renewing the Let's Encrypt certificates. My server is again configured the same way and I wouldn't like to have the same problem one more time.
Thanks.
Re: Let's Encrypt create/renew with force-https template
Fix for force-https templates:
/usr/local/vesta/data/templates/web/nginx/force-https.tpl
/usr/local/vesta/data/templates/web/nginx/force-https.stpl
/usr/local/vesta/data/templates/web/nginx/force-https.tpl
Code:
    server {
        listen      %ip%:%proxy_port%;
        server_name %domain_idn% %alias_idn%;

        # Redirect every plain-HTTP request to HTTPS
        location / {
            rewrite ^(.*) https://%domain_idn%$1 permanent;
        }

        # Per-domain Let's Encrypt include that the force-https template was missing
        include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
    }
Code:
    server {
        listen      %ip%:%proxy_ssl_port% ssl;
        server_name %domain_idn% %alias_idn%;
        ssl         on;  # deprecated since nginx 1.15.0 in favor of the ssl parameter of listen
        ssl_certificate     %ssl_pem%;
        ssl_certificate_key %ssl_key%;

        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;

        error_log /var/log/%web_system%/domains/%domain%.error.log error;

        location / {
            proxy_pass https://%ip%:%web_ssl_port%;

            # Static files are served by nginx directly, with a fallback to the backend
            location ~* ^.+\.(%proxy_extentions%)$ {
                root       %sdocroot%;
                access_log /var/log/%web_system%/domains/%domain%.log combined;
                access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
                expires    max;
                try_files  $uri @fallback;
            }
        }

        location /error/ {
            alias %home%/%user%/web/%domain%/document_errors/;
        }

        location @fallback {
            proxy_pass https://%ip%:%web_ssl_port%;
        }

        # Hide .htaccess-style files and version-control metadata
        location ~ /\.ht   {return 404;}
        location ~ /\.svn/ {return 404;}
        location ~ /\.git/ {return 404;}
        location ~ /\.hg/  {return 404;}
        location ~ /\.bzr/ {return 404;}

        # Per-domain Let's Encrypt include, followed by the existing custom SSL includes
        include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
        include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
    }
Re: Let's Encrypt create/renew with force-https template
force-https template updated
Re: Let's Encrypt create/renew with force-https template
skurudo wrote: force-https template updated
I downloaded the templates from "Documentation" and they are still the old ones.
Re: Let's Encrypt create/renew with force-https template
Trentor wrote: I downloaded the templates from "Documentation" and they are still the old ones.
From here? https://vestacp.com/docs/#how-to-force-https
Nope, I disagree
There is now one more include for Let's encrypt:
Code:
    include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
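Added example, not part of the thread and not Vesta's own code: a Python check for the failure discussed above. It scans rendered nginx config for plain-HTTP server blocks that redirect to HTTPS and reports whether each one still exposes the ACME challenge path, either through a .well-known location or through an include whose glob matches nginx.<domain>.conf_letsencrypt. The sample config, domains and paths are constructed, and the brace matching assumes no braces inside quoted strings.

```python
import re
from fnmatch import fnmatchcase
from posixpath import basename

# Constructed sample of rendered proxy config; domains and paths are hypothetical.
SAMPLE = r"""
server {
    listen 192.0.2.10:80;
    server_name old.example.com www.old.example.com;
    location / { rewrite ^(.*) https://old.example.com$1 permanent; }
}
server {
    listen 192.0.2.10:80;
    server_name fixed.example.com;
    location / { rewrite ^(.*) https://fixed.example.com$1 permanent; }
    include /home/user/conf/web/*nginx.fixed.example.com.conf_letsencrypt;
}
server { listen 192.0.2.10:443 ssl; server_name fixed.example.com; }
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def covers_acme(body, domain):
    """True if a .well-known location or a matching Let's Encrypt include is present."""
    if re.search(r"location[^{;]*well-known", body):
        return True
    target = f"nginx.{domain}.conf_letsencrypt"  # file name as quoted in the thread
    includes = re.findall(r"\binclude\s+([^;\s]+)\s*;", body)
    return any(fnmatchcase(target, basename(p)) for p in includes)

def audit(conf):
    """Return (server_name, acme_reachable) per plain-HTTP block that redirects to HTTPS."""
    results = []
    for body in server_blocks(re.sub(r"#.*", "", conf)):
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        redirects = re.search(r"\b(rewrite|return)\b[^;]*https://", body)
        name = re.search(r"\bserver_name\s+([^;\s]+)", body)
        if not name or not redirects or any("ssl" in l.split() for l in listens):
            continue
        results.append((name.group(1), covers_acme(body, name.group(1))))
    return results

print(audit(SAMPLE))
```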