
Let's Encrypt create/renew with force-https template

Posted: Wed Feb 22, 2017 4:10 pm
by ThA-LaN-LaW
Hi,

the vesta-cp let's encrypt plugin is great! good job!

if we use let's encrypt with proxy Template: force-https (from here: https://vestacp.com/docs/#how-to-force-https)
let's encrypt could not renew or create the certificate because the .well-known path/directory is not accessible.

my preferred way is to edit or create a new template (proxy or web?) with the .well-known entry.
something like:

    location /.well-known {
        alias %home%/%user%/web/%domain%/.well-known;
    }

or

    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /usr/local/vesta/data/queue/letsencrypt.pipe;
    }
any hints or suggestions?

best regards!

Re: Let's Encrypt create/renew with force-https template

Posted: Thu Feb 23, 2017 8:18 am
by ThA-LaN-LaW
got it: vesta includes the letsencrypt config...

    include /home/user/conf/web/nginx.userdomain.com.conf*;

this one is missing in the force-https templates and causes

    Error: Invalid response from http://..... /.well-known/acme-challenge....../SOMERANDOMKEY

Re: Let's Encrypt create/renew with force-https template

Posted: Wed Mar 29, 2017 9:11 am
by skurudo
Do you mean the nginx.domain.com.conf_letsencrypt file needs to be included too?

Re: Let's Encrypt create/renew with force-https template

Posted: Tue Apr 11, 2017 4:52 am
by locus
Is it OK to include both so the LE .conf gets included?

    include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
    include %home%/%user%/conf/web/%proxy_system%.%domain%.conf*;

Re: Let's Encrypt create/renew with force-https template

Posted: Tue Apr 11, 2017 6:31 am
by locus
That change seemed to work for me - certs renewed.

Re: Let's Encrypt create/renew with force-https template

Posted: Thu Apr 13, 2017 4:47 pm
by Trentor
ThA-LaN-LaW wrote: if we use let's encrypt with proxy Template: force-https let's encrypt could not renew or create the certificate because the .well-known path/directory is not accessible.
Hi,

Is this a confirmed bug?

I use the https template and I had problems in the past renewing the Let's Encrypt certificates. My server is again configured the same way and I wouldn't like to have the same problem one more time.

Thanks.

Re: Let's Encrypt create/renew with force-https template

Posted: Mon Apr 24, 2017 5:41 pm
by skurudo
Fix for force-https templates:

/usr/local/vesta/data/templates/web/nginx/force-https.tpl

    server {
        listen      %ip%:%proxy_port%;
        server_name %domain_idn% %alias_idn%;
        location / {
            rewrite ^(.*) https://%domain_idn%$1 permanent;
        }
        include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
    }

/usr/local/vesta/data/templates/web/nginx/force-https.stpl

    server {
        listen      %ip%:%proxy_ssl_port% ssl;
        server_name %domain_idn% %alias_idn%;
        ssl         on;
        ssl_certificate      %ssl_pem%;
        ssl_certificate_key  %ssl_key%;
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        error_log  /var/log/%web_system%/domains/%domain%.error.log error;

        location / {
            proxy_pass      https://%ip%:%web_ssl_port%;
            location ~* ^.+\.(%proxy_extentions%)$ {
                root           %sdocroot%;
                access_log     /var/log/%web_system%/domains/%domain%.log combined;
                access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
                expires        max;
                try_files      $uri @fallback;
            }
        }

        location /error/ {
            alias   %home%/%user%/web/%domain%/document_errors/;
        }

        location @fallback {
            proxy_pass      https://%ip%:%web_ssl_port%;
        }

        location ~ /\.ht    {return 404;}
        location ~ /\.svn/  {return 404;}
        location ~ /\.git/  {return 404;}
        location ~ /\.hg/   {return 404;}
        location ~ /\.bzr/  {return 404;}

        include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;

        include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
    }

Re: Let's Encrypt create/renew with force-https template

Posted: Tue Apr 25, 2017 8:32 am
by skurudo
force-https template updated

Re: Let's Encrypt create/renew with force-https template

Posted: Tue Apr 25, 2017 9:33 am
by Trentor
skurudo wrote: force-https template updated
I downloaded the templates from "Documentation" and they are still the old ones.

Re: Let's Encrypt create/renew with force-https template

Posted: Tue Apr 25, 2017 1:16 pm
by skurudo
Trentor wrote: I downloaded the templates from "Documentation" and they are still the old ones.
From here? https://vestacp.com/docs/#how-to-force-https
Nope, I disagree

There is now one more include for Let's encrypt:

    include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
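
A way to audit custom templates for the problem discussed in this thread, as an added example that is not part of any post or of VestaCP itself: it flags a template that redirects HTTP to HTTPS while none of its `include` globs can match the per-domain `conf_letsencrypt` file, which covers both include variants posted above. The function names, the sample user and domain, and the file name `nginx.<domain>.conf_letsencrypt` (taken from the include lines in the thread) are assumptions.

```shell
#!/bin/sh
# Added example (not VestaCP code): flag nginx templates that redirect HTTP to
# HTTPS but include nothing able to match the per-domain *.conf_letsencrypt file.

# Constructed sample values used to expand the template placeholders.
S_HOME=/home; S_USER=admin; S_DOMAIN=example.com; S_PROXY=nginx

render() {  # expand the placeholders that appear in the thread's include lines
    sed -e "s|%home%|$S_HOME|g" -e "s|%user%|$S_USER|g" \
        -e "s|%domain_idn%|$S_DOMAIN|g" -e "s|%domain%|$S_DOMAIN|g" \
        -e "s|%proxy_system%|$S_PROXY|g"
}

# audit_template FILE: prints ok | no-redirect | acme-blocked (status 1 if blocked)
audit_template() {
    # Assumed name of the challenge snippet, following the thread's include lines.
    target="$S_HOME/$S_USER/conf/web/$S_PROXY.$S_DOMAIN.conf_letsencrypt"
    if ! grep -Eq '(rewrite|return)[^;]*https://' "$1"; then
        echo no-redirect; return 0
    fi
    includes=$(render < "$1" | sed -nE 's/^[[:space:]]*include[[:space:]]+([^;]+);.*/\1/p')
    while read -r pattern; do
        # Unquoted on purpose: the include path is matched as a glob, like nginx does.
        case $target in $pattern) echo ok; return 0 ;; esac
    done <<EOF
$includes
EOF
    echo acme-blocked; return 1
}

# Constructed sample templates: the pre-fix redirect and the fixed one from the thread.
make_samples() {
    cat > "$1/old.tpl" <<'EOF'
server {
    listen      %ip%:%proxy_port%;
    location / { rewrite ^(.*) https://%domain_idn%$1 permanent; }
}
EOF
    { sed '$d' "$1/old.tpl"
      echo '    include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;'
      echo '}'; } > "$1/fixed.tpl"
}

dir=$(mktemp -d); make_samples "$dir"
for t in old fixed; do
    printf '%s.tpl: %s\n' "$t" "$(audit_template "$dir/$t.tpl" || true)"
done
rm -rf "$dir"
```

Run `audit_template` against each file under the templates directory after editing or adding a template; any `acme-blocked` result means HTTP-01 validation will hit the redirect instead of the challenge file.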