Open kintaro1981 opened 8 years ago
The Let's Encrypt Webmin module is supported by the Webmin developers; if you have issues with getting certificates then you'd better contact 'em. Anyway, do not forget to describe your error messages in detail.
Error during verify: ValueError: Wrote file to /path/YYYYYYYYYYYY, but couldn't download http://XXXXXXX/.well-known/acme-challenge/YYYYYYYYYYYY
nginx needs the location block to allow the verification.
I think that the standard nginx module supports it (never tried), virtualmin-nginx-fpm does not.
Once I manually added the block (linked page) it worked.
Oh! I can see that inside "Configurable options for Nginx PHP-FPM website" there is available: "Additional Nginx directives for new virtual hosts".
Could adding the location block that supports the verification there be a solution?
Oh well, I think I forgot to use the extra_dirs config option anywhere in the code :D
Anyway, I do not understand what you were doing and how.
Every new virtual domain created by Virtualmin has its own settings for the SSL cert and key, which are used by this module. It does not manipulate 'em in any manner, it only uses 'em while creating the Nginx config.
Read more here.
So the paths to the cert and key are stored on a per-domain basis in Virtualmin, not in the PHP-FPM config.
The problem is during the letsencrypt verification.
http://XXXXXXX/.well-known/acme-challenge/YYYYYYYYYYYY is not reachable without the specified location block, and adding it manually is needed.
I would like to find a way to have a location block auto-configured so .well-known/acme-challenge will be reachable in every new virtual server created.
I did not try the Let's Encrypt Webmin module, as all my domains have valid certs obtained from another source. But here I see the problem of Let's Encrypt. When you create a new domain in Virtualmin it automatically generates a self-signed cert put into /home/$domain_owner:
This module uses this cert and key for HTTPS; if the cert is not validated like it has to be or not put into the right direction, then you'd better contact the Virtualmin developers.
I think I'm not able to explain well 😢
There's no problem with the self-signed cert, because when letsencrypt's is verified it overwrites the self-signed one.
The problem is in the nginx configuration created by your module. To add support for letsencrypt, the module has to add the location block I linked, to permit access to the directory where letsencrypt loads the verification file, or it will fail the verification.
OK, now I understand the problem. I'll add support of the extra_dirs option in module code shortly.
Thank you!
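This is how I handled this issue:

```nginx
server {
    server_name com.xyz;
    listen 443 ssl;

    # Serve ACME challenge files from a fixed webroot; ^~ keeps regex locations from taking over
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
        autoindex off;
        index index.html;
    }

    # Do not answer requests for the bare challenge directory
    location = /.well-known/acme-challenge/ {
        return 404;
    }
}
```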
I tried to get a Let's Encrypt certificate but failed the verification.
How about adding a location to every virtual host (optional) supporting the ACME challenge?
Take a look here: https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622
Regards
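
An added example (not code from this thread or from the virtualmin-nginx-fpm module): a Python check that walks an nginx configuration and reports, per server block, whether an explicit prefix location for /.well-known/acme-challenge/ exists and whether a regex location could override it because the `^~` modifier is missing. Function names, hostnames and the sample configuration are constructed; the parser assumes no braces inside quoted strings or regex patterns, and Python's `re` only approximates nginx's PCRE matching.

```python
import re
ACME_URI = "/.well-known/acme-challenge/sample-token"  # constructed token name

def blocks(text, keyword):
    """Yield (args, body) for each brace-matched `keyword args { body }` block."""
    head = re.compile(r"(?:^|(?<=[;{}\s]))" + keyword + r"\b([^{;]*)\{")
    pos = 0
    while (m := head.search(text, pos)):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError(f"unclosed '{keyword}' block")
        yield m.group(1).split(), text[m.end():i - 1]
        pos = i

def acme_status(server_body):
    """Classify one server block as 'ok', 'shadowed' or 'missing'."""
    prefixes, regex_hit = [], False
    for args, _ in blocks(server_body, "location"):
        mod, path = (["", ""] + args)[-2:]
        if mod in ("~", "~*"):  # regex location: does it catch the challenge URI?
            regex_hit |= bool(re.search(path, ACME_URI, re.I if mod == "~*" else 0))
        elif mod in ("", "^~") and path.startswith("/.well-known") and ACME_URI.startswith(path):
            prefixes.append((len(path), mod))
    if not prefixes:
        return "missing"
    # nginx picks the longest prefix; only ^~ stops a regex location overriding it
    return "ok" if max(prefixes)[1] == "^~" or not regex_hit else "shadowed"

def audit(conf):
    """Map each server block's first server_name to its challenge status."""
    report = {}
    for _, body in blocks(re.sub(r"#[^\n]*", "", conf), "server"):
        name = re.search(r"\bserver_name\s+([^;\s]+)", body)
        report[name.group(1) if name else "(unnamed)"] = acme_status(body)
    return report

SAMPLE = r"""# constructed sample, not a configuration from the thread
server { server_name plain.example; location / { try_files $uri /index.php; } }
server { server_name dotdeny.example; location ~ /\. { deny all; }
    location /.well-known/acme-challenge/ { root /var/www/html; } }
server { server_name fixed.example; location ~ /\. { deny all; }
    location ^~ /.well-known/acme-challenge/ { root /var/www/html; } }
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "shadowed" result means the challenge location exists but a regex location, such as a dotfile deny rule, would be chosen instead because the prefix location lacks `^~`.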