bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

[BUG] Certs for non-autoconf sites are not applied #1202

Closed LeVraiRoiDHyrule closed 4 months ago

LeVraiRoiDHyrule commented 5 months ago

What happened?

Hi, since the latest updates, I am having the following problem. I am using autoconf. I have sites set from autoconf and others set from normal configuration on the bw-main container. Certs for autoconf sites work fine. But certs for non-autoconf sites don't. I have the following letsencrypt config:

      # LETSENCRYPT
      - AUTO_LETS_ENCRYPT=yes
      - USE_LETS_ENCRYPT_STAGING=no
      - LETS_ENCRYPT_CLEAR_OLD_CERTS=no

According to the scheduler logs, the certs for the problematic sites are correctly generated (there is no error). The Letsencrypt challenge succeeds. I can find the certs in /bunkerweb/scheduler/cache/letsencrypt/etc/live.

But it is like the certs are not applied to the sites. Browsers see no cert at all. It is not an SSL cache issue, as this happens on all browsers.

I have the following error in my main bw container:

2024/05/22 12:11:07 [warn] 62#62: conflicting server name "openmediavault.REDACTED.com" on [::]:8443, ignored
2024/05/22 12:11:07 [warn] 62#62: conflicting server name "openmediavault.REDACTED.com" on 0.0.0.0:8443, ignored
2024/05/22 12:11:07 [warn] 62#62: conflicting server name "openmediavault.REDACTED.com" on [::]:8080, ignored
2024/05/22 12:11:07 [warn] 98#98: conflicting server name "openmediavault.REDACTED.com" on [::]:8443, ignored
nginx: [warn] conflicting server name "openmediavault.REDACTED.com" on [::]:8443, ignored
nginx: [warn] conflicting server name "openmediavault.REDACTED.com" on 0.0.0.0:8443, ignored
2024/05/22 12:11:07 [warn] 98#98: conflicting server name "openmediavault.REDACTED.com" on 0.0.0.0:8443, ignored
2024/05/22 12:11:07 [warn] 98#98: conflicting server name "openmediavault.REDACTED.com" on [::]:8080, ignored
nginx: [warn] conflicting server name "openmediavault.REDACTED.com" on [::]:8080, ignored

Would you have an idea of what could cause this? Thanks in advance.

How to reproduce?

Configuration file(s) (yaml or .env)

      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}

      # BASE
      - API_WHITELIST_IP=${BUNKERWEB_UNIVERSE_IP}.0/24
      - AUTOCONF_MODE=yes
      - USE_IPV6=yes
      - MULTISITE=yes
      - USE_API=yes
      - USE_REDIS=yes
      - USE_UI=yes
      - REDIS_HOST=bunkerweb-redis
      - UI_HOST=http://bunkerweb-ui:7000

      # LETSENCRYPT
      - AUTO_LETS_ENCRYPT=yes
      - USE_LETS_ENCRYPT_STAGING=no
      - LETS_ENCRYPT_CLEAR_OLD_CERTS=no

      # SECURITY
      - SERVE_FILES=no
      - USE_GZIP=no
      - USE_BROTLI=yes

      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - LISTEN_HTTP=no
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DENY_HTTP_STATUS=444
      - USE_ANTIBOT=turnstile
      - ANTIBOT_TURNSTILE_SITEKEY=${BUNKERWEB_TURNSTILE_SITEKEY}
      - ANTIBOT_TURNSTILE_SECRET=${BUNKERWEB_TURNSTILE_SECRETKEY}
      - USE_REVERSE_SCAN=no
      - WHITELIST_COUNTRY=FR CH
      - MODSECURITY_CRS_VERSION=4

      # PLUGINS
      - EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.5.zip
      - USE_CROWDSEC=yes
      - CROWDSEC_API=http://crowdsec:8080
      - CROWDSEC_API_KEY=${BUNKERWEB_CROWDSEC_KEY}

      - USE_CLAMAV=yes
      - CLAMAV_HOST=clamav

      #- USE_WEBHOOK=yes
      #- WEBHOOK_URL=https://api.example.com/bw
      # To add with apprise

      # SITES
      - SERVER_NAME=openmediavault.${DOMAIN}

      - openmediavault.${DOMAIN}_USE_REVERSE_PROXY=yes
      - openmediavault.${DOMAIN}_REVERSE_PROXY_URL=/
      - openmediavault.${DOMAIN}_REVERSE_PROXY_HOST=http://192.168.1.27:10997
      - openmediavault.${DOMAIN}_LIMIT_REQ_RATE=10r/s
      - |
        openmediavault.${DOMAIN}_CUSTOM_CONF_MODSEC_openmediavault=
        SecRule REQUEST_URI "/rpc.php" "id:1,ctl:ruleRemoveById=920420"
        SecRule REQUEST_URI "/rpc.php" "id:2,ctl:ruleRemoveById=953120"

BunkerWeb version

1.5.7

What integration are you using?

Autoconf

Linux distribution (if applicable)

OpenMediaVault (Debian Bookworm)

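The nginx warnings quoted in the report are the useful signal here: "conflicting server name ... ignored" means nginx dropped a duplicate server block for that name on that listen socket, so whichever block carried the ssl_certificate for the non-autoconf site may simply never be used. The following is an added example (not BunkerWeb's own code) that parses such warnings out of the bw container log, groups them per server name and listen socket, and singles out the TLS sockets where an ignored block explains the "no cert at all" symptom. The sample log is the one quoted in the issue; the TLS port list is an assumption matching this deployment.

```python
import re
from collections import defaultdict

# Matches both the timestamped worker form ("2024/05/22 12:11:07 [warn] 62#62: ...")
# and the bare master form ("nginx: [warn] ...") seen in the bw container log.
CONFLICT_RE = re.compile(
    r'(?:^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} )?'      # optional timestamp
    r'(?:\[warn\] (?:\d+#\d+: )?|nginx: \[warn\] )'     # worker "pid#tid:" or "nginx:" prefix
    r'conflicting server name "(?P<name>[^"]+)" on (?P<socket>\S+), ignored$'
)

# Constructed sample: the warning lines quoted in the issue above.
SAMPLE_LOG = """\
2024/05/22 12:11:07 [warn] 62#62: conflicting server name "openmediavault.REDACTED.com" on [::]:8443, ignored
2024/05/22 12:11:07 [warn] 62#62: conflicting server name "openmediavault.REDACTED.com" on 0.0.0.0:8443, ignored
2024/05/22 12:11:07 [warn] 62#62: conflicting server name "openmediavault.REDACTED.com" on [::]:8080, ignored
2024/05/22 12:11:07 [warn] 98#98: conflicting server name "openmediavault.REDACTED.com" on [::]:8443, ignored
nginx: [warn] conflicting server name "openmediavault.REDACTED.com" on [::]:8443, ignored
nginx: [warn] conflicting server name "openmediavault.REDACTED.com" on 0.0.0.0:8443, ignored
2024/05/22 12:11:07 [warn] 98#98: conflicting server name "openmediavault.REDACTED.com" on 0.0.0.0:8443, ignored
2024/05/22 12:11:07 [warn] 98#98: conflicting server name "openmediavault.REDACTED.com" on [::]:8080, ignored
nginx: [warn] conflicting server name "openmediavault.REDACTED.com" on [::]:8080, ignored
"""


def parse_conflicts(log_text: str) -> dict:
    """Return {server_name: {listen_socket: warning_count}} for every conflict warning."""
    conflicts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = CONFLICT_RE.match(line.strip())
        if m:
            conflicts[m["name"]][m["socket"]] += 1
    return {name: dict(socks) for name, socks in conflicts.items()}


def https_sockets(conflicts: dict, tls_ports=(443, 8443)) -> dict:
    """Keep only TLS listen sockets (assumed ports): a server block ignored there
    never serves its ssl_certificate, which is what 'browsers see no cert' looks like."""
    hits = {}
    for name, socks in conflicts.items():
        tls = sorted(s for s in socks if int(s.rsplit(":", 1)[1]) in tls_ports)
        if tls:
            hits[name] = tls
    return hits


if __name__ == "__main__":
    found = parse_conflicts(SAMPLE_LOG)
    for name, socks in https_sockets(found).items():
        print(f"{name}: duplicate server block ignored on TLS sockets {socks}")
```

Run it against `docker logs <bw-main-container>`; a non-empty result for a site whose cert is missing means the duplicate definition, not certificate issuance, is what to look at first.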

TheophileDiot commented 5 months ago

Hi @LeVraiRoiDHyrule, thank you for opening this issue. I'll have a look into it and let you know.

TheophileDiot commented 5 months ago

@LeVraiRoiDHyrule, update on this. The subdomains' certificates were indeed not updated. I just tested it with the commit that references this issue and it should all be fixed!