When a SSL certificate fails to be generated - add these warnings

[shoulders]

SYSTEM INFORMATION
OS type and version	Ubuntu Linux 22.04.5
Usermin version	2.102
Virtualmin version	7.20.2 Pro
Theme version	21.20.7
Apache version	2.4.52
Package updates	8 package updates are available

background

I imported a website from a cpanel account, though the source could be anywhere or even a fresh website.

the issue

I tried unsuccessfully to get my SSL certificate generated and I could not figure out why.

When I did figure it out it was caused by 2 reasons:

• the DNS change had not propagated completely across the internet
• I had the following code in the .htaccess

  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
  </IfModule>

the DNS propagation issue is obvious and the htaccess code was causing the http requests for the lets encrypt connection to be upgraded to a HTTPS connection however this would not work becasue the cert was self signed and invalid.

proposed solution

• Maybe popup a message outlining these potential issues above is the get cert fails.
• This message might only show if the cert is self signed or the cert currently present is expired.

Manage Web Server --> Setup SSL Certificates --> Let's Encrypt

[iliajie]

Manage Web Server --> Setup SSL Certificates --> Let's Encrypt

Don’t we already display that under the "Setup SSL Certificates —> Let's Encrypt" tab? I distinctly remember fixing it, so the full error message should be shown there already...

[shoulders]

I do get the letsencypt error message but these 2 particular errors that would not get directly flagged up could be the cause of a lot of errors, we'll for noobies and me.

The letsencypt error message, for the error with htaccess, showed my IP and Https and a fail message. I can't remember what it said but I don't remember it saying that the cert was expired and because of that it failed. However I could be wrong.

My feature request was really for a prompt in certain circumstances to educate the user and have them check propagation and the presence of dodgy htaccess rules.

[jcameron]

Having a self-signed cert isn't itself bad, as long as there's no unilateral redirect to HTTPS. When Virtualmin sets up that redirect it excludes Let's Encrypt validation requests for this exact reason .... but we can't do that in all cases, like where there's a migrated or manually created .htaccess file.

[shoulders]

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>

thinking through the issue

• The redirect code above maintains the well-known folder, it is the fact that my htaccess upgraded the connection and the current certificate was self-signed, this is what causes the failure. Letsencrypt does nto like self signed
• https://letsencrypt.org/docs/challenge-types/
  • Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep.
  • It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443.
  • It does not accept redirects to IP addresses.
  • When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

My thoughts

• Lets encrypt allows the HTTP-01 challenge on HTTP or HTTPS and allows upto 10 redirects.
• Lets encrypt does not check SSL validity sol allows responses on HTTPS with an expired or self-signed certificate.
• When there is not a SSL certificate present (self-signed or letsencrypt) on your new website (i.e. just set the virtual server up) and you access the HTTPS version of your website, you will actually see the servers default website, not yours. Is this why the HTTP-01 challenge fails because the file does not exist on the default website.

Bug or Feature request ?

• Is this a bug that the HTTPS domain does not exist until a SSL certificate has been installed?
• Would adding my message about checking for propagation and .htaccess rules help?
• Can you run the test through the users htaccess to see if fail? (this one is a blueskies idea)

[jcameron]

The HTTPS domain is definitely created before the SSL cert is installed, so that shouldn't be the issue.

Actually, what was the full error that you got from Let's Encrypt?

As for .htaccess files, parsing them to detect problem redirects would be near impossible. But maaaybe we could disable them during the cert request process?

[shoulders]

I will see if we have the error.

Disabling the htaccess redirect during an SSL installation is an option but it could adversely affect a very active site so might not be best, I welcome advise though.

[shoulders]

i have the error log for letsencrypt, i just need to find when an entry starts and finished, it is not very clear.

[iliajie]

But maaaybe we could disable them during the cert request process?

I don’t think this is something we should do. There are many situations where disabling .htaccess could cause serious issues with the website’s functionality or even expose private data.