[Solution] Letsencrypt use in "proxy" vhost
I've set up a reverse proxy using ISPConfig 3 and nginx on a CentOS 7 VM. All works perfectly!
A great feature is that ISPConfig can create and take care of Letsencrypt SSL certificates for all of my subdomains. But I ran into the issue that Letsencrypt creation/renewal is not working when the redirection type is set to "proxy", and that's what I'm using.
The issue is that Letsencrypt does not have access to the authentication challenge in proxy mode. I've played around a bit and saw that some nginx directives are missing in the vhost config files. Unfortunately the "directives" field in the "options" tab is completely ignored in proxy mode, so the only way would be to manually edit the respective vhost files in /etc/nginx/sites-available - but they would be overwritten any time you "touch" the website configuration for that (sub)domain.
My solution for this is to edit the template /usr/local/ispconfig/server/conf/nginx_vhost.conf.master.
You need to search for this line:
<tmpl_if name='use_proxy'>
and then add this right after this line:
    ## Disable .htaccess and other hidden files
    location ~ /\.(?!well-known/acme-challenge/) {
        deny all;
        access_log off;
        log_not_found off;
    }
    location ~ /\.well-known/acme-challenge/ {
        root /usr/local/ispconfig/interface/acme/;
        index index.html index.htm;
        try_files $uri =404;
    }
This line occurs twice in the template, so add the block after both occurrences. Recreate the vhost files for the affected domains (just change something in the config in ISPConfig back and forth so that it needs to recreate the vhost file) and Letsencrypt can create and renew the certificates for the (sub)domains.
Maybe that's something which could make its way into ISPConfig by default, so that Letsencrypt also works for domains in reverse proxy mode ;-)
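As an added example (not from the original post), a POSIX sh script that applies the template change described above and checks it: it inserts the two location blocks after every use_proxy marker line, keeps a backup of the template, skips the edit when it has already been applied (useful after an ISPConfig update restores the stock template), and verifies that each marker is directly followed by the block. The template path and the .bak backup name are assumptions.

```shell
#!/bin/sh
# Added example: patch ISPConfig's nginx vhost template so the ACME challenge
# path is served in proxy mode. Usage:
#   patch_proxy_acme /usr/local/ispconfig/server/conf/nginx_vhost.conf.master

# The snippet from the post; a quoted heredoc keeps $uri and \. untouched.
acme_block() {
cat <<'EOF'
    ## Disable .htaccess and other hidden files
    location ~ /\.(?!well-known/acme-challenge/) {
        deny all;
        access_log off;
        log_not_found off;
    }
    location ~ /\.well-known/acme-challenge/ {
        root /usr/local/ispconfig/interface/acme/;
        index index.html index.htm;
        try_files $uri =404;
    }
EOF
}

# Number of proxy branches in the template (each one needs the block).
count_markers() { grep -c "<tmpl_if name='use_proxy'>" "$1"; }

# Number of ACME challenge location blocks already present.
count_acme() { grep -cF 'well-known/acme-challenge/ {' "$1"; }

# Insert the block after every marker line; do nothing if already patched.
patch_proxy_acme() {
    tpl=$1
    if [ "$(count_acme "$tpl")" -ge "$(count_markers "$tpl")" ]; then
        return 0
    fi
    cp "$tpl" "$tpl.bak"                       # backup (assumed naming)
    tmp=$(mktemp)
    acme_block > "$tmp"
    # sed's r command appends the file contents after each matching line.
    sed "/<tmpl_if name='use_proxy'>/r $tmp" "$tpl.bak" > "$tpl"
    rm -f "$tmp"
}

# Exit 0 only if every marker line is immediately followed by the block.
check_patched() {
    awk '
        prev ~ /<tmpl_if name=.use_proxy.>/ && $0 !~ /Disable \.htaccess/ { bad = 1 }
        { prev = $0 }
        END { exit bad }
    ' "$1"
}

if [ "$#" -gt 0 ]; then patch_proxy_acme "$1" && check_patched "$1"; fi
```

After patching, re-save an affected site in ISPConfig so the vhost is regenerated, then confirm that a file placed under /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ is reachable through the proxied hostname.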