
Let's Encrypt fails with <VirtualHost *:80> instead of IP-bound <VirtualHost [IP]:80 in virtualmin-gpl-release-7.1-1 #1045


Open
bohuspollak opened this issue Apr 11, 2025 · 2 comments

Comments

@bohuspollak

bohuspollak commented Apr 11, 2025

Category: Virtualmin / virtualmin-config

Version:
Versions: virtualmin-gpl-release-7.1-1.noarch
wbm-virtualmin-awstats-6.1-1.noarch
wbm-virtualmin-htpasswd-3.5-1.noarch
virtualmin-config-7.0.21-1.noarch

Let’s Encrypt fails validation (returns 404) when the Apache VirtualHost is defined as *:80, and starts working properly once it's explicitly changed to <VirtualHost [public-ip]:80>. Include:

Wrong config generated:

<VirtualHost *:80>
    ServerName test.actinolix.net
    ServerAlias www.test.actinolix.net
    ServerAlias mail.test.actinolix.net
    DocumentRoot /home/test/public_html
    ErrorLog /var/log/virtualmin/test.actinolix.net_error_log
    CustomLog /var/log/virtualmin/test.actinolix.net_access_log combined
    ScriptAlias /cgi-bin/ /home/test/cgi-bin/
    DirectoryIndex index.php index.htm index.html
    <Directory /home/test/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All
    </Directory>
    <Directory /home/test/cgi-bin>
        Require all granted
        AllowOverride All
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.test.actinolix.net
    RewriteRule ^/(?!.well-known)(.*)$ https://test.actinolix.net:20000/ [R]
</VirtualHost>

Should be:

<VirtualHost n.n.n.n:80>
    ServerName test.actinolix.net
    ServerAlias www.test.actinolix.net
    ServerAlias mail.test.actinolix.net
    DocumentRoot /home/test/public_html
    ErrorLog /var/log/virtualmin/test.actinolix.net_error_log
    CustomLog /var/log/virtualmin/test.actinolix.net_access_log combined
    ScriptAlias /cgi-bin/ /home/test/cgi-bin/
    DirectoryIndex index.php index.htm index.html
    <Directory /home/test/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All
    </Directory>
    <Directory /home/test/cgi-bin>
        Require all granted
        AllowOverride All
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.test.actinolix.net
    RewriteRule ^/(?!.well-known)(.*)$ https://test.actinolix.net:20000/ [R]
</VirtualHost>

where n.n.n.n is public ip.

The test showing .well-known returns 404 until the change:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

  Domain: test.actinolix.net
  Type:   unauthorized
  Detail: 85.248.128.60: Invalid response from http://test.actinolix.net/.well-known/acme-challenge/Ne_bnuI69J5gmP-7czu1EZvywH0dsAW8D3sDSYvoU4U: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2025-04-11 13:31:09,388:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

That the issue is reproducible.

That it might be worth making Virtualmin auto-detect and use bound IP in generated VirtualHost blocks

@bohuspollak
Author

Versions: virtualmin-gpl-release-7.1-1.noarch
wbm-virtualmin-awstats-6.1-1.noarch
wbm-virtualmin-htpasswd-3.5-1.noarch
virtualmin-config-7.0.21-1.noarch

@bohuspollak bohuspollak changed the title Let's Encrypt fails with <VirtualHost *:80> instead of IP-bound <VirtualHost [IP]:80 Let's Encrypt fails with <VirtualHost *:80> instead of IP-bound <VirtualHost [IP]:80 in virtualmin-gpl-release-7.1-1 Apr 11, 2025
@jcameron
Collaborator

jcameron commented Apr 12, 2025

Virtualmin should create virtualhosts with the correct * or IP address based on the Apache version and state of existing virtualhosts. If not, this would break not just the LE cert request, but also any access to the websites for new domains.

Does your system perhaps have different internal and public IP addresses?
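The behaviour both comments describe follows from Apache's two-stage virtual host selection: a request is first matched to the most specific address set (an IP-bound `<VirtualHost IP:80>` beats `<VirtualHost *:80>` for connections arriving on that IP), and only the vhosts in that set are compared against the Host header. A `*:80` vhost on a server that already has an IP-bound vhost on port 80 therefore never receives a request, and the challenge URL is served by the IP-bound default vhost instead. The script below is an added example, not Virtualmin or Apache code: it models that rule over a constructed configuration (the pre-existing `example.test` vhost bound to the public IP is an assumption standing in for whatever IP-bound vhost was already on the reporter's server; the IP is taken from the certbot log above) and includes a small check that flags wildcard vhosts shadowed by IP-bound ones.

```python
"""
Model of Apache's VirtualHost selection: address set first, then
ServerName/ServerAlias within that set. Added example, not code from
Virtualmin or Apache. The 'example.test' vhost is an assumed pre-existing
IP-bound vhost; the IP is the one certbot reported in the issue.
"""
import re
from dataclasses import dataclass, field

PUBLIC_IP = "85.248.128.60"  # from the certbot log in the issue


@dataclass
class VHost:
    addr: str                               # "*" or an IP address
    port: str                               # "80", "443" or "*"
    names: list = field(default_factory=list)  # ServerName + ServerAlias values


def parse_vhosts(conf: str) -> list:
    """Extract address, port and hostnames from every <VirtualHost> block."""
    vhosts = []
    block_re = r"<VirtualHost\s+([^\s:>]+):(\S+?)>(.*?)</VirtualHost>"
    for m in re.finditer(block_re, conf, re.S):
        addr, port, body = m.groups()
        lines = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M)
        vhosts.append(VHost(addr, port, [n for ln in lines for n in ln.split()]))
    return vhosts


def select_vhost(vhosts, dest_ip, dest_port, host_header):
    """Apache rule: the most specific address match wins; the Host header is
    compared only against the vhosts in that set, and the first vhost of the
    set is the default when no name matches. Wildcard (*) vhosts are consulted
    only when no IP-bound vhost exists for the destination address/port."""
    dest_port = str(dest_port)

    def port_ok(v):
        return v.port in ("*", dest_port)

    specific = [v for v in vhosts if v.addr == dest_ip and port_ok(v)]
    candidates = specific or [v for v in vhosts if v.addr == "*" and port_ok(v)]
    if not candidates:
        return None
    host = host_header.lower().split(":")[0]
    for v in candidates:
        if host in (n.lower() for n in v.names):
            return v
    return candidates[0]  # default vhost of that address set


def shadowed_wildcards(vhosts, port="80"):
    """Config check: wildcard vhosts on `port` that can never receive a request
    because some IP-bound vhost already claims that port. Returns
    [(ServerName, [bound IPs])]."""
    bound = sorted({v.addr for v in vhosts if v.addr != "*" and v.port in ("*", port)})
    if not bound:
        return []
    wild = [v for v in vhosts if v.addr == "*" and v.port in ("*", port)]
    return [(v.names[0] if v.names else "?", bound) for v in wild]


# Constructed configs. EXISTING is the assumed pre-existing IP-bound vhost;
# WRONG adds the *:80 block from the issue (trimmed to what matters here).
EXISTING = f"""
<VirtualHost {PUBLIC_IP}:80>
    ServerName example.test
    DocumentRoot /home/example/public_html
</VirtualHost>
"""
WRONG = EXISTING + """
<VirtualHost *:80>
    ServerName test.actinolix.net
    ServerAlias www.test.actinolix.net
    ServerAlias mail.test.actinolix.net
    DocumentRoot /home/test/public_html
</VirtualHost>
"""
FIXED = WRONG.replace("<VirtualHost *:80>", f"<VirtualHost {PUBLIC_IP}:80>")
# Consistent wildcards also work: the problem is mixing, not "*" itself.
ALL_WILD = WRONG.replace(f"<VirtualHost {PUBLIC_IP}:80>", "<VirtualHost *:80>")


def serving_vhost(conf, host="test.actinolix.net"):
    """ServerName of the vhost that answers the ACME validator's request,
    which arrives on PUBLIC_IP:80 with Host: test.actinolix.net."""
    vh = select_vhost(parse_vhosts(conf), PUBLIC_IP, 80, host)
    return vh.names[0] if vh else None


if __name__ == "__main__":
    for label, conf in (("wrong", WRONG), ("fixed", FIXED), ("all-wild", ALL_WILD)):
        print(f"{label:9s} -> served by {serving_vhost(conf)}; "
              f"shadowed: {shadowed_wildcards(parse_vhosts(conf))}")
```

With the mixed configuration the challenge request for test.actinolix.net is answered by example.test's DocumentRoot, which is exactly the 404 certbot reported; binding the new vhost to the same IP as the existing ones, or having every vhost use `*:80`, routes it correctly. On a real host, `apachectl -S` (or `httpd -S`) prints the address-set grouping Apache actually uses, which is the quickest way to confirm whether a new domain's vhost landed in the same set as the existing ones.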
