Adding LE SSL certs for wildcard subdomains

I have created LE certs using certbot for the wildcard sub-domains and have created new templates to use with the domains. I am now trying to get these working.

I have just tried:

v-add-web-domain-ssl dave gldn.page /etc/letsencrypt/live/gldn.page
Error: /etc/letsencrypt/live/gldn.page/gldn.page.crt not found

Don’t know why it’s looking for .crt
I am using .pem

    SSLEngine on
    SSLVerifyClient none
    ssl_certificate /etc/letsencrypt/live/%domain%/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/%domain%/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

I also tried running …

[email protected]:~# v-rebuild-web-domains dave gldn.page

Error: SSL is not enabled
Error: SSL is not enabled
Error: SSL is not enabled
Error: SSL is not enabled
Error: SSL is not enabled
[email protected]:~#

Maybe I can make it see that SSL is enabled by …
just creating some new certs with this.

Since I am using a custom template, maybe it will ignore the new cert and look at the path ??

Any thoughts?

(I haven’t saved this yet - not sure if it’s a good idea!)

And BTW - this domain has SSL email set up already

Thanks to Eris, I think I am close to getting it sorted, just this final hurdle !!

Hestia converts .pem into .crt files see:

You need to do it yourself.

If you can host the DNS on the Hestia server it is even easier, as Hestia supports wildcard SSL for Let's Encrypt by default.

Just looking at the templates again …

The custom template for Apache on:
/usr/local/hestia/data/templates/web/apache2/php-fpm/apa-wild-tmp.stpl

<VirtualHost %ip%:%web_ssl_port%>

ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %home%/%user%/web/%domain%/stats>
    AllowOverride All
</Directory>
<Directory %sdocroot%>
    AllowOverride All
    SSLRequireSSL
    Options +Includes -Indexes +ExecCGI
</Directory>
SSLEngine on
SSLVerifyClient none
ssl_certificate /etc/letsencrypt/live/%domain%/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/%domain%/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

<FilesMatch \.php$>
    SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
</FilesMatch>
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

Is it supposed to have nginx.conf in there ?

Thanks

Why not terminate SSL in the nginx template:

Replace:

https://%ip%:%web_ssl_port%;

with

http://%ip%:%web_port%;

And keep the stpl for apache2 as an empty file.

TBH I don’t fully understand the setup with apache and nginx.
Would help if I did.

When a browser sends a request to gldn.page, is it nginx that responds on port 443, or apache2?

Nginx will respond and send the data through to Apache2; it allows Nginx to handle static files / proxy caching if needed.

So I have looked at the configs and templates again.
Please correct me if I’m wrong, lol.

The Virtual Hosts are at:
NGINX
/home/admin/conf/web/gldn.page/nginx.conf – listening on port 80
for server_name gldn.page *.gldn.page
ARE WE NOT FORCING HTTPS - SO IS THIS NEEDED ??

( includes nginx.forcessl.conf* – which doesn’t exist )
( includes nginx.conf_* – which doesn’t exist )

proxies the data to http://78.110.163.102:8080 — to be picked up by apache2

THE BELOW IS NEEDED TO RECEIVE FROM NGINX SSL ( I THINK )

APACHE2
/home/dave/conf/web/gldn.page/apache2.conf – this is for port 8080

( IncludeOptional … gldn.page/apache2.forcessl.conf* – which doesn’t exist )

<VirtualHost 78.110.163.102:8080>

    ServerName gldn.page
    ServerAlias *.gldn.page
    ServerAdmin [email protected]
    DocumentRoot /home/dave/web/gldn.page/public_html
    ScriptAlias /cgi-bin/ /home/dave/web/gldn.page/cgi-bin/
    Alias /vstats/ /home/dave/web/gldn.page/stats/
    Alias /error/ /home/dave/web/gldn.page/document_errors/
    #SuexecUserGroup dave dave
    CustomLog /var/log/apache2/domains/gldn.page.bytes bytes
    CustomLog /var/log/apache2/domains/gldn.page.log combined
    ErrorLog /var/log/apache2/domains/gldn.page.error.log

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.forcessl.conf*

    <Directory /home/dave/web/gldn.page/stats>
        AllowOverride All
    </Directory>
    <Directory /home/dave/web/gldn.page/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php8.0-fpm-gldn.page.sock|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

Now to the TEMPLATES

/usr/local/hestia/data/templates/web/nginx/

Custom: ngx-wild-tmp.tpl — ARE WE NOT FORCING HTTPS ?

SO BELOW CAN BE DELETED ?

server {
    listen      %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;   

    include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

    location / {
        proxy_pass      http://%ip%:%web_port%;
        location ~* ^.+\.(%proxy_extensions%)$ {
            root           %docroot%;
            access_log     /var/log/%web_system%/domains/%domain%.log combined;
            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        proxy_pass      http://%ip%:%web_port%;
    }

    location ~ /\.(?!well-known\/|file) {
       deny all;
       return 404;
    }

    include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}

ALSO AT:
/usr/local/hestia/data/templates/web/nginx/

CUSTOM ngx-wild-tmp.stpl - scrap this

HAD A THOUGHT.

Since I am assigning a template for each domain,
why don’t I just hard code the template instead of using these variables ?

then it will be easier to see what is happening.

WE WANT TO TERMINATE SSL HERE, AND THEN PROXY TO 8080 ON APACHE2
( is that correct ? )

EG
CUSTOM: ngx-Gldn.stpl

server {
    listen      78.110.163.102:443 ssl;
    server_name gldn.page *.gldn.page;
    ssl_certificate      /etc/letsencrypt/live/gldn.page/fullchain.pem;   # OR SHOULD BE .CRT ?
    ssl_certificate_key  /etc/letsencrypt/live/gldn.page/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    error_log  /var/log/nginx/domains/gldn.page.error.log;

    # include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;  # This doesn't exist

    location / {
        proxy_pass      http://78.110.163.102:8080;    # plain HTTP, to be picked up by apache2 on 8080

        location ~* ^.+\.(%proxy_extensions%)$ {            # WHAT IS THIS SECTION FOR ?
            root           %sdocroot%;
            access_log     /var/log/%web_system%/domains/%domain%.log combined;
            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        proxy_pass      http://%ip%:%web_port%;  # WHAT IS THIS FOR ?
    }

    location ~ /\.(?!well-known\/|file) {
       deny all;
       return 404;
    }

    proxy_hide_header Upgrade;

    include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;  # Doesn't exist
}

Would this work ?

What is the v-rebuild-web-domains dave gldn.page for?

If I have the correct templates and certificate paths - why do I need to rebuild anything?

Thanks
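As an added check, not code from this thread or from Hestia: a small Python lint for the two custom templates above that flags the problems raised so far (';'-terminated nginx lines inside the Apache .stpl, a nested server block, '//' comments and missing ';' in the nginx .stpl, a 443 listener without the ssl parameter, and proxy_pass over https to the Apache backend). The sample templates are constructed, condensed from the ones posted above.

```python
import re

def lint_template(text, kind):
    """Lint a Hestia web template (kind 'nginx' or 'apache'); returns [(line_no, problem)]."""
    issues, depth = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if kind == "apache":
            # ';'-terminated lines are nginx syntax and do not belong in an Apache vhost
            if line.endswith(";"):
                issues.append((no, f"nginx syntax in Apache template: {first}"))
            continue
        if m := re.search(r"(^|\s)//", line):  # nginx comments start with '#', not '//'
            issues.append((no, "'//' is not a comment in nginx, use '#'"))
            if not (line := line[:m.start()].strip()):
                continue
        if line.endswith("{"):
            if first == "server" and depth > 0:
                issues.append((no, "nested 'server {' block"))
            depth += 1
        elif line == "}":
            depth -= 1
        else:
            if first == "listen" and re.search(r"[\s:]443[;\s]", line) and " ssl" not in line:
                issues.append((no, "listen on 443 without 'ssl': nginx would not terminate TLS"))
            if first == "proxy_pass" and "https://" in line:
                issues.append((no, "proxy_pass over https; Apache on the backend port speaks plain http"))
            if not line.endswith(";"):
                issues.append((no, "does not end with ';' (trailing text?)"))
    if kind == "nginx" and depth:
        issues.append((0, "unbalanced braces"))
    return issues

# Constructed samples condensed from the templates posted in this thread.
APACHE_STPL = """<VirtualHost %ip%:%web_ssl_port%>
    SSLEngine on
    ssl_certificate /etc/letsencrypt/live/%domain%/fullchain.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
</VirtualHost>"""
NGINX_STPL = """server {
   server {
    listen      78.110.163.102:443;
    ssl_certificate /etc/letsencrypt/live/gldn.page/fullchain.pem;   OR SHOULD BE .CRT ?
    error_log  /var/log/nginx/domains/gldn.page.error.log
    // include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
    proxy_pass      https://78.110.163.102:8080    --- to be picked up by apache2
}"""
```

Run `lint_template(open(path).read(), "nginx")` (or `"apache"`) on a template before enabling it; an empty list means none of these mistakes were found.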

    location ~* ^.+\.(%proxy_extensions%)$ {            # WHAT IS THIS SECTION FOR ?
        root           %sdocroot%;
        access_log     /var/log/%web_system%/domains/%domain%.log combined;
        access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
        expires        max;
        try_files      $uri @fallback;
    }

You want to allow Nginx to handle static files.

It should be working fine. Just enable the template.

v-rebuild-web-domains will update the templates used for the domains of the user. If you update the template you don’t have to go to Edit Web → change template and apply again.

In the ngx-Gldn.stpl

are these correct:

ssl_certificate      /etc/letsencrypt/live/gldn.page/fullchain.pem;   
ssl_certificate_key  /etc/letsencrypt/live/gldn.page/privkey.pem;

Or should they be .crt files ?

OK,
I think I understand all this now - sorry for being a bit slow !!

The templates in:
/usr/local/hestia/data/templates/web/nginx
/usr/local/hestia/data/templates/web/apache2/php-fpm

are used to generate the virtual host config files in:
/home/dave/conf/web/gldn.page/nginx.conf
/home/dave/conf/web/gldn.page/apache2.conf

(respectively)

The Save button runs the scripts to generate those virtual host files.
( Is that when v-rebuild-web-domains is running ? )

Therefore, I can see what the templates do by looking at the generated
virtual host files.

Hope I got that right. ( ?? )