I want SSL for every hosted-domain[.]tld:8083

sergiubaila · March 26, 2021, 2:38am

Hello, I have been playing around with this paltform and I love it, but I have one problem.
I want my clients to acces their cpanel trough hosted-domain[.]tld:8083, with SSL certificate.
I did a lot of trial and error to find out why it loads the certificate of hostname[.]domain[.]tld when the usser acces his hosted-domain[.]tld:8083.

It looks like the SSL path for port 8083 on every domain is made to be loaded static in /usr/local/hestia/nginx/conf/nginx.conf with the ssl found in /usr/local/hestia/ssl/certificate.key – and that totally makes sense, because there is stored hostname’s SSL.

For achieving my goal of getting a valid cert for every hosted-domain[.]tld[:]8083 I changed the ssl key and cert path in /usr/local/hestia/nginx/conf/nginx.conf like so :

server {
        listen          8083 ssl;
        server_name     _;
        root            /usr/local/hestia/web;

        # Fix error "The plain HTTP request was sent to HTTPS port"
        error_page 497 https://$host:$server_port$request_uri;
        error_page 403 /error/404.html;
        error_page 404 /error/404.html;
        error_page 410 /error/410.html;
        error_page 500 501 502 503 504 505 /error/50x.html;

        ssl_certificate      ***/usr/local/hestia/ssl/mail/mail[.]hosted-domain[.]tld.crt;***
        ssl_certificate_key   **/usr/local/hestia/ssl/mail/mail[.]hosted-domain[.]tld.key;**

And it worked! I did not longet had SSL on hostname[.]domain[.]tld, and when i tried mail[.]hosted-domain[.]tld[:]8083 it loaded with SSL and I was able to login in HestiaCP without any error.

So I went even further, trying to set that paths dinamic, so my clients could login via hosted-domain[.]tld[:]8083, without that ugly INVALID CERT.

But here is where I got stuck. Couldnt find the place where the cert are stored for every domain.
On /usr/local/hestia/data/teamplates/web/nginx/default.stpl I saw the SSL files paths are loaded like this
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;

I tried this in /usr/local/hestia/nginx/conf/nginx.conf but got no luck, the port 8083 died until i reverted the changes.

Can someone help me finding where are SSL stored for every domain?

pluto · March 26, 2021, 5:33am

If you’re experimenting look in
/usr/local/hestia/conf/hestia.conf

This seems to be where ports are set on a global level. I have no idea if altering these will break your server, so … at your own risk. I wouldn’t try this on a production server.

After editing this file, you’d probably need to v-rebuild-web-domains

eris · March 26, 2021, 5:53am

Not possible port 8083 is currently tied to 1 domain

Lupu · March 26, 2021, 9:16am

SSL certs are stored in /usr/local/hestia/data/users/$user/ssl
and also in /home/$user/conf/web/$domain/ssl

sergiubaila · March 26, 2021, 11:47am

Well, thank you for info. It’s not a production server. I host for free websites for my university classmates, so they can help me learn how to administrate a server ( more users with more traffic= more debugging .

Anyway, I allways do a backup copy before changing everyting important.

sergiubaila · March 26, 2021, 11:49am

Ok, do you think it’s possible, then, to redirrect all :8083 request from hosted-domain[.]tld to hostname[.]domain[.]tld:8083 ?

sergiubaila · March 26, 2021, 11:51am

Thank you, trying to born some new functionality, if i get something to work i’l post it here. But with the new info i guess it will be harder then I imagined.

Lupu · March 26, 2021, 12:10pm

for hosted-domain.tld:8083 you would have to copy all certs to a new folder which does not depend on you knowing the $user, also restrict permissions and then secondly use the new nginx feature that dinamically selects ssl cert using the $sni-servername (or something like that, dont know the var name exactly)

johnny · March 26, 2021, 4:57pm

What about just proxying each domain. For example panel.DOMAIN.TLD to IP:8083 with a LE Cert for each domain, similar to what is done with mail and webmail.DOMAIN.TLD.

It doesn’t have to be panel but it could be admin.DOMAIN.TLD

This way we don’t even need to specify a port.

sergiubaila · March 26, 2021, 5:16pm

If it does what I want, the client to acces HestiaCP with his domain without SSL warning, it’s perfect.
But I am very new to this, I have about a week of experience in servers, but I’m used to work in backednd, console etc, not scared of it. Just a lot of new terms for me and i need clarifications.

Can you guide me? I would be grateful.

system · April 25, 2021, 5:16pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.