Making Changes to <VirtualHost > for SSL certs

Hi,
I am using a dedicated server running ubuntu 20.04 with HestiaCP and several website domains.
To get the LE certificates Hestia does a great job with domains without widcard.

I have 5 domains that require wildcard for multiple sub-domains.
To get the LE certs I have used certbot CLI .

I now need to update the <VirtualHost > to point to the certificate files.

I believe it is the apache2.ssl.conf files that need updating ( correct ? )

But there is a warning:

#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
#=========================================================================#

Several questions:
Since HestiaCP updates can cause a rebuild, are they automatic?
How often do they occur?

Is there a way to prevent this file from getting over-written?
Perhaps by changing the permissions?

Any other recommendations?
Thanks.

Several questions:

Since HestiaCP updates can cause a rebuild, are they automatic?
How often do they occur?

Every time you update the web domain it self. Some of the automatic upgrades does the same.

Is there a way to prevent this file from getting over-written?
Perhaps by changing the permissions?

No not really by default everything is executed under the root user so it will not solve the issue

You need to update both Nginx as the Apache2 template but the easiest method is to modify Nginx template from:

to

proxy_pass http://%ip%:%web_port%;

On Nginx level you can create a custom template:

    ssl_certificate /etc/letsencrypt/live/%domain%/fullchain.pem; # ma>
    ssl_certificate_key /etc/letsencrypt/live/%domain%/privkey.pem; # >
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

And assign the domain the new template.

Looks rather complicated !!

What if I don’t have HespiaCP run these 5 domains at all ?
( It would still run the other 10 websites that don’t use sub-domains )

As we know, if HespiaCP is administering them, the <VirtualHost > will be in the path /home/user/conf/web/my-domain

But if I do not have them even mentioned in HespiaCP, if I build the <VirtualHost > in the usual place for ubuntu i.e. /etc/apache2/sites-available/my-domain.conf

Then I can maintain it with ftp as usual and HespiaCP will leave it alone - is that correct?

You won’t be able to create an ftp account if it doesn’t exists in Hestia as it it tied to the web domain.

Also by default nginx is running on port 80 / 443 and not apache2

Is there a step-by-step tutorial on this anywhere?

https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work

For the file locations and optional vars that can be used,

For the rest the above information should be enough

Thanks for the help.

This is what I have done:
on /usr/local/hestia/data/templates/web/nginx
I have a new template called ngx-wild-tmp.stpl

#=========================================================================#
#   THIS IS NEW WILDCARD TEMPLATE                                         #
#                                                                         #
# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
#=========================================================================#

server {
    listen      %ip%:%proxy_ssl_port% ssl http2;
    server_name %domain_idn% %alias_idn%;
    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;
    ssl_stapling on;
    ssl_stapling_verify on;
    error_log  /var/log/%web_system%/domains/%domain%.error.log error;

    include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

    location / {
        proxy_pass      https://%ip%:%web_port%;
        location ~* ^.+\.(%proxy_extensions%)$ {
            root           %sdocroot%;
            access_log     /var/log/%web_system%/domains/%domain%.log combined;
            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        proxy_pass      https://%ip%:%web_ssl_port%;
    }

    location ~ /\.(?!well-known\/|file) {
       deny all;
       return 404;
    }

    proxy_hide_header Upgrade;

    include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}

AND on /usr/local/hestia/data/templates/web/apache2/php-fpm
I have a new template called apa-wild-tmp.stpl


#=========================================================================#
#THIS  IS NEW TEMPLATE FOR WILDCARD SUBDOMAINS                            #
#                                                                         #
# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
#=========================================================================#

<VirtualHost %ip%:%web_ssl_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %sdocroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log
    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %sdocroot%>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        </Directory>
    SSLEngine on
    SSLVerifyClient none
    ssl_certificate /etc/letsencrypt/live/%domain%/fullchain.pem; # ma>
    ssl_certificate_key /etc/letsencrypt/live/%domain%/privkey.pem; # >
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

Is that about right?

Yes you also need to create a version for non ssl (.tpl)

What will change on those templates?
I thought it was only the ssl cert path that needed updating and we don’t have them on the non-ssl templates.

True you can keep the original template you used but both need to exists otherwise it will not detect in the system.

Do I need to restart HestiaCP in order to see the new template?

Under Web Template I see:
APACHE2 ( drop down)
Default

AND should I make a copy of those new templates elsewhere?

Will the restart wipe them out ?

WOW !!
I didn’t realise Restart would actually reboot the whole server !

I thought it would just restart HespiaCP.

Anyway - back up now.

I can see the Proxy Template option: ngx-wild-tmp

But no change on the Apache2 Template options - only default.

You are using /usr/local/hestia/data/templates/apache2/php-fpm ?

Yes,
What I hadn’t done is copied the non-ssl templates to apa-wild-tmp.tpl

I have done that now, and can see options in both.( see images )

The top portion looks like this

with the wildcard - is this correct ?

Just tested gldn.page
and cat.gldn.page

unfortunately both are saying " Your connection is not private"

I must have got something wrong ??

On the new template called ngx-wild-tmp.stpl see above,

It has …


server {
    listen      %ip%:%proxy_ssl_port% ssl http2;
    server_name %domain_idn% %alias_idn%;
    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;
    ssl_stapling on;
    ssl_stapling_verify on;

So these don’t need changing to the the /etc/letsencrypt path ?

v-rebuild-web-domain user domain.com yes

OK ran:
v-rebuild-web-domain dave gldn.page

It didn’t ask for confirmation.

And I have restarted server.

No change.

You can try: gldn.page

UPDATE:
I found an older post of yours

Do I need to run this ?

#!/bin/bash
source /etc/hestiacp/hestia.conf
source $HESTIA/func/main.sh

for user in $($BIN/v-list-users plain | cut -f1 ); do
    echo "Doing user: $user"
    $BIN/v-rebuild-web-domains $user
done

I added an ‘s’


Last login: Wed Jun  8 15:19:13 2022 from 77.102.184.93
[email protected]:~# v-rebuild-web-domains dave gldn.page
Error: SSL is not enabled
Error: SSL is not enabled
Error: SSL is not enabled
Error: SSL is not enabled
Error: SSL is not enabled
[email protected]:~#

Not sure why this is.

UPDATE 2
I have run out of replies !!! so I’ll have to update this one
and hope it gets seen !!

Tried this:

[email protected]:~# v-add-web-domain-ssl dave gldn.page /etc/letsencrypt/live/gldn.page
Error: /etc/letsencrypt/live/gldn.page/gldn.page.crt not found

For some reason it’s looking for .crt

we have

SSLEngine on
    SSLVerifyClient none
    ssl_certificate /etc/letsencrypt/live/%domain%/fullchain.pem; # ma>
    ssl_certificate_key /etc/letsencrypt/live/%domain%/privkey.pem; # >
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

By default Hestia doesn’t create the ssl templates if mails are not set up

And now I just remember:

v-add-web-domain-ssl user domain.com /folder/with/sslcertifcates/ should also work.

You only need to run it after certificate updates via Letsnecrypt a a cronjob will also help