
When a SSL certificate fails to be generated - add these warnings #939

Open
shoulders opened this issue Oct 21, 2024 · 8 comments

Comments

@shoulders

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.5
Usermin version: 2.102
Virtualmin version: 7.20.2 Pro
Theme version: 21.20.7
Apache version: 2.4.52
Package updates: 8 package updates are available

background

I imported a website from a cpanel account, though the source could be anywhere or even a fresh website.

the issue

I tried unsuccessfully to get my SSL certificate generated and I could not figure out why.

When I did figure it out, it was caused by 2 reasons:

  • the DNS change had not propagated completely across the internet
  • I had the following code in the .htaccess:

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>
```

The DNS propagation issue is obvious, and the htaccess code was causing the HTTP requests for the Let's Encrypt connection to be upgraded to an HTTPS connection; however, this would not work because the cert was self-signed and invalid.

proposed solution

  • Maybe pop up a message outlining the potential issues above if the get cert fails.
  • This message might only show if the cert is self-signed or the cert currently present is expired.

Manage Web Server --> Setup SSL Certificates --> Let's Encrypt

@iliajie
Collaborator

iliajie commented Oct 21, 2024

> Manage Web Server --> Setup SSL Certificates --> Let's Encrypt

Don’t we already display that under the "Setup SSL Certificates —> Let's Encrypt" tab? I distinctly remember fixing it, so the full error message should be shown there already...

@shoulders
Author

I do get the letsencrypt error message, but these 2 particular errors that would not get directly flagged up could be the cause of a lot of errors, well, for noobies and me.

The letsencrypt error message, for the error with htaccess, showed my IP and HTTPS and a fail message. I can't remember what it said, but I don't remember it saying that the cert was expired and because of that it failed. However, I could be wrong.

My feature request was really for a prompt in certain circumstances to educate the user and have them check propagation and the presence of dodgy htaccess rules.

@jcameron
Collaborator

Having a self-signed cert isn't itself bad, as long as there's no unilateral redirect to HTTPS. When Virtualmin sets up that redirect it excludes Let's Encrypt validation requests for this exact reason .... but we can't do that in all cases, like where there's a migrated or manually created .htaccess file.

@shoulders
Author

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>
```

thinking through the issue

  • The redirect code above maintains the well-known folder; it is the fact that my htaccess upgraded the connection and the current certificate was self-signed that causes the failure. Letsencrypt does not like self-signed.
  • https://letsencrypt.org/docs/challenge-types/
    • Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep.
    • It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443.
    • It does not accept redirects to IP addresses.
    • When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

My thoughts

  • Lets encrypt allows the HTTP-01 challenge on HTTP or HTTPS and allows up to 10 redirects.
  • Lets encrypt does not check SSL validity, so allows responses on HTTPS with an expired or self-signed certificate.
  • When there is not an SSL certificate present (self-signed or letsencrypt) on your new website (i.e. you just set the virtual server up) and you access the HTTPS version of your website, you will actually see the server's default website, not yours. Is this why the HTTP-01 challenge fails, because the file does not exist on the default website?

Bug or Feature request ?

  • Is this a bug, that the HTTPS domain does not exist until an SSL certificate has been installed?
  • Would adding my message about checking for propagation and .htaccess rules help?
  • Can you run the test through the user's htaccess to see if it fails? (this one is a blue-skies idea)
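
As an added illustration (not Virtualmin code and not the reporter's), here is a small Python model of the HTTP-01 redirect rules quoted above, walked over the two scenarios discussed in this comment: the redirect landing on the virtual host with a self-signed cert, and the redirect landing on the server's default site. The hostname and challenge token are constructed.

```python
import ipaddress
from urllib.parse import urlparse

MAX_REDIRECTS = 10
TOKEN = "constructed-token"   # constructed challenge token
HOST = "example.test"         # constructed hostname
START = "http://%s/.well-known/acme-challenge/%s" % (HOST, TOKEN)
UPGRADED = START.replace("http://", "https://", 1)

def redirect_allowed(url):
    """One hop per the quoted rules: http/https, ports 80/443, no IP literals."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not http/https"
    port = p.port or (80 if p.scheme == "http" else 443)
    if port not in (80, 443):
        return False, "port %d not 80/443" % port
    try:
        ipaddress.ip_address(p.hostname or "")
    except ValueError:
        return True, "ok"
    return False, "redirect to IP address"

def validate(site, start=START):
    """Walk a constructed server model (url -> ('redirect', location) or
    ('body', text)) as the validator would. Certificate validity is not
    modelled on purpose: per the docs, HTTPS hops are not cert-checked."""
    url, hops = start, 0
    while True:
        kind, value = site.get(url, ("body", ""))
        if kind == "body":
            return value == TOKEN, "final response from " + url
        ok, why = redirect_allowed(value)
        if not ok:
            return False, "rejected redirect to %s: %s" % (value, why)
        hops += 1
        if hops > MAX_REDIRECTS:
            return False, "more than %d redirects" % MAX_REDIRECTS
        url = value

# Scenario A: the .htaccess above upgrades to HTTPS and the virtual host
# answers on 443 with a self-signed cert; the token is served, so it passes.
SITE_A = {START: ("redirect", UPGRADED), UPGRADED: ("body", TOKEN)}
# Scenario B (the hypothesis in the comment above): the same redirect, but
# HTTPS is answered by the server's default site, which lacks the token.
SITE_B = {START: ("redirect", UPGRADED), UPGRADED: ("body", "<html>default</html>")}
```

Running `validate(SITE_A)` and `validate(SITE_B)` shows that the self-signed cert alone is not what fails the challenge; the token has to be reachable at the end of the redirect chain.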

@jcameron
Collaborator

The HTTPS domain is definitely created before the SSL cert is installed, so that shouldn't be the issue.

Actually, what was the full error that you got from Let's Encrypt?

As for .htaccess files, parsing them to detect problem redirects would be near impossible. But maaaybe we could disable them during the cert request process?

@shoulders
Author

I will see if we have the error.

Disabling the htaccess redirect during an SSL installation is an option, but it could adversely affect a very active site, so it might not be best. I welcome advice though.

@shoulders
Author

I have the error log for letsencrypt; I just need to find where an entry starts and finishes, it is not very clear.

@iliajie
Collaborator

iliajie commented Oct 22, 2024

> But maaaybe we could disable them during the cert request process?

I don’t think this is something we should do. There are many situations where disabling .htaccess could cause serious issues with the website’s functionality or even expose private data.
