Hello,
Yes it has been a bit of a saga, but a progressive one!
Thanks for your replies - they are helpful in leading me towards
an understanding of how Hestia works.
And how I can make it play with LE for wildcard subdomains.
HestiaCP uses BOTH nginx and apache2
Here is how I understand that it works:
HestiaCP uses templates to generate the actual config files for both nginx and apache2
The generated config files are placed in the home directory
of the User/domain like this:
/home/dave/conf/web/gldn.page/nginx.conf
/home/dave/conf/web/gldn.page/nginx.ssl.conf
and
/home/dave/conf/web/gldn.page/apache2.conf
/home/dave/conf/web/gldn.page/apache2.ssl.conf
The nginx is a reverse proxy in front of the apache server
The NGINX server listens on port 443
and then proxies to port 8080 where apache picks the request up.
The config:
/home/dave/conf/web/gldn.page/nginx.ssl.conf
server {
listen 78.110.163.102:443 ssl http2;
server_name gldn.page *.gldn.page;
ssl_certificate /etc/letsencrypt/live/gldn.page/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/gldn.page/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
error_log /var/log/apache2/domains/gldn.page.error.log error;
include /home/dave/conf/web/gldn.page/nginx.hsts.conf*;
location / {
proxy_pass https://78.110.163.102:8080;
location ~* ^.+\.(jpg|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
root /home/dave/web/gldn.page/public_html;
access_log /var/log/apache2/domains/gldn.page.log combined;
access_log /var/log/apache2/domains/gldn.page.bytes bytes;
expires max;
try_files $uri @fallback;
}
}
location /error/ {
alias /home/dave/web/gldn.page/document_errors/;
}
location @fallback {
proxy_pass https://78.110.163.102:8443;
}
location ~ /\.(?!well-known\/|file) {
deny all;
return 404;
}
It's main use appears to be the caching of static objects,
the fallback uri is port 8443 which apache listens for.
As I understand it, the request from an internet client is decrypted
by the LE certs and sent Apache2 server on port 8080
The NGINX server also listens on port 80 and does a 301 redirect to HTTPS
/home/dave/conf/web/gldn.page/nginx.conf
server {
listen 78.110.163.102:80;
server_name gldn.page *.gldn.page;
include /home/dave/conf/web/gldn.page/nginx.forcessl.conf*;
**this does a 301 redirect to HTTPS**
location / {
proxy_pass http://78.110.163.102:8080;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
root /home/dave/web/gldn.page/public_html;
access_log /var/log/apache2/domains/gldn.page.log combined;
access_log /var/log/apache2/domains/gldn.page.bytes bytes;
expires max;
try_files $uri @fallback;
}
}
location /error/ {
alias /home/dave/web/gldn.page/document_errors/;
}
I would think that after the 301 redirect there would be no
proxy to 8080 or any caching happening.
NOW the Apache2 webserver
This listens on port 8080
/home/dave/conf/web/gldn.page/apache2.conf
<VirtualHost 78.110.163.102:8080>
ServerName gldn.page
ServerAlias *.gldn.page
ServerAdmin info@gldn.page
DocumentRoot /home/dave/web/gldn.page/public_html
ScriptAlias /cgi-bin/ /home/dave/web/gldn.page/cgi-bin/
Alias /vstats/ /home/dave/web/gldn.page/stats/
Alias /error/ /home/dave/web/gldn.page/document_errors/
#SuexecUserGroup dave dave
CustomLog /var/log/apache2/domains/gldn.page.bytes bytes
CustomLog /var/log/apache2/domains/gldn.page.log combined
ErrorLog /var/log/apache2/domains/gldn.page.error.log
IncludeOptional /home/dave/conf/web/gldn.page/apache2.forcessl.conf*
<Directory /home/dave/web/gldn.page/stats>
AllowOverride All
</Directory>
<Directory /home/dave/web/gldn.page/public_html>
AllowOverride All
Options +Includes -Indexes +ExecCGI
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php/php8.0-fpm-gldn.page.sock|fcgi://localhost"
</FilesMatch>
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
IncludeOptional /home/dave/conf/web/gldn.page/apache2.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
Note:
There are no files:
/home/dave/conf/web/gldn.page/apache2.forcessl.conf*
/home/dave/conf/web/gldn.page/apache2.conf_*
Only /etc/apache2/conf.d/phpmyadmin.inc
What does this do ?
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
Hopefully it prevents someone from just going directly to port 8080
and circumventing the proxy server and https !!
FINALLY we have the
/home/dave/conf/web/gldn.page/apache2.ssl.conf
The one below is the default config - where you can see
the three cert files
<VirtualHost 78.110.163.102:8443>
ServerName gldn.page
ServerAlias *.gldn.page
ServerAdmin info@gldn.page
DocumentRoot /home/dave/web/gldn.page/public_html
ScriptAlias /cgi-bin/ /home/dave/web/gldn.page/cgi-bin/
Alias /vstats/ /home/dave/web/gldn.page/stats/
Alias /error/ /home/dave/web/gldn.page/document_errors/
#SuexecUserGroup dave dave
CustomLog /var/log/apache2/domains/gldn.page.bytes bytes
CustomLog /var/log/apache2/domains/gldn.page.log combined
ErrorLog /var/log/apache2/domains/gldn.page.error.log
<Directory /home/dave/web/gldn.page/stats>
AllowOverride All
</Directory>
<Directory /home/dave/web/gldn.page/public_html>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /home/dave/conf/web/gldn.page/ssl/gldn.page.crt
SSLCertificateKeyFile /home/dave/conf/web/gldn.page/ssl/gldn.page.key
SSLCertificateChainFile /home/dave/conf/web/gldn.page/ssl/gldn.page.ca
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php/php8.0-fpm-gldn.page.sock|fcgi://localhost"
</FilesMatch>
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
IncludeOptional /home/dave/conf/web/gldn.page/apache2.ssl.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
I tried changing the certificate paths to:
SSLCertificateFile /etc/letsencrypt/live/gldn.page/cert.pem;
SSLCertificateKeyFile /etc/letsencrypt/live/gldn.page/privkey.pem;
SSLCertificateChainFile /etc/letsencrypt/live/gldn.page/chain.pem;
Would you expect this to be correct?
( I get an error - apache2 server will not restart )
The error is in the apache2 config:
apachectl configtest
AH00526: Syntax error on line 30 of /etc/apache2/conf.d/domains/gldn.page.ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/gldn.page/cert.pem;' does not exist or is empty
Action 'configtest' failed.
However:
:/etc/letsencrypt/live/gldn.page# ls -la
total 24
drwxr-xr-x 2 root root 4096 Jun 9 10:09 .
drwx------ 7 root root 4096 Jun 8 09:03 ..
lrwxrwxrwx 1 root root 33 Jun 7 20:15 cert.pem -> ../../archive/gldn.page/cert1.pem
lrwxrwxrwx 1 root root 34 Jun 7 20:15 chain.pem -> ../../archive/gldn.page/chain1.pem
lrwxrwxrwx 1 root root 38 Jun 7 20:15 fullchain.pem -> ../../archive/gldn.page/fullchain1.pem
-rw-r--r-- 1 root root 5595 Jun 9 10:09 gldn.page.crt
-rw------- 1 root root 1708 Jun 8 21:10 gldn.page.key
lrwxrwxrwx 1 root root 36 Jun 7 20:15 privkey.pem -> ../../archive/gldn.page/privkey1.pem
-rw-r--r-- 1 root root 692 Jun 7 20:15 README
root@expressresponse:/etc/letsencrypt/live/gldn.page# cat cert.pem
-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgISBLV5s/k7KmTYDsjJzS9xqRihMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA2MDcxODE1MzhaFw0yMjA5MDUxODE1MzdaMBQxEjAQBgNVBAMT
CWdsZG4ucGFnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMp/Z+Iw
NM8kWdpWgLElfm6rREDdDbPUxb4Yh5v/WWnnJwNtrRjoU2XR/mCPG4ARFnW/6V37
EIGN2yJP24BORHoS3h3hFyg7fojslj2CmycrBxFezlz0Ias8t7dsc2s+s0im2sjl
jvtbk385m749o3dYA1LQHOd3Bca3QBNsNdEbZ1NenoRjc5Pd+Qeuns2vPoPZHZWn
aCLACmSPvCP42Bo2U0Qt723Bory3BffxQez4TEFrFyPGQYXSo+3qHFY4t11GaFFx
ad6h01q6CHI+Y44ervrNBLYRlSSYN8qLfJgKGTo0VR/UYDuG2C9IPTjE6qxj/FUL
2vaIRtPE7kd4nvkCAwEAAaOCAlIwggJOMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
wuQog9Ah07QwHE0LKKWuJ+jNTUswHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+v
dHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AN+lXqtogk8f
bK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgT+YDuUAAAQDAEgwRgIhAIWDh5g8
7vLe90yUxQxyyPfgDVeDSyVmcP2mgvglKNIOAiEArnNf9Yl8RW4DZMf2f9S566rV
sLJQ1wsm8o95M3DGGKcAdgBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5t
RwAAAYE/mA8IAAAEAwBHMEUCICSTTYk15OJhlSafBUcXqMU2GWjUofROKnzdX/E8
qOIqAiEAmpf3LG/xeEKjNyZ3xcN94VoAFlS/I1+eMnTaVTJHd/UwDQYJKoZIhvcN
AQELBQADggEBADHqSw8QPlFZgh5+DB7UJggUTQOgaoEVZsh7dyEfPuNrmTRR8MpA
+Wi3b0dxXw3oCiewqOASpHW+OxuqjlDz1ofjKQ/WEsOMxEHhM570B12xYxLdu701
AKes8yqSepJzspPxx3Q+ThdIYk2wVTkYOXhKBmhYdyKIA7uQPT/W8NgUA4BhQ8/X
lbdIXqMlgIXLBUpx1BY+AP1tbh4FoxEUezvUD/ChNwzaF1IjTGa7jb8WVaDY40uA
SfQ2Lqi0MxtDhTD5UJvlVaS3+/3UC7Aueo+czIFj7I8gWULS4yvoRyRs2+pFkXeH
URpzVsoJGL/VcEZz13eaQPPhJ87Yyw6haPk=
-----END CERTIFICATE-----
So , the cert.pem is present and looks like a certificate !!