Univention Corporate Server: no renewal possible

No, it is there: Univention Corporate Server: no renewal possible - #17 by Mornsgrans

Edit: It became hidden by the forum spam filter and needed a review by admin.

The folder /etc/apache2/ucs-sites.conf.d contains three config files. All these files were auto-generated by UCS last summer.

1st:

root@ucs:/etc/univention/letsencrypt# cat /etc/apache2/ucs-sites.conf.d/ucs-sites.conf
#...
RewriteEngine on
RewriteOptions Inherit
ProxyPreserveHost on
ProxyTimeout 600

RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

DocumentRoot /var/www/
CustomLog /var/log/apache2/access.log combined
RedirectMatch ^/$ /univention/

2nd:

root@ucs:/etc/univention/letsencrypt# cat /etc/apache2/ucs-sites.conf.d/collabora-code.conf

#######################################
# generated by code app join script, do not edit manually #
#######################################

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool https://127.0.0.1:9980/lool
ProxyPassReverse    /lool https://127.0.0.1:9980/lool

# Capabilities
ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities

3rd:

root@ucs:/etc/univention/letsencrypt# cat /etc/apache2/ucs-sites.conf.d/univention-portal.conf
#...
ProxyPass /univention/portal/portal.json http://127.0.0.1:8095/ retry=0
ProxyPassReverse /univention/portal/portal.json http://127.0.0.1:8095/

<Directory /var/www/univention/portal/>
        <FilesMatch "(portal|apps)\.json|portal\.css">
                Header set Cache-Control "max-age=0, must-revalidate"
        </FilesMatch>
</Directory>
<Directory /var/www/univention/portal/icons>
        Header set Cache-Control "max-age=0, must-revalidate"
</Directory>

Maybe I could solve the http-problem:
after setting

ucr set apache2/force_https=yes

and restarting Apache I did the curl instructions mentioned above again:

root@ucs:/etc/univention/letsencrypt# curl -I http://web.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 Feb 2022 20:15:03 GMT
Server: Apache/2.4.25 (Univention)
Location: https://web.kmvw-io.de/%5bhttps:/web.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
Content-Type: text/html; charset=iso-8859-1

root@ucs:/etc/univention/letsencrypt# curl -I http://ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 Feb 2022 20:15:30 GMT
Server: Apache/2.4.25 (Univention)
Location: https://ucs.kmvw-io.de/%5bhttps:/ucs.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
Content-Type: text/html; charset=iso-8859-1

Please notice the entry in the lines starting with "Location".

I think you should reverse what you just did with forcing redirects since it did not work. Ideally your port 80 http server would handle the challenge requests anyway.

Can you try copying these lines which do seem to work from your port 443 VirtualHost and add them to your 000.default.conf file? Don't forget to restart Apache after.


Getting the same:

root@ucs:/etc/univention/letsencrypt# curl -I http://autoconfig.kmvw-io.de/.well-known/acme-challenge/nh_11HrXJHoeCet5DDdh8E82V8vb1Vx5ucOhpsj5L8k
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 Feb 2022 21:05:13 GMT
Server: Apache/2.4.25 (Univention)
Location: https://autoconfig.kmvw-io.de/%5bhttps:/autoconfig.kmvw-io.de/.well-known/acme-challenge/nh_11HrXJHoeCet5DDdh8E82V8vb1Vx5ucOhpsj5L8k
Content-Type: text/html; charset=iso-8859-1

with /%5b in the "Location" line. - Yes, I did restart Apache after changing 000-default.conf.

The problem is that I do not know the changes made to the configuration before the last successful renewal. - I think I will give up and try a new installation if there are no new ideas. - Damn...

Thank you for your support.


I could solve the problem!!

The output of the curl instruction in my postings above

root@ucs:/etc/univention/letsencrypt# curl -I http://web.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 Feb 2022 20:15:03 GMT
Server: Apache/2.4.25 (Univention)
Location: https://web.kmvw-io.de/%5bhttps:/web.kmvw-io.de/.well-known/acme-challenge/HHIBIWc28HA8J_7-m3jnO65eyVUmLvxc99EzolEV0LA
Content-Type: text/html; charset=iso-8859-1

showed a /%5b in the line starting with Location.

This morning I found a guide in the Univention knowledge base on how to redirect HTTP to HTTPS and configure Let's Encrypt manually.

One step is:

Then create /var/www/.htaccess with the following content:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) [https://%{HTTP_HOST}%{REQUEST_URI}

The RewriteRule contains a "[". So I checked my .htaccess file and found the RewriteRule in it. I removed the RewriteRule line, restarted Apache and executed

root@ucs:/etc/univention/letsencrypt# sudo -u letsencrypt /usr/share/univention-letsencrypt/refresh-cert
So 6. Feb 09:04:35 CET 2022
Refreshing certificate for following domains:
kmvw-io.de autodiscover.kmvw-io.de autoconfig.kmvw-io.de ucs.kmvw-io.de web.kmvw-io.de  smtp.kmvw-io.de mail.kmvw-io.de
Parsing account key...
Parsing CSR...
Found domains: web.kmvw-io.de, ucs.kmvw-io.de, mail.kmvw-io.de, autoconfig.kmvw-io.de, smtp.kmvw-io.de, autodiscover.kmvw-io.de, kmvw-io.de
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying autodiscover.kmvw-io.de...
autodiscover.kmvw-io.de verified!
Verifying kmvw-io.de...
kmvw-io.de verified!
Verifying mail.kmvw-io.de...
mail.kmvw-io.de verified!
Verifying smtp.kmvw-io.de...
smtp.kmvw-io.de verified!
Verifying ucs.kmvw-io.de...
ucs.kmvw-io.de verified!
Verifying web.kmvw-io.de...
web.kmvw-io.de verified!
Verifying autoconfig.kmvw-io.de...
autoconfig.kmvw-io.de verified!
Signing certificate...
Certificate signed!
Certificate refreshed at So 6. Feb 09:05:17 CET 2022

Yeah! - Success!!! :sunglasses:

Then I added the RewriteRule line to the .htaccess again and restarted Apache.

Now I will ask in the Univention forum, why the RewriteRule suddenly generates garbage.

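A small checker for the symptom discussed in this thread, added here as an example and not part of the original posts or of UCS: it parses `curl -I` style output for an ACME challenge request and flags a redirect whose Location carries a literal `[` (the `/%5b` seen above) or otherwise fails to preserve the challenge path. Hostnames, tokens and the sample responses are constructed for the example.

```python
"""Sanity-check an Apache redirect for an ACME HTTP-01 challenge URL.

The constructed sample below reproduces the symptom from this thread: a
Location header starting with /%5b (URL-encoded '['), produced by a
RewriteRule whose substitution carried a literal '[' (see the .htaccess line
quoted above). Hosts and tokens are made up for the example."""
from urllib.parse import unquote, urlsplit

# Constructed sample request and responses (not captured from a real host).
REQUEST = "http://ucs.example.org/.well-known/acme-challenge/TOKEN_CONSTRUCTED"
BROKEN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\n"
    "Server: Apache/2.4.25 (Univention)\n"
    "Location: https://ucs.example.org/%5bhttps:/ucs.example.org"
    "/.well-known/acme-challenge/TOKEN_CONSTRUCTED\n"
)
GOOD_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\n"
    "Location: https://ucs.example.org/.well-known/acme-challenge/TOKEN_CONSTRUCTED\n"
)


def parse_response(raw: str) -> dict:
    """Turn a `curl -I` style header block into {lowercase name: value};
    the status line is stored under the key '_status'."""
    status, *rest = raw.strip().splitlines()
    headers = {"_status": status}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def redirect_problems(request_url: str, raw_response: str) -> list:
    """Return findings about a redirect of an ACME challenge request.
    An empty list means the challenge path survives the redirect intact."""
    hdr = parse_response(raw_response)
    if not hdr["_status"].split()[1].startswith("3"):
        return []  # not a redirect; nothing to check here
    if "location" not in hdr:
        return ["3xx response without a Location header"]
    req, tgt = urlsplit(request_url), urlsplit(hdr["location"])
    problems = []
    if "[" in unquote(tgt.path):
        problems.append("Location path contains a literal '[' (%5b): broken RewriteRule substitution")
    if tgt.hostname != req.hostname:
        problems.append(f"redirect changes host: {req.hostname} -> {tgt.hostname}")
    if tgt.path != req.path:
        problems.append(f"challenge path not preserved: {tgt.path}")
    return problems


if __name__ == "__main__":
    for label, resp in (("broken", BROKEN_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, redirect_problems(REQUEST, resp) or "OK")
```

Feed it real `curl -I` output for each domain before running refresh-cert; Let's Encrypt follows a redirect that keeps the path intact, but a mangled target like the `/%5b` case cannot validate, and the safest setup is the one suggested above, where the port 80 vhost answers the challenge itself.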
