nginx configuration / Let's encrypt / challenge config get's overwritten

stefan_o

Hello,
I'm using Debian 12 and I had Let's Encrypt installed before I installed grommunio. Unfortunately the nginx configuration in /usr/share/grommunio-common/nginx.conf redirects all HTTP requests to HTTPS, which makes Let's encrypt for this domain impossible. I can modify this file to fix the problem (redirect acme challenges to another directory), but it's a file installed by grommunio that gets overwritten with updates from time to time.
I'm not a nginx expert, is there an option somewhere to do this configuration outside this server block? If not, could this somehow be fixed by moving the server-configuration to /etc and including the other parts in /usr/share, so the ACME challenge configuration doesn't get overwritten?

Best regards
Stefan

Gazzis

Hey,
I encountered the same issue. The way I fixed it was... of debatable quality... but fine for me for the moment.
In the acme.sh --pre-hook I simply stop nginx, let acme.sh do its thing using its own http server and in the --post-hook I start nginx again. As this will happen once every 60 days for _30seconds I'm find with that outage. Maybe that works for you as well?
(A softer version of that would be to disable the 80->443 forward during that 30 seconds time.)
If for whatever [totally valid!] reason this is not an option for you it's probably for the best to copy the configs out of the grommunio "owned" locations and change it as needed. This requires you of course then to check from time to time if grommunio requires anything new

Best, Stephan

mwilliams

There is more to it than just port 80 access, you also want the fullchain in the right place, restart services after renewal, and so on.

Unit-file:

[Unit]
Description=Certbot/Letsencrypt certificate renewal
ConditionPathExists=/usr/bin/certbot

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --pre-hook "service nginx stop" --deploy-hook /usr/share/grommunio-setup/grommunio-certbot-renew-hook --post-hook "service nginx start"

deploy-hook:

#!/bin/bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2021 grommunio GmbH

openssl x509 -in "$RENEWED_LINEAGE/chain.pem" -out "$RENEWED_LINEAGE/chain-first.pem"
cat "$RENEWED_LINEAGE/cert.pem" "$RENEWED_LINEAGE/chain-first.pem" > "/etc/grommunio-common/ssl/server-bundle.pem"
cp "$RENEWED_LINEAGE/privkey.pem" "/etc/grommunio-common/ssl/server.key"
find /etc/grommunio-common/ssl/ -type f -exec chown -h gromox:gromox {} +
systemctl restart postfix gromox-http gromox-imap gromox-pop3 gromox-delivery-queue

stefan_o

mwilliams
Yes, but all that is not an issue, it does not interfere with the grommunio config. The port 80 redirect is an issue that can only solve by modifying the config file supplied by grommunio (or by stopping nginx and using another config/HTTP server as proposed).
Also, why is stopping nginx needed? I just do a "systemctl reload" for postfix and nginx

Would be great if the port 80 server redirect config could be replaced by including a file that is located in /etc that doesn't get overwritten (just made an update -- overwritten again).

WalterH

mwilliams ExecStart=/usr/bin/certbot renew --pre-hook "service nginx stop" --deploy-hook /usr/share/grommunio-setup/grommunio-certbot-renew-hook --post-hook "service nginx start"

So wie ich das verstehe, hat der certbot seinen eigenen Webserver damit das Redirect vom Port 80 nicht stört.

stefan_o

WalterH
Ja, das denke ich mir auch, die Frage ist warum, das erzeugt ja eine kurze down-time, das ist ungünstig (bei mir laufen mit nginx auch noch andere Sachen)

Ich bin das Problem jetzt anders angegangen: Ich habe ein pre-hook script geschrieben, welches die Konfiguration /usr/share/grommunio/nginx.conf prüft, ggf. ändert und nginx reloaded. Hab ich noch nicht in der realen Praxis geprüft, mal schauen ob das dann klappt

WalterH

stefan_o das erzeugt ja eine kurze down-time,

alle 90 Tage ca. 3 Sekunden, das sollte verschmerzbar sein.

stefan_o bei mir laufen mit nginx auch noch andere Sachen

Wenn das grommunio wartbar bleiben soll, dann sollte auf dem grommunio Server nichts anderes laufen.

stefan_o

WalterH Weiß leider nicht wie ich das sonst lösen soll: Mehrere Domains die auf die selbe IP aufgelöst werden, erst der HTTPS-Server weiß ja wohin das soll. Das kann ich ja nicht mit virtuellen Maschinen lösen.

Wenn da noch eine Videokonferenz drüber läuft und dann alle rausfliegen ist das sehr doof.

WalterH

Der renew time läuft in der Nacht, die Zeit kann man wenn notwendig anpassen.

crpb

systemctl edit grommunio-certbot-renew.timer

# First line deletes all previously settings
# because we can define multiple triggers in one timer and we don't want that!
OnCalendar=
# Only Sundays in the middle of the night
OnCalendar=Sun *-*-* 03:25:00
# Add a bit delay (not needed but so you might know about it)
RandomizedDelaySec=20m

Save the file and ensure that it is correct in the line Trigger: 👀
systemctl status grommunio-certbot-renew.timer

if you want to know more about it