HTTP needed for let's encrypt SSL upgrade

JJussi · June 21, 2020, 10:50am

When webmail HTTP (port 80) listener is disabled at admin interface, system should “warn” that automatic SSL certificate upgrade will not work.
I had only port 443 enabled and tried to figure out why system don’t manage to upgrade certificate even I press “renew”. After enabling port 80 for webmail interface, everything start working with let’s encrypt certificate renew-button.

Jeroen · July 8, 2020, 8:59pm

Hiya,

the documentation clearly states that clearly under “prerequisites”.

What I would like to throw in here, though, is the fact that this automatically enables the http webmail interface, which is something that I would like to avoid.

It would be absolutely awesome, if a blank / minimal http-page could be used for the Lets Encrypt renewals, instead of the full blown webclient.
Of course, one could disable port 80 within Axigen and setup an NGinx or Apache web server on port 80 right next to it, I guess. But it would be much nicer to be able to activate something like that within Axigen Admin.

JK

JJussi · July 8, 2020, 9:39pm

Hi,
because axigen takes care of renewing certificate, why system don’t “enable” port 80 (when it’s disabled) automatically just for update process and then returns port back to disable.

indreias · July 31, 2020, 2:30pm

Hello Jeroen,

Have you tried to disable the WebMail interface by renaming webmail folder from Axigen working directory to something like webmail.disabled + run a service axigen reload so the WebMail pages will become unavailable?

HTH,
Ioan

Jeroen · July 31, 2020, 8:08pm

That is not what I meant.
I am okay with the HTTPS webmail. I just don’t want users / customers to use the HTTP site.
So it would be great if there would be a static website on port 80, which would suffice for LetsEncrypt, telling the visitor, he/she should be using the HTTPS site instead.
Many browsers will only give you a warning, which is merely noticed (ignored…) by many users.

If I wouldn’t want users to use WebMail at all, I could just shut down all listeners or stop the service.

indreias · July 31, 2020, 8:47pm

Hello Jeroen,

Than it is very simple - activate the automatic redirection from HTTP to HTTPS (check SSL > Secure Login from :80 listener) and all should be fine.

HTH,
Ioan

Jeroen · July 31, 2020, 8:50pm

But then LetsEncrypt automatic Cert renewal would break as their challenge needs a site at port 80, as the documentation clearly states.

indreias · July 31, 2020, 8:52pm

Hello,

I bet that the HTTP request received from LE will be intercepted before redirecting to HTTPS - could you please confirm that it works in the setup mentioned above?

If not, we’ll consider this as a bug.

BR,
Ioan

Jeroen · July 31, 2020, 9:13pm

That worked.
This possibility could be put further up in the documentation.
It’s rather far down at the bottom, so - if this was there all the time - I completely overlooked it.

Excellent stuff!