Service provider wanted for help

Are there service providers here who would help us to switch from http to https.
Our server is in-house, with a fixed IP, certificate is available.
thanks

We as vendor are offering custom workshops for that, however, just for switching to HTTPs this may be overkill because the minimum amount we sell is 4 hours. Would be perfect if you have more questions or things in terms of Zammad.

You can contact sales [at] zammad [dot] com if you’re interested.
Other service providers may be able to help too, please however note that we currently have no partnership program or something of that sort so there’s no “experts” our certified persons next to us.

(That’s mostly a wording thing in most situations though)

Hi there,

Thanks for the answer.
I thought maybe there is someone here who can help me to switch from 80 to 443 via remote maintenance and to integrate the certificate.
maybe someone will contact me :slight_smile:

best regards
Mario

Hello MarioZa,

What issue are you running into?
Because this is really very easy to do. I mean, if you managed to install Zammad, then installing the SSL certificate is really the easiest part.

By default, Zammad uses Nginx as webserver.
If you’re running Debian or Ubuntu, make sure certbot is installed (apt install certbot)
Make sure both port 80 and 443 are forwarded to your Zammad server (if you’re using NAT, if the server is on a public IP, both ports need to be open).
Then run:
certbot --nginx -d zammad.example.org

On the first run, you need to enter some details and answer some questions.
It will then automatically install a certificate and also schedule the renewal.
It’ll use an official Let’s Encrypt certificate (they’re free) that is trusted by all browsers.

Hello, thanks for the answer.

Yes I use debian and nginx.

I installed the certbot application,
but when I enter the command certbot --nginx -d support.mydomain.de, the following error message comes up: "Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed "

this in the Logfile

(…)
2021-12-06 11:02:38,367:DEBUG:certbot._internal.main:certbot version: 1.12.0

2021-12-06 11:02:38,368:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot

2021-12-06 11:02:38,368:DEBUG:certbot._internal.main:Arguments: [’–nginx’, ‘-d’, ‘support.mydomain.de’]

2021-12-06 11:02:38,368:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)

2021-12-06 11:02:38,401:DEBUG:certbot._internal.log:Root logging level set at 20

2021-12-06 11:02:38,402:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

2021-12-06 11:02:38,404:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx

2021-12-06 11:02:38,405:DEBUG:certbot._internal.plugins.selection:No candidate plugin

2021-12-06 11:02:38,405:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer None

(…)

what is still missing here?

Many greetings

You’re missing the correct certbot plugin.
Our documentation at Configure the webserver — Zammad documentation actually hints you what to do:

You’re missing the Nginx plugin.
Please install it using:
sudo apt install python3-certbot-nginx

Hi there,

I’ve installed everything, the queries come, but at the end this error message comes up.
I checked the A record, everything is fine
What else can it be?

(…)
The following errors were reported by the server:

Domain: support.mydomain.de
Type: unauthorized
Detail: Invalid response from
http://support.tooth-media.de/.well-known/acme-challenge/BOPs_BOXHmbp2dfOysYS2gxxxxxxxxxbXUxrwj0_q8
[80.xxx.2xx.49]: "{“error”:“No route matches [GET]
/.well-known/acme-challenge/BOPs_BOXHmbp2dfOysYS2xxxxxxbXUxrwj0_q8”,“error_human”:“No
rout”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
(…)

many greetings

It seems you have some kind of reverse proxy in place…?
Then the certificate needs to be installed on that proxy.
Or you don’t have port 80 forwarded to the Zammad server.

Did you configure this yourself, or did someone else do this for you?

Hi,

we installed the server ourselves,
what we changed was only that the zammad server runs on port 8080.
the input port is 80 and is routed by the firewall to port 8080 via port forwarding.
We have changed the port in the zammad.conf file:
(…)
server {
listen 8080;
listen [::]: 8080;
(…)
could the fault be here?

Many greetings

Yes, that is indeed the problem.
All verifications from Let’s Encrypt are done over port 80 only. Let’s Encrypt does not support verification over a different port.

You have two options:

  1. make sure that port 80 works and connects to the Zammad server.
    If you do that, the certificate will renew automatically every three months.

  2. Use DNS verification instead
    In this case, you need to create a DNS-record and you need to manually do that again every three months. You don’t need port 80 to work.

I’ll try the first … first have to write back all conf and change the FW, I’ll get back to you right away.

thanks first of all.

Hi rowdy,

do you have the original “zammad.conf”?
i think i have mistakes in there now. :relieved:
I now get the error message:

Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] invalid port in “[::]:” of the “listen” directive in /etc/nginx/sites-enabled/zammad.conf:15

nginx: configuration file /etc/nginx/nginx.conf test failed

this comes in line 15 …
server {
listen 80;
listen [::]: 80;

Make sure listen directive is updated as follows (this must be placed between server { … } directives ) :

# listen to all IPv4 and IPv6 interfaces for port 80
# IPv4
listen :80;
# IPv6
listen [::]:80;

See https://www.cyberciti.biz/faq/nginx-ipv6-configuration/
( I have nothing to do with that company, they just provide a nice FAQ/manual)

In your case, I believe the space on the line [::]:80 should not be there.
I mean no space before the number 80.

Hi,
great that worked now … :+1: :+1:

but when I call up zammad now, unfortunately only the welcome to nginx comes up! page :frowning:
what still has to be changed here?

Thank you for your patience :innocent:

Did you perhaps delete / change the ‘root’-line?

(goes between the server tags as well)

root /opt/zammad/public;

And of course there are many, many more lines in the zammad.conf file
The original file is here:

That file doesn’t include the SSL-lines of course, but certbot will add them automatically for you.

Hello,

my zammad.conf is identical to this one, i only have that
“server_name localhost” changed to “support.mydomain.de

but in the directory: / etc / nginx / sites-enabled / there is also a “default” file in addition to zammad.conf ?!
this file contains all my ssl data such as my domain etc. ???

:see_no_evil:

The original ssl version of the file you’re looking for can be found here:

What surprised me is the message that came after creating the certificate with certbot:
"Deploying Certificate to VirtualHost / etc / nginx / sites-enabled / default
Redirecting all traffic on port 80 to ssl in / etc / nginx / sites-enabled / default "

Please try removing the (default, no host name) port 80 binding from default.conf?
It should prevent the default site from showing up and give you an error (not found or something similar) instead.
If that happens, then at least you know everything is forwarded correctly and it’s just Nginx not ‘understanding’ which site it needs to serve.

Also, don’t forget to reload Nginx after changing any of the config files (sudo nginx reload) otherwise, changes won’t be executed.

If you get the error message: then either the URL is not entered correctly or you are using a different URL in the browser and because of that, Nginx is (or rather: was) serving the default site instead of Zammad.