[solved] SuiteCRM not accessible via https after update

Hi everybody!

After today’s update (which also updated letsencrypt app), it’s not possible anymore to access SuiteCRM (in the docker container) with https.
I can access via http://myhost.example.com/suitecrm, but not with https://myhost.example.com/suitecrm. When doing so, I get this error message:
The requested URL /suitecrm/ was not found on this server.

I also get this error message when I stop the docker container.

/etc/apache2/sites-enabled/default-ssl.conf:

<IfModule mod_ssl.c>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
        SSLCACertificateFile /etc/univention/letsencrypt/chained.pem
        SSLCertificateChainFile /etc/univention/letsencrypt/intermediate.pem

        #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        ### To enable special log format for HTTPS-access
        # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
        # CustomLog /var/log/apache2/access.log combinedssl     ## with port number

        ProxyPass /suitecrm https://127.0.0.1:40001/suitecrm retry=0
        ProxyPassReverse /suitecrm https://127.0.0.1:40001/suitecrm

</VirtualHost>
</IfModule>

This looks exactly like the last backup.

/etc/apache2/sites-enabled/000-default.conf:

<VirtualHost *:80>
	IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf

	ProxyPass /suitecrm http://127.0.0.1:40000/suitecrm retry=0
	ProxyPassReverse /suitecrm http://127.0.0.1:40000/suitecrm

</VirtualHost>

# ps aux | grep docker
root      1341  0.0  0.5 500552 48336 ?        Ssl  01:16   0:02 /usr/bin/dockerd -H fd:// --storage-driver=overlay --live-restore --bip=172.17.42.1/16
root      1366  0.0  0.1 293296 11888 ?        Ssl  01:16   0:01 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --shim docker-containerd-shim --runtime docker-runc
root      2128  0.0  0.0  50672  2448 ?        Sl   01:16   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 40001 -container-ip 172.17.0.1 -container-port 443
root      2149  0.0  0.0  55504  3312 ?        Sl   01:16   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 40000 -container-ip 172.17.0.1 -container-port 80
root      2156  0.0  0.0 209720  3800 ?        Sl   01:16   0:00 docker-containerd-shim 5daf24aa6c0de166fef2b50cd470c867d0cdc0fae8b1bb05ee7bf79e44341c44 /var/run/docker/libcontainerd/5daf24aa6c0de166fef2b50cd470c867d0cdc0fae8b1bb05ee7bf79e44341c44 docker-runc

Any hints or help would be greatly appreciated!

Thanks in advance!

Hello @matthias.koerner,

thank you for the feedback. For the update I assume you refer to the errata updates from Wednesday and the Let’s encrypt app update from yesterday. There was no update for SuiteCRM though.

This looks like the rewrite of the mentioned apache2 configuration default-ssl.conf wrote the wrong reverse proxy configuration for SuiteCRM.

Can you please manually change your default-ssl.conf for the Proxy* entries to:

  ProxyPass /suitecrm http://127.0.0.1:40001/suitecrm retry=0
  ProxyPassReverse /suitecrm http://127.0.0.1:40001/suitecrm

What does your system say after a service apache2 reload when you access SuiteCRM via HTTPS?

Best regards,
Nico

Hello @gulden,

thanks for the quick reply!

Unfortunately, the error stays the same:

Not Found
The requested URL /suitecrm/ was not found on this server.

Apache/2.4.25 (Univention) Server at myhost.example.com Port 443

Yes, I was referring to your mentioned errata and Let’s encrypt updates.

Just a quick guess, it says /suitecrm/ (with trailing slash) not found. How about /suitecrm without trailing slash?

We have identified an issue with yesterday’s let’s encrypt App update. The Proxy directives for Docker Apps are not correctly included in the new let’s encrypt VirtualHost configuration, so Docker Apps cannot be reached when accessed via the domain configured for the App.

We have removed the App update for now and are working on a solution as well as a workaround for users that already installed the update.

1 Like
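
A check for the condition described in the post above, as an added example that is not part of the original thread and not Univention's code: it parses Apache `<VirtualHost>` blocks and reports every TLS vhost that lacks a `ProxyPass` path which a plain-HTTP vhost serves. The sample configuration is constructed (the broken let's encrypt vhost is not shown in the thread), the function names are hypothetical, and `IncludeOptional` files are not followed, so pass in the concatenated text of the files in play.

```python
import re

# Constructed sample (not from the thread): the HTTP vhost proxies /suitecrm,
# while a separately generated HTTPS vhost carries no Proxy directives.
SAMPLE = """\
<VirtualHost *:80>
    ProxyPass /suitecrm http://127.0.0.1:40000/suitecrm retry=0
    ProxyPassReverse /suitecrm http://127.0.0.1:40000/suitecrm
</VirtualHost>
<VirtualHost *:443>
    ServerName myhost.example.com
    SSLEngine on
    # ProxyPass /suitecrm http://127.0.0.1:40000/suitecrm
</VirtualHost>
"""

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: address, ServerName, TLS flag, proxied paths."""
    vhosts, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # commented-out directives do not count
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"addr": opened.group(1).strip(), "name": None, "tls": False, "paths": set()}
        elif re.match(r"</VirtualHost>", line, re.I):
            if cur is not None:
                vhosts.append(cur)
            cur = None
        elif cur is not None:
            name = re.match(r"ServerName\s+(\S+)", line, re.I)
            proxy = re.match(r"ProxyPass\s+(\S+)\s+\S+", line, re.I)  # skips ProxyPassReverse
            if name:
                cur["name"] = name.group(1)
            elif proxy:
                cur["paths"].add(proxy.group(1))
            elif re.match(r"SSLEngine\s+on\b", line, re.I):
                cur["tls"] = True
    return vhosts

def missing_https_proxies(text):
    """List (addr, ServerName, paths) for TLS vhosts lacking a path a plain-HTTP vhost proxies."""
    vhosts = parse_vhosts(text)
    wanted = set().union(*(v["paths"] for v in vhosts if not v["tls"]))
    return [(v["addr"], v["name"], sorted(wanted - v["paths"]))
            for v in vhosts if v["tls"] and wanted - v["paths"]]
```

An empty result means every proxied path on port 80 is also proxied in each TLS vhost; a non-empty one names the vhost that would answer "Not Found" for that path.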

We are working on an update for the let’s encrypt app which should fix this problem.
It should be released today or early next week.
The issue is tracked at https://forge.univention.org/bugzilla/show_bug.cgi?id=48492

Sorry for the inconvenience

no workaround available?

Hello @gulden, @damrose, @Brodersen!

Okay wow, it’s only been about 10 hours since my report and as I can see in the Bugzilla, you’ve already created a fix and tested it internally. This is fantastic and really great and fast work! Thank you!

I’ll test it when it’s publicly available and will report!

Enjoy your weekend!

We just released an update for the let’s encrypt App. Please update to App Version 1.2.2-8 to get the fixed version, although we also uploaded fixed packages to the previously removed App.

Users that update from now on will automatically install the most recent App version and should not encounter any issues with accessing their Docker Apps.

That fixed it for me, thank you! :slight_smile:
