Score:0

Server

How to allow certbot to be able to access http://myapi.com/.well-known/acme-challenge/2d8dvxv8x9dvxd9v via nginx?

variable

6/16/23, 8:08 AM

My nginx.conf file is as follows:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf; 
#the above include brings in the following default files:
#50-mod-http-image-filter.conf  
#50-mod-http-xslt-filter.conf  
#50-mod-mail.conf  
#50-mod-stream.conf

events {
        worker_connections 500;
}

http {
    include        /etc/nginx/proxy.conf;
    limit_req_zone $binary_remote_addr zone=one:10m rate=100r/m;
    server_tokens  off;

    sendfile on;
    keepalive_timeout   30;
    client_body_timeout 10; client_header_timeout 10; send_timeout 10;

    upstream myapp{
        server 127.0.0.1:5000;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name myapi.com;
        ssl_certificate /etc/letsencrypt/live/myapi.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/myapi.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;


        #Redirects all traffic
        location / {
            proxy_pass http://myapi;
            limit_req  zone=one burst=10;
        }
    }
}

I installed the certbot and certbot-nginx (ubuntu).

SSL is working fine. Firewall only allows port 443.

I am trying to renew the certbot certificate with command: sudo certbot renew --dry-run

This tries to verify that I own the domain by making a request to http://myapi.com/.well-known/acme-challenge/2d8dvxv8x9dvxd9v (note: I have obfuscated the key value 2d8dvxv8x9dvxd9v as this is something private)

But this time's out. So I have enabled port 80 and added the following additional server item:

   server {
         listen 80;
         server_name myapi.com;
         return 301 https://$host$request_uri;
      }

Now the certbot renew command (sudo certbot renew --dry-run) is able to renew the certificate. Strangely, even if I remove this server block, the certbot renewal works fine.

Where is the .well-known/acme-challenge path? Is it generated/deleted on the fly?
When I remove the server block for port 80, then how is nginx able to renew certificate (because it needs the port 80 for the certbot challenge)?

85

0 + 0

nginx

certbot

Gerard H. Pille

6/16/23, 10:09 AM

Let the server on port 80 only answer requests for /.well-known/acme-challenge. Your site will be safer if you don't redirect http to https.

0

Reply

variable

6/16/23, 10:11 AM

But what is the location of `/.well-known/acme-challenge`?

0

Reply

Gerard H. Pille

6/16/23, 10:14 AM

The documentroot of your nginx server. I seem to remember certbot asking where to put it.

0

Reply

variable

6/16/23, 10:21 AM

Is there any config where I can check this?

0

Reply

Gerard H. Pille

6/16/23, 10:26 AM

Of course: your nginx config. Isn't the default /var/www/html ? Look for a "root" directive in your configuration, or the "p" commandline parameter when starting nginx.

0

Reply

variable

6/16/23, 10:29 AM

Not sure - I have pasted the contents on my nginx.conf file in the question - it says nothing about /var/www/html

0

Reply

Gerard H. Pille

6/16/23, 10:33 AM

You've pasted nginx.conf, but not the included configurations. Check "man nginx". It says that /usr/share/nginx is the default. I have the root directive in my configs pointing to /var/www/html.

0

Reply

variable

6/16/23, 10:37 AM

Yes, just checked this now, "man nginx" says that /usr/share/nginx is the default. But where did you check the following please? `I have the root directive in my configs pointing to /var/www/html`

0

Reply

Gerard H. Pille

6/16/23, 10:42 AM

By searching the files in /etc/nginx. I found "./sites-available/default: root /var/www/html;"

0

Reply

variable

6/16/23, 10:43 AM

As shown in my nginx.config file contents, there is no include of the sites-available/default - I think this indicates that my default is /usr/share/nginx

0

Reply

Gerard H. Pille

6/16/23, 10:47 AM

certbot will create the file, remove it when done. You could check the modification date of the directory afterwards.

0

Reply

variable

6/16/23, 10:54 AM

Ok makes sense. So can I change this line `return 301 https://$host$request_uri;` to `location / { root /usr/share/nginx; }`.

0

Reply

variable

6/16/23, 11:24 AM

Bit surprised with my finding that if I remove the 2nd server (that listens on 80), even then the certbot renewal works. So I don't need the 2nd server block at all. But I wonder then how does certbot is able to access the endpoint. This is confusing me.

0

Reply

Gerard H. Pille

6/16/23, 12:13 PM

Perhaps http://myapi is supplying the acme-challenge? Or you forgot to restart nginx?

0

Reply

Gerard H. Pille

6/16/23, 12:15 PM

"location / { root /usr/share/nginx; }" would allow access to everything under /usr/share/nginx.

0

Reply

variable

6/16/23, 12:48 PM

I did a system reboot aswell the certbot renewal works (It looks like all it needs to port 80 to be open on firewall). I also removed all server code blocks and the certbot renewal still works.

0

Reply

Gerard H. Pille

6/16/23, 2:21 PM

Then something's missing from your config. What does /etc/nginx/proxy.conf contain?

0

Reply

variable

6/16/23, 2:23 PM

I'm surprised too. `proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffers 32 4k;`

0

Reply

variable

6/16/23, 2:24 PM

Certbot maybe spining up its own server momentarily but I cannot find any references for this.

0

Reply

Gerard H. Pille

6/16/23, 2:48 PM

So, how do you run certbot? When I run it, it asks if I want to use an existing server or if it has to start one? I don't know what happens with "dry-run".

0

Reply

Gerard H. Pille

6/16/23, 3:01 PM

Correction: I'm not using certbot myself, I'm using "certbot-auto".

0

Reply

variable

6/16/23, 3:17 PM

This is the renew command `sudo certbot renew --dry-run`

0

Reply

Gerard H. Pille

6/16/23, 4:41 PM

Not really, that is a test to see if the renew will work. In the mean time I've read certbot's documentation. Starting its own webserver must be the default. Check "man certbot".

0

Reply

variable

6/16/23, 5:16 PM

If you wish to amend the answer then I can mark is answered.

0

Reply

Gerard H. Pille

6/16/23, 5:36 PM

I'll give it a try. But still, since you only ran "dry-run", you're still using an old certificate?

0

Reply

variable

6/16/23, 5:48 PM

Dry run simulates the actual process

0

Reply

Gerard H. Pille

6/16/23, 5:59 PM

"--dry-run Perform a test run of the client, obtaining test (invalid) certificates but not saving them to disk."

0

Reply

variable

6/16/23, 6:15 PM

Yes it's an assurance that when the renew command auto runs via scheduler (either from the auto cron job or via the auto systemd service) then there will be no surprises.

0

Reply

Score:1

Server

Gerard H. Pille

6/16/23, 10:01 AM

You need a firewall that allows access on port 80 (http), certbot will start a webserver to supply the acme-challenge file from your domain.

0 + 0

variable

6/16/23, 10:04 AM

I have done so and its working, I have updated the question with the challenge.

0

Reply

variable

6/16/23, 10:05 AM

I only want to serve the https requests and block all http requests, other than the certbot renewal. What is the change I need to make to the nginx.config?

0

Reply

Gerard H. Pille

6/16/23, 10:12 AM

You could also tell the firewall to drop port 80 requests when certbor has run. Much better than having nginx deal with it.

0

Reply