My nginx.conf file is as follows:
```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
# the above include brings in the following default files:
# 50-mod-http-image-filter.conf
# 50-mod-http-xslt-filter.conf
# 50-mod-mail.conf
# 50-mod-stream.conf

events {
    worker_connections 500;
}

http {
    include /etc/nginx/proxy.conf;
    limit_req_zone $binary_remote_addr zone=one:10m rate=100r/m;
    server_tokens off;
    sendfile on;
    keepalive_timeout 30;
    client_body_timeout 10; client_header_timeout 10; send_timeout 10;

    upstream myapp {
        server 127.0.0.1:5000;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name myapi.com;
        ssl_certificate /etc/letsencrypt/live/myapi.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/myapi.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        # Proxies all traffic to the upstream app (name must match the upstream block above)
        location / {
            proxy_pass http://myapp;
            limit_req zone=one burst=10;
        }
    }
}
```
I installed certbot and certbot-nginx (Ubuntu).
SSL is working fine. The firewall only allows port 443.
I am trying to renew the certbot certificate with the command: `sudo certbot renew --dry-run`
This tries to verify that I own the domain by making a request to `http://myapi.com/.well-known/acme-challenge/2d8dvxv8x9dvxd9v` (note: I have obfuscated the key value `2d8dvxv8x9dvxd9v` as this is something private).
But this times out. So I have enabled port 80 and added the following additional server block:
```nginx
server {
    listen 80;
    server_name myapi.com;
    return 301 https://$host$request_uri;
}
```
Now the certbot renew command (`sudo certbot renew --dry-run`) is able to renew the certificate. Strangely, even if I remove this server block, the certbot renewal works fine.
Where is the `.well-known/acme-challenge` path? Is it generated/deleted on the fly?
When I remove the server block for port 80, how is nginx able to renew the certificate (because it needs port 80 for the certbot challenge)?
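As an added example, not part of the question above or of certbot's own output: the port-80 server block written out explicitly, so that the ACME HTTP-01 challenge files are served over plain HTTP from a fixed webroot while every other request is still redirected to HTTPS. The webroot path `/var/www/certbot` is an assumed value; the domain is the one from the question.

```nginx
# Added example, not the config from the question. Serves HTTP-01 challenge
# files from a webroot (assumed path /var/www/certbot) and redirects the rest.
server {
    listen 80;
    listen [::]:80;
    server_name myapi.com;

    # The validator fetches the challenge over plain HTTP on port 80; the
    # blanket redirect below would otherwise send it to port 443, so the
    # challenge path needs its own, more specific location (^~ wins over
    # any regex locations that might be added later).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type text/plain;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this block in place, `sudo nginx -t && sudo systemctl reload nginx` followed by `sudo certbot renew --dry-run` exercises the challenge path in a way that does not depend on the nginx plugin inserting and removing a temporary challenge location in the running config; the file under `/.well-known/acme-challenge/` only exists for the duration of a validation, which is why it is not found in the config afterwards. The certificate itself must be issued or re-issued with the webroot authenticator (`certbot certonly --webroot -w /var/www/certbot -d myapi.com`) for later `certbot renew` runs to use that directory.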