Score:0

How to allow certbot to be able to access http://myapi.com/.well-known/acme-challenge/2d8dvxv8x9dvxd9v via nginx?


My nginx.conf file is as follows:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf; 
#the above include brings in the following default files:
#50-mod-http-image-filter.conf  
#50-mod-http-xslt-filter.conf  
#50-mod-mail.conf  
#50-mod-stream.conf

events {
        worker_connections 500;
}

http {
    include        /etc/nginx/proxy.conf;
    limit_req_zone $binary_remote_addr zone=one:10m rate=100r/m;
    server_tokens  off;

    sendfile on;
    keepalive_timeout   30;
    client_body_timeout 10; client_header_timeout 10; send_timeout 10;

    upstream myapp{
        server 127.0.0.1:5000;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name myapi.com;
        ssl_certificate /etc/letsencrypt/live/myapi.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/myapi.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;


        #Redirects all traffic
        location / {
            proxy_pass http://myapi;
            limit_req  zone=one burst=10;
        }
    }
}

I installed certbot and certbot-nginx (Ubuntu).

SSL is working fine. Firewall only allows port 443.

I am trying to renew the certbot certificate with the command: `sudo certbot renew --dry-run`

This tries to verify that I own the domain by making a request to http://myapi.com/.well-known/acme-challenge/2d8dvxv8x9dvxd9v (note: I have obfuscated the key value 2d8dvxv8x9dvxd9v as this is something private)

But this times out. So I have enabled port 80 and added the following additional server item:

    server {
        listen 80;
        server_name myapi.com;
        return 301 https://$host$request_uri;
    }

Now the certbot renew command (`sudo certbot renew --dry-run`) is able to renew the certificate. Strangely, even if I remove this server block, the certbot renewal works fine.

  1. Where is the .well-known/acme-challenge path? Is it generated/deleted on the fly?

  2. When I remove the server block for port 80, how is nginx able to renew the certificate (because it needs port 80 for the certbot challenge)?

Gerard H. Pille: Let the server on port 80 only answer requests for /.well-known/acme-challenge. Your site will be safer if you don't redirect http to https.

OP: But what is the location of `/.well-known/acme-challenge`?

Gerard H. Pille: The document root of your nginx server. I seem to remember certbot asking where to put it.

OP: Is there any config where I can check this?

Gerard H. Pille: Of course: your nginx config. Isn't the default /var/www/html? Look for a "root" directive in your configuration, or the "p" command-line parameter when starting nginx.

OP: Not sure - I have pasted the contents of my nginx.conf file in the question - it says nothing about /var/www/html.

Gerard H. Pille: You've pasted nginx.conf, but not the included configurations. Check "man nginx". It says that /usr/share/nginx is the default. I have the root directive in my configs pointing to /var/www/html.

OP: Yes, just checked this now, "man nginx" says that /usr/share/nginx is the default. But where did you check the following please? `I have the root directive in my configs pointing to /var/www/html`

Gerard H. Pille: By searching the files in /etc/nginx. I found "./sites-available/default: root /var/www/html;"

OP: As shown in my nginx.conf file contents, there is no include of sites-available/default - I think this indicates that my default is /usr/share/nginx.

Gerard H. Pille: certbot will create the file, remove it when done. You could check the modification date of the directory afterwards.

OP: Ok, makes sense. So can I change this line `return 301 https://$host$request_uri;` to `location / { root /usr/share/nginx; }`?

OP: Bit surprised with my finding that if I remove the 2nd server (that listens on 80), even then the certbot renewal works. So I don't need the 2nd server block at all. But I wonder then how certbot is able to access the endpoint. This is confusing me.

Gerard H. Pille: Perhaps http://myapi is supplying the acme-challenge? Or you forgot to restart nginx?

Gerard H. Pille: "location / { root /usr/share/nginx; }" would allow access to everything under /usr/share/nginx.

OP: I did a system reboot as well; the certbot renewal works (it looks like all it needs is port 80 to be open on the firewall). I also removed all server code blocks and the certbot renewal still works.

Gerard H. Pille: Then something's missing from your config. What does /etc/nginx/proxy.conf contain?

OP: I'm surprised too. `proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffers 32 4k;`

OP: Certbot may be spinning up its own server momentarily, but I cannot find any references for this.

Gerard H. Pille: So, how do you run certbot? When I run it, it asks if I want to use an existing server or if it has to start one. I don't know what happens with "dry-run".

Gerard H. Pille: Correction: I'm not using certbot myself, I'm using "certbot-auto".

OP: This is the renew command: `sudo certbot renew --dry-run`

Gerard H. Pille: Not really, that is a test to see if the renew will work. In the meantime I've read certbot's documentation. Starting its own webserver must be the default. Check "man certbot".

OP: If you wish to amend the answer then I can mark it as answered.

Gerard H. Pille: I'll give it a try. But still, since you only ran "dry-run", you're still using an old certificate?

OP: Dry run simulates the actual process.

Gerard H. Pille: "--dry-run Perform a test run of the client, obtaining test (invalid) certificates but not saving them to disk."

OP: Yes, it's an assurance that when the renew command auto-runs via the scheduler (either from the auto cron job or via the auto systemd service) there will be no surprises.
Score:1

You need a firewall that allows access on port 80 (http); certbot will start a webserver to supply the acme-challenge file from your domain.

OP: I have done so and it's working. I have updated the question with the challenge.

OP: I only want to serve the https requests and block all http requests, other than the certbot renewal. What is the change I need to make to the nginx.conf?

Gerard H. Pille: You could also tell the firewall to drop port 80 requests when certbot has run. Much better than having nginx deal with it.
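An added example, not from the question or the answer, of the port-80 server block the comments suggest: it answers only ACME http-01 requests under /.well-known/acme-challenge/ and closes every other plain-HTTP connection instead of redirecting it to HTTPS. It assumes the webroot authenticator, where certbot writes the token file into a directory you choose (/var/www/letsencrypt is a path picked for this example, not one from the page) and removes it when the challenge is done, and it reuses the question's placeholder hostname myapi.com. With the standalone authenticator described in the answer, certbot binds port 80 itself for the duration of the challenge, so nginx needs no port-80 server at all and only the firewall rule matters.

```nginx
# Added example (not from the question or answer): a minimal HTTP listener
# that exists only to satisfy ACME http-01 validation.
server {
    listen 80;
    listen [::]:80;
    server_name myapi.com;   # placeholder hostname from the question

    # certbot (webroot authenticator) creates
    # <webroot>/.well-known/acme-challenge/<token> before validation and
    # deletes it afterwards; serve exactly that path prefix and nothing else.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot, must match certbot's -w
        default_type "text/plain";
        try_files $uri =404;         # no fallback into the upstream app
    }

    # Everything else on port 80: close the connection without a response.
    # 444 is nginx-specific and avoids advertising a redirect target.
    location / {
        return 444;
    }
}
```

Create the directory, run `nginx -t` and reload, then issue or re-issue the certificate once with `certbot certonly --webroot -w /var/www/letsencrypt -d myapi.com`; that records `authenticator = webroot` and the webroot path in /etc/letsencrypt/renewal/myapi.com.conf, so later `certbot renew --dry-run` runs use this block rather than starting their own listener.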