
My nginx.conf file is as follows:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
# the above include brings in the following default files:
# 50-mod-http-image-filter.conf
# 50-mod-http-xslt-filter.conf
# 50-mod-mail.conf
# 50-mod-stream.conf

events {
    worker_connections 500;
}

http {
    include        /etc/nginx/proxy.conf;
    limit_req_zone $binary_remote_addr zone=one:10m rate=100r/m;
    server_tokens  off;

    sendfile on;
    keepalive_timeout   30;
    client_body_timeout 10; client_header_timeout 10; send_timeout 10;

    # The upstream name must match the proxy_pass target used below.
    upstream myapi {
        server 127.0.0.1:5000;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name myapi.com;
        ssl_certificate /etc/letsencrypt/live/myapi.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/myapi.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        # Proxies all traffic to the upstream, rate-limited per client address
        location / {
            proxy_pass http://myapi;
            limit_req  zone=one burst=10;
        }
    }
}

I installed certbot and certbot-nginx (Ubuntu).

SSL is working fine. Firewall only allows port 443.

I am trying to renew the certbot certificate with the command: sudo certbot renew --dry-run

This tries to verify that I own the domain by making a request to http://myapi.com/.well-known/acme-challenge/2d8dvxv8x9dvxd9v (note: I have obfuscated the key value 2d8dvxv8x9dvxd9v as this is something private)

But this times out. So I have enabled port 80 and added the following additional server block:

    server {
        listen 80;
        server_name myapi.com;
        return 301 https://$host$request_uri;
    }

Now the certbot renew command (sudo certbot renew --dry-run) is able to renew the certificate. Strangely, even if I remove this server block, the certbot renewal works fine.

  1. Where is the .well-known/acme-challenge path? Is it generated/deleted on the fly?

  2. When I remove the server block for port 80, then how is nginx able to renew certificate (because it needs the port 80 for the certbot challenge)?

variable
  • Let the server on port 80 only answer requests for /.well-known/acme-challenge. Your site will be safer if you don't redirect http to https. – Gerard H. Pille Feb 16 '22 at 10:09
  • But what is the location of `/.well-known/acme-challenge`? – variable Feb 16 '22 at 10:11
  • The documentroot of your nginx server. I seem to remember certbot asking where to put it. – Gerard H. Pille Feb 16 '22 at 10:14
  • Is there any config where I can check this? – variable Feb 16 '22 at 10:21
  • Of course: your nginx config. Isn't the default /var/www/html ? Look for a "root" directive in your configuration, or the "p" commandline parameter when starting nginx. – Gerard H. Pille Feb 16 '22 at 10:26
  • Not sure - I have pasted the contents on my nginx.conf file in the question - it says nothing about /var/www/html – variable Feb 16 '22 at 10:29
  • You've pasted nginx.conf, but not the included configurations. Check "man nginx". It says that /usr/share/nginx is the default. I have the root directive in my configs pointing to /var/www/html. – Gerard H. Pille Feb 16 '22 at 10:33
  • Yes, just checked this now, "man nginx" says that /usr/share/nginx is the default. But where did you check the following please? `I have the root directive in my configs pointing to /var/www/html` – variable Feb 16 '22 at 10:37
  • By searching the files in /etc/nginx. I found "./sites-available/default: root /var/www/html;" – Gerard H. Pille Feb 16 '22 at 10:42
  • As shown in my nginx.config file contents, there is no include of the sites-available/default - I think this indicates that my default is /usr/share/nginx – variable Feb 16 '22 at 10:43
  • certbot will create the file, remove it when done. You could check the modification date of the directory afterwards. – Gerard H. Pille Feb 16 '22 at 10:47
  • Ok makes sense. So can I change this line `return 301 https://$host$request_uri;` to `location / { root /usr/share/nginx; }`. – variable Feb 16 '22 at 10:54
  • Bit surprised with my finding that if I remove the 2nd server (that listens on 80), even then the certbot renewal works. So I don't need the 2nd server block at all. But I wonder then how certbot is able to access the endpoint. This is confusing me. – variable Feb 16 '22 at 11:24
  • Perhaps http://myapi is supplying the acme-challenge? Or you forgot to restart nginx? – Gerard H. Pille Feb 16 '22 at 12:13
  • "location / { root /usr/share/nginx; }" would allow access to everything under /usr/share/nginx. – Gerard H. Pille Feb 16 '22 at 12:15
  • I did a system reboot as well; the certbot renewal works (it looks like all it needs is port 80 to be open on the firewall). I also removed all server code blocks and the certbot renewal still works. – variable Feb 16 '22 at 12:48
  • Then something's missing from your config. What does /etc/nginx/proxy.conf contain? – Gerard H. Pille Feb 16 '22 at 14:21
  • I'm surprised too. `proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffers 32 4k;` – variable Feb 16 '22 at 14:23
  • Certbot is maybe spinning up its own server momentarily, but I cannot find any references for this. – variable Feb 16 '22 at 14:24
  • So, how do you run certbot? When I run it, it asks if I want to use an existing server or if it has to start one? I don't know what happens with "dry-run". – Gerard H. Pille Feb 16 '22 at 14:48
  • Correction: I'm not using certbot myself, I'm using "certbot-auto". – Gerard H. Pille Feb 16 '22 at 15:01
  • This is the renew command `sudo certbot renew --dry-run` – variable Feb 16 '22 at 15:17
  • Not really, that is a test to see if the renew will work. In the meantime I've read certbot's documentation. Starting its own webserver must be the default. Check "man certbot". – Gerard H. Pille Feb 16 '22 at 16:41
  • If you wish to amend the answer then I can mark it as answered. – variable Feb 16 '22 at 17:16
  • I'll give it a try. But still, since you only ran "dry-run", you're still using an old certificate? – Gerard H. Pille Feb 16 '22 at 17:36
  • Dry run simulates the actual process – variable Feb 16 '22 at 17:48
  • "--dry-run Perform a test run of the client, obtaining test (invalid) certificates but not saving them to disk." – Gerard H. Pille Feb 16 '22 at 17:59
  • Yes it's an assurance that when the renew command auto runs via scheduler (either from the auto cron job or via the auto systemd service) then there will be no surprises. – variable Feb 16 '22 at 18:15
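The port-80 server block the comments converge on, as an added example that is not part of the question or the answer: it serves only /.well-known/acme-challenge/ from a dedicated webroot (assumed here to be /var/www/letsencrypt) and redirects or drops everything else, so plain HTTP exposes nothing beyond the challenge files and does not expose a whole directory such as /usr/share/nginx.

```nginx
# Added example, not from the original question or answer.
# Assumptions: domain myapi.com, challenge webroot /var/www/letsencrypt
# (create it with: mkdir -p /var/www/letsencrypt/.well-known/acme-challenge).
server {
    listen 80;
    listen [::]:80;
    server_name myapi.com;

    # The only path answered over plain HTTP. Certbot's webroot
    # authenticator writes the token file under
    # <webroot>/.well-known/acme-challenge/ and deletes it afterwards
    # (run it as: certbot renew --webroot -w /var/www/letsencrypt).
    # "^~" stops any regex location from taking over this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        # Serve existing files only: no directory listing, no fallbacks.
        try_files $uri =404;
    }

    # Nothing else is served on port 80. Either redirect to HTTPS, or
    # use "return 444;" instead to close the connection without a reply.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Test it with `nginx -t` and then `curl -i http://myapi.com/.well-known/acme-challenge/test` after placing a file named test in the challenge directory; any other path should return the 301 (or no response with 444).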

1 Answer

You need a firewall that allows access on port 80 (http), certbot will start a webserver to supply the acme-challenge file from your domain.

Gerard H. Pille
  • I have done so and it's working, I have updated the question with the challenge. – variable Feb 16 '22 at 10:04
  • I only want to serve the https requests and block all http requests, other than the certbot renewal. What is the change I need to make to the nginx.config? – variable Feb 16 '22 at 10:05
  • You could also tell the firewall to drop port 80 requests when certbot has run. Much better than having nginx deal with it. – Gerard H. Pille Feb 16 '22 at 10:12