
For an application I need the following line in my location block:

rewrite ".*" /server.php break;

This causes certbot to fail to verify the domain. To install the SSL cert I commented out that line and certbot worked fine. Now the issue is that renewal is automated and will fail if I uncomment the line.

Is there a way to have a dedicated location just for Let's Encrypt's verification? If so, what?

Here is the full block with the problem line commented:

location / { 
    try_files $uri $uri/ =404; 
    fastcgi_pass unix:/run/php/php7.1-fpm.sock;
    include fastcgi_params;
    fastcgi_param USE_INSTANCE 'd1';
    fastcgi_param SCRIPT_FILENAME $request_filename;
    #rewrite ".*" /server.php break; 
}

If you wonder why I am not limiting the match pattern to ~ \.php$, it is because the config belongs to my api.host.com endpoint which will only receive requests that need to be routed to a PHP script.

Majid Fouladpour

1 Answer


I created a separate location block for certbot.

location /.well-known/acme-challenge/ {
    root /var/www;
    try_files $uri =404;
}

(Note that I use the same document root for every virtual host, which is outside the normal document root, so certbot is never writing anything to the web sites' actual directories.)

Michael Hampton
  • After posting the question I tried `sudo certbot renew --dry-run` (with the line uncommented) and it worked. It may be because on renewal, there is no verification, or because with `--dry-run` the process is just *faked*. So, maybe there is no need for a change, but I'm not sure. – Majid Fouladpour Apr 14 '18 at 03:04
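Putting the answer together with the question's config, here is a full server block as an added example (editor's illustration, not the answer's or the asker's own configuration). The server name, the PHP document root `/var/www/api`, the socket path and the `USE_INSTANCE` parameter are carried over or assumed from the question; the shared challenge root `/var/www` is the one the answer uses. The security-relevant detail is the `^~` modifier: nginx picks the longest matching prefix location before it evaluates any regex locations, and `^~` makes that choice final, so a `location ~ ...` added later can never hijack the challenge path. Because location selection happens before the directives inside `location /` run, the catch-all `rewrite ... break` never sees an HTTP-01 request. Let's Encrypt fetches the token over plain HTTP on port 80, so this block must live in the port-80 server, not only in the TLS one.

```nginx
# Added example: api.host.com with a dedicated ACME challenge location
# alongside the catch-all PHP rewrite from the question. Paths, socket and
# server_name are assumptions carried over from the thread.
server {
    listen 80;
    server_name api.host.com;

    # Document root for the PHP application (assumed). $request_filename in
    # the location below resolves to $root + /server.php after the rewrite.
    root /var/www/api;

    # HTTP-01 challenge files. "^~" = longest-prefix match wins and no regex
    # location is consulted afterwards, so this cannot be shadowed later.
    # "root /var/www" is the directory certbot writes into, e.g.
    #   certbot certonly --webroot -w /var/www -d api.host.com
    # so /var/www/.well-known/acme-challenge/<token> is served for
    # http://api.host.com/.well-known/acme-challenge/<token>.
    # No fastcgi_pass here: the token is served as a static file.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www;
        try_files $uri =404;
    }

    # Everything else goes to server.php through PHP-FPM (from the question).
    # The rewrite is evaluated in the rewrite phase, before fastcgi_pass,
    # regardless of where it appears in the block; "break" keeps the request
    # in this location with the new URI /server.php.
    location / {
        rewrite ".*" /server.php break;
        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
        include fastcgi_params;
        fastcgi_param USE_INSTANCE 'd1';
        fastcgi_param SCRIPT_FILENAME $request_filename;
    }
}
```

To check the routing before touching a real renewal, run `nginx -t` and reload, drop a file such as `/var/www/.well-known/acme-challenge/test` containing `ok`, and fetch `http://api.host.com/.well-known/acme-challenge/test` with `curl -i`: the body must be `ok` with a 200, not the output of `server.php`. Remove the test file afterwards. Fetching any other path, for example `/anything`, should still reach `server.php`.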