We are using the package GitHub - smart48/le-ssl-laravel-package: Let's Encrypt Laravel Package to get Let's Encrypt SSL certificates. The issue we are having is that, for some reason, we hit 404s on the ACME challenge most of the time.
Nginx Access Log
34.217.253.81 - - [13/Apr/2023:04:28:48 +0200] "HEAD /shared/storage/tls/challenges/app.com; HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18"
or
49.12.186.96 - - [13/Apr/2023:03:48:57 +0200] "GET /.well-known/acme-challenge/ ppnsxM20S4loT7LYIOea_o3dY_k2x61QAidBv3ymvEg HTTP/1.1" 404 146 "-" "stonemax-acme2/1.0.4"
Laravel logs
Error by package failing to get challenge done:
Illuminate\Queue\MaxAttemptsExceededException: Imagewize\SslManager\Jobs\UpdateCertificate
has been attempted too many times or run too long. The job may have previously timed out.
in /home/ploi/app.com/releases/5/vendor/laravel/framework/src/Illuminate/Queue/Worker.php:746
Command used
Currently we have the command
php artisan ssl-controller:update-certificate site.com
Certificate updating requested.
The domain's DNS will be set to point to our server in advance, and we wait for propagation.
Main API Nginx
The main server where all requests wind up is:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/app.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .app.com;
    root /home/ploi/app.com/current/public;

    ssl_certificate /etc/nginx/ssl/certificates/app.com.crt;
    ssl_certificate_key /etc/nginx/ssl/certificates/app.com.key;
    client_max_body_size 1024M;
    # include /etc/nginx/ssl/app.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Content-Type-Options "application/json";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/app.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log /var/log/nginx/app.com-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
        fastcgi_read_timeout 300;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    #Bugsnag crossorigin
    location ~ \.js {
        add_header Access-Control-Allow-Origin "*";
    }

    #modulesettings remove cache
    location /modulesettings/ {
        expires 0;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/app.com/after/*;
Custom directory for confs
In /etc/nginx/nginx.conf we added
include /home/ploi/app.com/shared/storage/tls/sites.d/*.conf;
Example conf to load challenge
so that new configs, like the one below for a new site, get loaded.
Initially, this configuration file is generated:
server {
    listen 80;
    listen [::]:80;
    server_name newsite.com;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        alias /home/ploi/app.com/shared/storage/tls/challenges/newsite.com;
    }

    # Reset connection
    location / {
        return 444;
    }
}
Conf Post Challenge
Then it should load the ACME challenge... and update the Nginx config to be like:
server {
    listen 80;
    listen [::]:80;
    server_name newsite.com;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        alias /home/ploi/app.com/shared/storage/tls/challenges/newsite.com;
    }

    # Redirect to HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name newsite2.com;
    root /home/ploi/app.com/current/public;

    ssl_certificate /home/ploi/app.com/shared/storage/tls/le-storage/b7bd877f/rsa/certificate-fullchained.crt;
    ssl_certificate_key /home/ploi/app.com/shared/storage/tls/le-storage/b7bd877f/rsa/private.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

    # Disable SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/ploi/app.com/shared/storage/tls/le-storage/b7bd877f/rsa/certificate-fullchained.crt;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    access_log off;
    error_log /var/log/nginx/newsite.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }
}
But more often than not it fails with a 404, or with too many attempts at the challenge.
How to debug Let's Encrypt Challenge failures here?
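One way to narrow a 404 on the HTTP-01 path down to "file not where nginx looks" versus "request not reaching this server block" is a pre-flight check that reproduces what the CA fetches. The script below is an added example, not code from the original post or from le-ssl-laravel-package; it assumes the `location /.well-known/acme-challenge` + `alias` pair from the generated conf above (nginx serves an aliased prefix location from alias + the part of the URI after the matched prefix), uses a constructed token and thumbprint, and writes to a temporary directory by default, so point it at the real challenge directory on the server to use it for real.

```python
import os
import posixpath
import tempfile
import urllib.error
import urllib.request

LOCATION = "/.well-known/acme-challenge"   # prefix location from the posted config


def resolve_alias(request_path, location, alias_dir):
    """Path nginx serves for request_path under an aliased prefix location:
    the matched prefix is replaced by the alias (nginx normalises '..' first)."""
    clean = posixpath.normpath(request_path)
    if not clean.startswith(location):
        return None
    return alias_dir + clean[len(location):]


def check_on_disk(token, key_authz, alias_dir):
    """Simulate the CA's GET for <LOCATION>/<token> against the filesystem.
    Returns 'ok', '404' (file missing, the failure in the post) or 'wrong-body'."""
    path = resolve_alias(f"{LOCATION}/{token}", LOCATION, alias_dir)
    if path is None or not os.path.isfile(path):
        return "404"
    with open(path) as f:
        return "ok" if f.read().strip() == key_authz else "wrong-body"


def check_over_http(domain, token, key_authz, timeout=5):
    """Live check: fetch the token over plain HTTP exactly as the CA does and
    compare the body. Needs network; the offline demo below does not call it."""
    req = urllib.request.Request(f"http://{domain}{LOCATION}/{token}", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok" if resp.read().decode().strip() == key_authz else "wrong-body"
    except urllib.error.HTTPError as e:
        return str(e.code)   # e.g. "404": the server block or file is not in place


def demo(challenge_dir=None):
    """Write a constructed token the way the package would, then verify it."""
    challenge_dir = challenge_dir or tempfile.mkdtemp()   # constructed stand-in directory
    token = "constructed-token"                           # placeholder, not a real ACME token
    key_authz = token + ".constructed-thumbprint"         # key authorization = token.thumbprint
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as f:
        f.write(key_authz)
    return (check_on_disk(token, key_authz, challenge_dir),
            check_on_disk("missing-token", key_authz, challenge_dir))


if __name__ == "__main__":
    # Real path from the post: /home/ploi/app.com/shared/storage/tls/challenges/newsite.com
    print(demo())
```

If the on-disk check passes but the live fetch still returns 404 from nginx's own error page rather than Laravel's, the request is landing in a server block that does not carry the alias location; `nginx -T` shows whether the sites.d conf was actually loaded.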