Hi all, thanks for your help
My domain is: lebichani.fr
I ran this command: sudo certbot renew --post-hook "systemctl reload nginx"
It produced this output:
Processing /etc/letsencrypt/renewal/lebichani.fr.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lebichani.fr
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (lebichani.fr ) from /etc/letsencrypt/renewal/lebichani.fr.conf produced an unexpected error: Failed authorization procedure. lebichani.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 92.159.196.199: Invalid response from https://lebichani.fr/.well-known/acme-challenge/XJAnT3AgsN8vmS-y9lGFd2HlZVctG-YcP4d9tiEQcGo: 403. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lebichani.fr/fullchain.pem (failure)
The following certs are not due for renewal yet:
/etc/letsencrypt/live/ebenisterieabc.fr/fullchain.pem expires on 2023-03-27 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lebichani.fr/fullchain.pem (failure)
Running post-hook command: systemctl reload nginx
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
My web server is (include version): nginx/1.14.2
The operating system my web server runs on is (include version): raspbian 10.13
My hosting provider, if applicable, is: hosted from home
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0
1 Like
Hello @kamekool , welcome to the Let's Encrypt community.
I would have expected file not found instead of this:
$ curl -Ii http://lebichani.fr/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 22 Feb 2023 16:18:42 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://lebichani.fr/.well-known/acme-challenge/sometestfile
$ curl -k -Ii https://lebichani.fr/.well-known/acme-challenge/sometestfile
HTTP/2 403
server: nginx/1.14.2
date: Wed, 22 Feb 2023 16:18:46 GMT
content-type: text/html; charset=UTF-8
set-cookie: oc9r04yskf4q=ckt7trv3bjta5u670ou1rg8mgr; path=/; secure; HttpOnly; SameSite=Strict
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=fmB3B4T%2Fm3RjpZIRiZrEqtO%2FygpkVcbh4txV6oryWBIDRY0e9qp0hvfmVluZHRZOSHJAMR839Zo1Sd2sOUlg2brlWUp0JKMqLs0qdJNBMfje1dBJ%2F57n2G6GiN%2BmRdYC; expires=Wed, 22-Feb-2023 16:38:46 GMT; Max-Age=1200; path=/; secure; HttpOnly; SameSite=Strict
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
kamekool:
0.31.0
Also, that is an old version of Certbot; check Certbot 2.3.0 Release.
3 Likes
rg305
February 22, 2023, 5:09pm
3
That looks like the webroot being used is incorrect OR the nginx
configuration has been altered since the last renewal.
We should have a look at both:
the renewal config file: /etc/letsencrypt/renewal/lebichani.fr.conf
the complete nginx config: nginx -T
3 Likes
Thanks for your replies
Below the /etc/letsencrypt/renewal/lebichani.fr.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/lebichani.fr
cert = /etc/letsencrypt/live/lebichani.fr/cert.pem
privkey = /etc/letsencrypt/live/lebichani.fr/privkey.pem
chain = /etc/letsencrypt/live/lebichani.fr/chain.pem
fullchain = /etc/letsencrypt/live/lebichani.fr/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 8201d37a665ee7986281b4c25b2f7299
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
post_hook = systemctl reload nginx
[[webroot_map]]
lebichani.fr = /var/www/owncloud
and nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/php-fpm.conf:
# configuration file /etc/nginx/sites-enabled/abc.conf:
upstream php-wp {
server unix:/var/run/abc.sock;
}
server {
listen 80;
listen [::]:80;
server_name ebenisterieabc.fr;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /var/www/abc;
index index.php;
ssl_certificate /etc/letsencrypt/live/ebenisterieabc.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ebenisterieabc.fr/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 1440m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security max-age=31536000;
location / {
try_files $uri $uri/ /index.php?$args;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ .php$ {
include fastcgi.conf;
fastcgi_pass php-wp;
}
location ~* .(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
}
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/nginx/sites-enabled/owncloud.conf:
upstream php-handler {
#server 127.0.0.1:9000;
server unix:/run/php/php7.4-fpm.sock;
}
server {
listen 80;
server_name lebichani.fr;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name lebichani.fr;
ssl_certificate /etc/letsencrypt/live/lebichani.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lebichani.fr/privkey.pem;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
root /var/www/owncloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
client_max_body_size 512M;
fastcgi_buffers 64 4K;
gzip off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
access_log off;
}
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
access_log off;
}
}
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
rg305
February 22, 2023, 7:28pm
5
The HTTP challenge requests are being forwarded to HTTPS:
server {
listen 80;
server_name lebichani.fr;
return 301 https://$server_name$request_uri;
}
The HTTPS challenge request is being redirected to a PHP page:
location / {
rewrite ^ /index.php$uri;
}
=
The challenge fails.
4 Likes
Ok I see.
How am I to change that correctly, I'm not really an expert.
Do I just remove the redirection ?
rg305
February 22, 2023, 8:22pm
7
I'd leave the redirection.
But add an exclusion to bypass redirection for the ACME challenge requests.
[and also include the same root path as used by the webroot settings]
3 Likes
rg305:
ACME challenge
I tried to add this in the http section
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
and this in /etc/nginx/snippets/letsencrypt-acme-challenge.conf:
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/owncloud;
break;
}
location = /.well-known/acme-challenge/ {
return 404;
}
But no difference when renewing cert
MikeMcQ
February 22, 2023, 9:19pm
9
Those locations don't look quite right. Try:
server {
listen 80;
listen [::]:80;
server_name lebichani.fr;
location /.well-known/acme-challenge/ {
root /var/www/owncloud;
}
location / {
return 301 https://$host$request_uri;
}
}
You should really add a listen for IPv6 too since your other server blocks have that.
5 Likes
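The two findings above (rg305: the port-80 block returns a redirect for every request; MikeMcQ: a /.well-known/acme-challenge/ location has to be matched before that redirect, with the same root that certbot writes to) can be checked mechanically. The script below is an added example for this thread, not code from certbot, nginx or any poster: it walks an nginx config with a small brace parser, finds every server block listening on port 80 and reports the conditions that make an http-01 token unservable. It also goes one step beyond the thread and compares the challenge location's effective root (inherited from the server block when the location sets none) with the webroot from the renewal conf. The three sample configs are constructed here: the original owncloud.conf port-80 block, MikeMcQ's replacement, and a hypothetical variant with a wrong root.

```python
"""Check nginx port-80 server blocks for the http-01 failure pattern in this thread.

Added example, not part of the thread. Comments are stripped and quoted values
are split on whitespace, which is sufficient for listen / server_name /
location / return / root directives.
"""
import re

ACME_PATH = "/.well-known/acme-challenge/"
WEBROOT = "/var/www/owncloud"  # value of [[webroot_map]] in the renewal conf


def parse_nginx(text):
    """Parse nginx config text into a list of (args, children) entries.

    children is None for a simple directive and a nested list for a block.
    """
    text = re.sub(r"#[^\n]*", "", text)
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        items, args = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                items.append((args, None))
                args = []
            elif tok == "{":
                items.append((args, block()))
                args = []
            elif tok == "}":
                break
            else:
                args.append(tok)
        return items

    return block()


def _args(block, name):
    """Argument tokens of every simple directive called `name` directly in `block`."""
    return [a for d, c in block if c is None and d[:1] == [name] for a in d[1:]]


def port80_servers(tree):
    """Yield every server block that listens on port 80 (recursing into http {})."""
    for args, children in tree:
        if children is None:
            continue
        if args[:1] == ["server"]:
            if any(re.search(r"(^|:)80$", a) for a in _args(children, "listen")):
                yield children
        else:
            yield from port80_servers(children)


def check_server(block, webroot):
    """Problems that would make an http-01 challenge fail for one port-80 block."""
    label = ",".join(_args(block, "server_name")) or "(no server_name)"
    problems = []
    # A server-level return runs before location matching, so no location can help.
    if _args(block, "return"):
        problems.append(f"{label}: server-level 'return' redirects every request, the token is never served")
    acme = [c for d, c in block if c is not None and d[:1] == ["location"] and ACME_PATH in d]
    if not acme:
        problems.append(f"{label}: no location block for {ACME_PATH} on port 80")
        return problems
    # The location's root, falling back to the server-level root nginx would inherit.
    root = (_args(acme[0], "root") or _args(block, "root") or ["(none)"])[0]
    if root.rstrip("/") != webroot.rstrip("/"):
        problems.append(f"{label}: challenge root {root} differs from certbot webroot {webroot}")
    return problems


def check_config(text, webroot):
    """All problems across port-80 blocks; an empty list means the token path is servable."""
    servers = list(port80_servers(parse_nginx(text)))
    if not servers:
        return ["no server block listens on port 80; http-01 needs one"]
    problems = []
    for s in servers:
        problems.extend(check_server(s, webroot))
    return problems


# Constructed sample 1: the port-80 block of owncloud.conf as posted in the thread.
BEFORE = """
server {
    listen 80;
    server_name lebichani.fr;
    return 301 https://$server_name$request_uri;
}
"""

# Constructed sample 2: MikeMcQ's suggested block, wrapped in http {} as nginx -T shows it.
AFTER = """
http {
    server {
        listen 80;
        listen [::]:80;
        server_name lebichani.fr;
        location /.well-known/acme-challenge/ { root /var/www/owncloud; }
        location / { return 301 https://$host$request_uri; }
    }
}
"""

# Constructed sample 3 (hypothetical): challenge location present but inheriting the wrong root.
MISMATCH = """
server {
    listen 80;
    server_name lebichani.fr;
    root /var/www/html;
    location ^~ /.well-known/acme-challenge/ { default_type text/plain; }
    location / { return 301 https://$host$request_uri; }
}
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("mismatch", MISMATCH)):
        print(name, check_config(cfg, WEBROOT) or ["ok"])
```

To run it against a live box, feed it the output of nginx -T and the webroot_map value from the renewal conf; anything it reports for the port-80 block of the failing name is where the 301/403 in the certbot log comes from.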
rg305
February 22, 2023, 9:20pm
10
I'd try creating the full challenge path and placing a test text file in that location.
To see if it can be reached from the Internet.
[before continuing to test actual renewal requests]
4 Likes
Bruce5051:
server: nginx/1.14.2
Also there are fresher versions of nginx nginx: download
1 Like
OK so I tried to put a test file
https://lebichani.fr/.well-known/acme-challenge/test.txt
This is not accessible, permissions look like this :
drwxr-xr-x 3 www-data www-data 4,0K févr. 22 16:08 .well-known
maybe something to do with the .htaccess from owncloud ?
<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_lsapi.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
</IfModule>
<IfModule mod_env.c>
# Add security and privacy related headers
Header unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
Header unset X-XSS-Protection
Header always set X-XSS-Protection "0"
Header unset X-Robots-Tag
Header always set X-Robots-Tag "none"
Header unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
Header unset X-Download-Options
Header always set X-Download-Options "noopen"
Header unset X-Permitted-Cross-Domain-Policies
Header always set X-Permitted-Cross-Domain-Policies "none"
SetEnv modHeadersAvailable true
</IfModule>
# Let browsers cache CSS, JS files for half a year
<FilesMatch "\.(css|js)$">
Header unset Cache-Control
Header always set Cache-Control "max-age=15778463"
</FilesMatch>
# Let browsers cache WOFF files for a week
<FilesMatch "\.woff$">
Header unset Cache-Control
Header always set Cache-Control "max-age=604800"
</FilesMatch>
</IfModule>
<IfModule mod_php5.c>
php_value always_populate_raw_post_data -1
php_value upload_max_filesize 513M
php_value post_max_size 513M
php_value memory_limit 512M
php_value mbstring.func_overload 0
php_value default_charset 'UTF-8'
php_value output_buffering 0
<IfModule mod_env.c>
SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_php7.c>
php_value upload_max_filesize 513M
php_value post_max_size 513M
php_value memory_limit 512M
php_value mbstring.func_overload 0
php_value default_charset 'UTF-8'
php_value output_buffering 0
<IfModule mod_env.c>
SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates|changelog)/.* - [R=404,L]
RewriteRule ^core/signature\.json - [R=404,L]
RewriteRule ^(?:core/skeleton)/.* - [R=404,L]
RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
ErrorDocument 403 /owncloud/core/templates/403.php
ErrorDocument 404 /owncloud/core/templates/404.php
rg305
February 23, 2023, 10:29am
14
I don't see anything wrong with that .htaccess file.
Are there any clues in nginx access.log or error.log files?
2 Likes
rg305:
nginx access.log
with a tail -f:
> [IP] - - [23/Feb/2023:11:05:35 +0000] "GET /.well-known/acme-challenge/test.txt HTTP/2.0" 403 6531 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0"
and the error.log:
> 2023/02/23 11:06:23 [error] 9630#9630: *90991 access forbidden by rule, client: [IP], server: lebichani.fr, request: "GET /.well-known/acme-challenge/test.txt HTTP/2.0", host: "lebichani.fr"
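The access.log and error.log lines above are exactly what to triage when a challenge fails: the status code tells which stage blocked the token, and nginx's error.log names the rule for a 403. The script below is an added example, not from the thread or from nginx: it parses constructed log lines in the same formats as those posted (the IP replaced by the documentation address 203.0.113.5), keeps only requests for /.well-known/acme-challenge/, and labels each one with the likely cause, joining a 403 to its error.log reason by client IP and path.

```python
"""Triage nginx access/error log lines for ACME http-01 challenge requests.

Added example, not part of the thread. Log formats follow nginx's default
'combined' access log and the default error log, as posted above.
"""
import re

ACME_PREFIX = "/.well-known/acme-challenge/"

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ERROR_RE = re.compile(
    r'^(?P<time>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>.*?), '
    r'client: (?P<ip>\S+), server: (?P<server>\S+), '
    r'request: "(?P<method>\S+) (?P<path>\S+) [^"]+"'
)


def triage(access_lines, error_lines):
    """Return (path, status, verdict) for every ACME challenge request seen."""
    # error.log reasons keyed by (client, path) so a 403 can be explained
    reasons = {}
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m:
            reasons[(m["ip"], m["path"])] = m["msg"]

    findings = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or not m["path"].startswith(ACME_PREFIX):
            continue
        status = int(m["status"])
        if status == 200:
            verdict = "ok: token served"
        elif status in (301, 302, 307, 308):
            verdict = "redirected: a return/rewrite fires before the challenge location"
        elif status == 403:
            verdict = "forbidden: " + reasons.get((m["ip"], m["path"]), "no matching error.log entry")
        elif status == 404:
            verdict = "not found: token missing under the webroot nginx serves"
        else:
            verdict = f"unexpected status {status}"
        findings.append((m["path"], status, verdict))
    return findings


UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0"

# Constructed access.log lines: the port-80 redirect, the 403 from the thread,
# a 404 (location in place but no file), a 200 after the fix, and an unrelated hit.
ACCESS = [
    f'203.0.113.5 - - [23/Feb/2023:11:05:34 +0000] "GET {ACME_PREFIX}test.txt HTTP/1.1" 301 185 "-" "{UA}"',
    f'203.0.113.5 - - [23/Feb/2023:11:05:35 +0000] "GET {ACME_PREFIX}test.txt HTTP/2.0" 403 6531 "-" "{UA}"',
    f'203.0.113.5 - - [23/Feb/2023:11:40:02 +0000] "GET {ACME_PREFIX}test.txt HTTP/1.1" 404 153 "-" "{UA}"',
    f'203.0.113.5 - - [23/Feb/2023:11:41:10 +0000] "GET {ACME_PREFIX}test.txt HTTP/1.1" 200 12 "-" "{UA}"',
    f'203.0.113.5 - - [23/Feb/2023:11:41:30 +0000] "GET /index.php HTTP/2.0" 200 4501 "-" "{UA}"',
]

# Constructed error.log line in the format posted above.
ERRORS = [
    '2023/02/23 11:06:23 [error] 9630#9630: *90991 access forbidden by rule, client: 203.0.113.5, '
    f'server: lebichani.fr, request: "GET {ACME_PREFIX}test.txt HTTP/2.0", host: "lebichani.fr"',
]

if __name__ == "__main__":
    for path, status, verdict in triage(ACCESS, ERRORS):
        print(status, path, "->", verdict)
```

On a real box the same function can be fed `tail -n 200 /var/log/nginx/access.log` and error.log; a 301 for the token path means the port-80 block is still redirecting, and "access forbidden by rule" points at a deny-all location that matched before the challenge location did.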
rg305
February 23, 2023, 1:02pm
16
kamekool:
access forbidden by rule
You must find this rule and change it.
2 Likes
I tried to add your rules in the http part, it worked !
Thanks a lot
1 Like
MikeMcQ
February 23, 2023, 2:08pm
19
Good. I can see your test.txt file now but using http: instead of https: (like it should)
And, I see your server is using a new cert from today. Very nice.
3 Likes
Thanks.
How can it be using https then? Because it didn't work when the rule was in the https section on this host.
1 Like
MikeMcQ
February 23, 2023, 10:13pm
21
The ACME HTTP Challenge always arrives on port 80 (http). You can redirect it to another http or https location. But, unless redirection is needed for some reason, it is best to process the challenge when it first arrives. (more details here)
All other requests to HTTP should be redirected to HTTPS. Which is what my suggested location blocks did. And, of course, regular requests can first come into HTTPS.
3 Likes