trying to issue a cert and getting the following issue.
domain in question is staging.flutter.tours
The command I run : ./acme.sh --issue -d staging.flutter.tours -w /usr/share/nginx/html
The error I see: staging.flutter.tours:Verify error:Invalid response from https://staging.flutter.tours/.well-known/acme-challenge/sB7PXIrlNqAKD7uS5PU5A7_cqbsNWbEDJP4kZxxpWQM
It looks like you have some kind of reverse proxying setup happening in nginx, so you need to exclude that URL from the proxying.
Something like:
location /.well-known/acme-challenge/ {
root /usr/share/nginx/html;
}
and reload nginx.
where do I put that in the nginx conf file? In both http and https sections?
Either one should work. I usually put it in the HTTP block to avoid unnecessary redirects.
Thanks. So making progress.
Im now seeing this.... i tried to run it with sudo and then acme spit out a link and I went to the link and it said "dont do that".
[Sat Feb 13 01:27:18 UTC 2021] Changing owner/group of .well-known to root:root
[Sat Feb 13 01:27:18 UTC 2021] chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/Y8pndb4_Ke4v6sfANxV_CP1QPzfoi_Eu5MpE96whgUM’: Operation not permitted
chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/7zA3B4p3P6Unz7dZbKWKBQzJnWt5fxpGZhZpB1lvCIQ’: Operation not permitted
chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/sB7PXIrlNqAKD7uS5PU5A7_cqbsNWbEDJP4kZxxpWQM’: Operation not permitted
chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/BsOne8G2R6LvsgPHrfjTfvnMM5o2M9mUEt4ifeF5-LI’: Operation not permitted
chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/9mQ3sdYsiIT4sVo0ETUxmypPogGrlgDCRnM3BULV18o’: Operation not permitted
chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge’: Operation not permitted
chown: changing ownership of ‘/usr/share/nginx/html/.well-known’: Operation not permitted
What user are you running acme.sh as?
its an ec2 instance so ec2-user.
Well, I've always been of the opinion that it makes sense to run acme.sh as root. It needs to be able to reload your webserver after a certificate renewal, which is a privileged operation. Without root, you need to do a bunch of other things to make it work.
The wiki page describes how can you can escalate to root (sudo su and then run acme.sh) without breaking acme.sh. That's what I would do personally.
Thanks.
Well... the permission issues have gone away... but its still throwing the following. I dont see any other obvious bad things up stream in the log. And unfortunately its such a generic error.
[Sat Feb 13 02:13:11 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/10819736205/s6YqbQ'
[Sat Feb 13 02:13:11 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Feb 13 02:13:11 UTC 2021] _ret='0'
[Sat Feb 13 02:13:11 UTC 2021] code='200'
[Sat Feb 13 02:13:11 UTC 2021] **staging.flutter.tours:Verify error:Invalid response from https://staging.flutter.tours/.well-known/acme-challenge/fOpMZCnoZBBe-c-tT_aeGi7BZ3hnZ1Od_BrUS1byj-E
Are you sure you added the changes to nginx?
If you did, I would expect that the below request would result in a 404, not a 301 redirect:
$ curl -i staging.flutter.tours/.well-known/acme-challenge/xx
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 13 Feb 2021 02:22:50 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://staging.flutter.tours/.well-known/acme-challenge/xx
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
Could you post the HTTP block from nginx?
Hey! I got past that issue. Thanks for all the help.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.