Adding a subdomain

That didn't resolve like that before. I think they took my advice and since added a CNAME for that www.sandbox subdomain.

Because unboundtest.com also resolves the CAA query properly now too - no SERVFAIL

3 Likes

I added a sandbox2.rpiweather.net to my server but did not add a CNAME. I can reach that site, so it seems the CNAME isn't needed as you pointed out.

My question now is this: Should I (1) delete the *.rpiweather.net records and keep CNAMES that point to rpiweather.net, or (2) delete all the CNAMES and let the wild card records redirect all subdomains to rpiweather.net?

1 Like

I would do (2).

2 Likes

I would too, but I would also remove your DNSSEC.

I suggested the CNAME for your www.sandbox.rpiweather.net domain as a work-around since it was getting SERVFAIL from the Let's Encrypt server and unboundtest.com.

So, just removing the CNAMEs will probably bring that error back.

2 Likes

I removed the CNAME DNS records but I kept the DNSSEC enabled because it is required for some webhook POST requests that originate on a server in the Netherlands (some EU rule?).

But, once I did that I get a clean certbot dry run result:

pi@HomeAutomation:~ $  sudo certbot certonly --dry-run --webroot -w /var/www/sandbox.rpiweather.net -d sandbox.rpiweather.net,www.sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for sandbox.rpiweather.net and www.sandbox.rpiweather.net
Performing the following challenges:
http-01 challenge for sandbox.rpiweather.net
http-01 challenge for www.sandbox.rpiweather.net
Using the webroot path /var/www/sandbox.rpiweather.net for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.
pi@HomeAutomation:~ $

I also ran the unboundtest.com on sandbox.rpiweather.net and didn't see any "SERVFAIL" errors:
unbound-2024-04-19.txt (626.4 KB)

Having made these changes am I OK to proceed with obtaining a cert for the sandbox.rpiweather.net subdomain? If yes, which command should I run? (I don't want to be experimenting lest I mangle things up again).

1 Like

^^ same command - just without the "--dry-run"

Then show:
certbot certificates

2 Likes

I got this:

pi@HomeAutomation:~ $ sudo certbot certonly  --webroot -w /etc/nginx -d sandbox.rpiweather.net,www.sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for sandbox.rpiweather.net and www.sandbox.rpiweather.net
Performing the following challenges:
http-01 challenge for www.sandbox.rpiweather.net
Using the webroot path /etc/nginx for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.sandbox.rpiweather.net
http-01 challenge for www.sandbox.rpiweather.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.sandbox.rpiweather.net
   Type:   unauthorized
   Detail: 2600:4040:5050:ce00:d6c2:fe84:f82f:13a7: Invalid response
   from
   http://www.sandbox.rpiweather.net/.well-known/acme-challenge/EXv9-Fu7CddEDfc3-DjDBUY9szqd7HIQmOImS3ydNZM:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
pi@HomeAutomation:~ $
pi@HomeAutomation:~ $ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: rpiweather.net
    Serial Number: 349d764bbce954fcc7e2aa5ee51e3d9291a
    Key Type: RSA
    Domains: rpiweather.net www.rpiweather.net
    Expiry Date: 2024-06-22 20:08:59+00:00 (VALID: 63 days)
    Certificate Path: /etc/letsencrypt/live/rpiweather.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/rpiweather.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
pi@HomeAutomation:~ $

And when I drop the www.sandbox.rpiweather.net I got this:

pi@HomeAutomation:~ $ sudo certbot certonly  --webroot -w /etc/nginx -d sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for sandbox.rpiweather.net

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sandbox.rpiweather.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sandbox.rpiweather.net/privkey.pem
   Your certificate will expire on 2024-07-19. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

pi@HomeAutomation:~ $ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: rpiweather.net
    Serial Number: 349d764bbce954fcc7e2aa5ee51e3d9291a
    Key Type: RSA
    Domains: rpiweather.net www.rpiweather.net
    Expiry Date: 2024-06-22 20:08:59+00:00 (VALID: 63 days)
    Certificate Path: /etc/letsencrypt/live/rpiweather.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/rpiweather.net/privkey.pem
  Certificate Name: sandbox.rpiweather.net
    Serial Number: 37aff6da84c82b45a037a4cf5415ed45bb0
    Key Type: RSA
    Domains: sandbox.rpiweather.net
    Expiry Date: 2024-07-19 02:02:33+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sandbox.rpiweather.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sandbox.rpiweather.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
pi@HomeAutomation:~ $

And oddly enough sandbox.rpiweather.net works and www.sandbox.rpiweather.net works as well.

This is my nginx config file for sandbox.rpiweather.net:

# sudo certbot certonly --dry-run --webroot -w /etc/nginx -d sandbox.rpiweather.net,www.sandbox.rpiweather.net

server {
       listen 80;
       listen [::]:80;
       server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;

       # ACME Challenges use this root folder (from your old https server block)
       location /.well-known/acme-challenge/ {
         root /var/www/sandbox.rpiweather.net;
       }

       # All other requests get redirected to https
       location / {
          return 301 https://$host$request_uri;
       }
}

server {
       listen 443 ssl;
       listen [::]:443 ssl;

       server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;

       root /var/www/sandbox.rpiweather.net;
       index index.html;

       # RSA certificate
       ssl_certificate     /etc/letsencrypt/live/sandbox.rpiweather.net/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/sandbox.rpiweather.net/privkey.pem; # managed by Certbot

       #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

       location / {
               try_files $uri $uri/ =404;
       }
}

Does this mean all is well and I should just drop the www.sandbox.rpiweather.net from the certbot command? Any issues with renewals?

Using Windows 10 Firefox 125.0.1 (64-bit) I do not find that to be true.

Since @Bruce5051 didn't see that, I think you might be having a browser adaptation where the browser automatically accepts a certificate mismatch based on removing the www automatically. I think Chrome does this and Firefox doesn't.

1 Like

This is bad practice:

It is the same path as the root directory of the HTTPS vhost.

1 Like

You used the wrong -w folder path in the above command again.

Below was the one that worked earlier.

But of course omit --dry-run to get a production cert now

1 Like

Please show the entire nginx config with the output of:

nginx -T

1 Like

Ah ha, that was the problem!

I reran using the correct root folder and got this:

pi@HomeAutomation:~ $ sudo certbot certonly  --webroot -w /var/www/sandbox.rpiweather.net  -d sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/sandbox.rpiweather.net.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for sandbox.rpiweather.net

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sandbox.rpiweather.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sandbox.rpiweather.net/privkey.pem
   Your certificate will expire on 2024-07-19. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

pi@HomeAutomation:~ $ sudo certbot certonly  --webroot -w /var/www/sandbox.rpiweather.net  -d sandbox.rpiweather.net,www.sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/sandbox.rpiweather.net.conf)

It contains these names: sandbox.rpiweather.net

You requested these names for the new certificate: sandbox.rpiweather.net,
www.sandbox.rpiweather.net.

Did I do that right?

I get this:

pi@HomeAutomation:~ $ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip.conf:
load_module modules/ngx_stream_geoip_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

# configuration file /etc/nginx/sites-enabled/rpiweather.net:
server {
       listen 80;
       listen [::]:80;
       server_name rpiweather.net www.rpiweather.net;

       # ACME Challenges use this root folder (from your old https server block)
       location /.well-known/acme-challenge/ {
         root /var/www/rpiweather.net;
       }

       # All other requests get redirected to https
       location / {
          return 301 https://$host$request_uri;
       }
}

server {
       listen 443 ssl;
       listen [::]:443 ssl;

       server_name rpiweather.net www.rpiweather.net;

       root /var/www/rpiweather.net;
       index index.html;

       # RSA certificate
       ssl_certificate /etc/letsencrypt/live/rpiweather.net/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/rpiweather.net/privkey.pem; # managed by Certbot

       #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

       location / {
               try_files $uri $uri/ =404;
       }
}

# configuration file /etc/nginx/sites-enabled/sandbox.rpiweather.net:
# sudo certbot certonly --dry-run --webroot -w /etc/nginx -d sandbox.rpiweather.net,www.sandbox.rpiweather.net

server {
       listen 80;
       listen [::]:80;
       server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;

       # ACME Challenges use this root folder (from your old https server block)
       location /.well-known/acme-challenge/ {
         root /var/www/sandbox.rpiweather.net;
       }

       # All other requests get redirected to https
       location / {
          return 301 https://$host$request_uri;
       }
}

server {
       listen 443 ssl;
       listen [::]:443 ssl;

       server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;

       root /var/www/sandbox.rpiweather.net;
       index index.html;

       # RSA certificate
       ssl_certificate     /etc/letsencrypt/live/sandbox.rpiweather.net/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/sandbox.rpiweather.net/privkey.pem; # managed by Certbot

       #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

       location / {
               try_files $uri $uri/ =404;
       }
}

# configuration file /etc/nginx/sites-enabled/sandbox2.rpiweather.net:
# sudo certbot certonly --dry-run --webroot -w /etc/nginx -d sandbox.rpiweather.net,www.sandbox.rpiweather.net

server {
       listen 80;
       listen [::]:80;
       server_name sandbox2.rpiweather.net www.sandbox2.rpiweather.net;

       # ACME Challenges use this root folder (from your old https server block)
       location /.well-known/acme-challenge/ {
         root /var/www/sandbox2.rpiweather.net;
       }

       # All other requests get redirected to https
       location / {
          return 301 https://$host$request_uri;
       }
}

server {
       listen 443 ssl;
       listen [::]:443 ssl;

       server_name sandbox2.rpiweather.net www.sandbox2.rpiweather.net;

       root /var/www/sandbox2.rpiweather.net;
       index index.html;

       # RSA certificate
       #ssl_certificate /etc/letsencrypt/live/sandbox.rpiweather.net/fullchain.pem; # managed by Certbot
       #ssl_certificate_key /etc/letsencrypt/live/sandbox.rpiweather.net/privkey.pem; # managed by Certbot

       #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

       location / {
               try_files $uri $uri/ =404;
       }
}

pi@HomeAutomation:~ $

The only thing I would change is this folder misuse/overlap:

  • the HTTP vhosts are using, for the challenge requests, the same folder as the HTTPS vhost root directory

HTTP vhosts:

HTTPS vhosts:

FIX

The challenge folder should be ONLY for the challenge files.
Set those to some unique folder.
[they can all use the same folder]

1 Like
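A pre-flight check for the two problems raised in this thread (the `-w` path not matching the `root` nginx serves for `/.well-known/acme-challenge/`, and that challenge root being the same folder as the HTTPS site root). This is an added example, not code from the thread, certbot or nginx; the sample config is constructed to mirror the sandbox vhost shown above, and the parser only handles flat vhost files like those (no nested includes or regex locations).

```python
"""Check certbot --webroot -w PATH against what nginx actually serves.

Feed it `nginx -T` output (or the constructed SAMPLE_CONF below) and it
reports, per domain, which directory nginx uses for ACME challenges on
port 80, whether -w points there (otherwise the CA gets a 404), and
whether that directory is also an HTTPS site root (the overlap flagged
in the thread as bad practice).
"""
import sys

ACME_LOCATION = "/.well-known/acme-challenge/"


def parse_vhosts(conf: str) -> list:
    """Return one dict per server block: names, ports, root, acme_root.
    Minimal brace-depth parser: comments stripped, one directive per line."""
    vhosts, cur, depth, srv_depth, in_acme = [], None, 0, None, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("}"):
            if in_acme and depth == srv_depth + 1:   # leaving the acme location
                in_acme = False
            depth -= 1
            if cur is not None and depth < srv_depth:  # leaving the server block
                vhosts.append(cur)
                cur, srv_depth, in_acme = None, None, False
            continue
        if line.endswith("{"):
            depth += 1
            head = line[:-1].split()
            if head[0] == "server":
                cur = {"names": [], "ports": set(), "root": None, "acme_root": None}
                srv_depth = depth
            elif head[0] == "location" and cur is not None:
                in_acme = head[-1] == ACME_LOCATION
            continue
        if cur is None:
            continue
        key, *args = line.rstrip(";").split()
        if key == "server_name":
            cur["names"].extend(args)
        elif key == "listen":
            cur["ports"].add(args[0].rsplit(":", 1)[-1])  # "80", "[::]:80" -> "80"
        elif key == "root":
            if in_acme:
                cur["acme_root"] = args[0]
            elif depth == srv_depth:
                cur["root"] = args[0]
    return vhosts


def acme_root(vhosts: list, domain: str):
    """Directory nginx serves challenges from for `domain` over plain HTTP:
    the location's own root, else the server root nginx would inherit."""
    for vh in vhosts:
        if "80" in vh["ports"] and domain in vh["names"]:
            return vh["acme_root"] or vh["root"]
    return None


def check_webroot(conf: str, webroot: str, domains: list) -> dict:
    """Map each domain to (expected_root, ok). ok is False when certbot
    would write the token where nginx does not look, i.e. a 404 for the CA."""
    vhosts = parse_vhosts(conf)
    out = {}
    for d in domains:
        exp = acme_root(vhosts, d)
        out[d] = (exp, exp is not None and exp.rstrip("/") == webroot.rstrip("/"))
    return out


def shared_roots(conf: str) -> list:
    """Names whose port-80 challenge root is also their HTTPS site root."""
    vhosts = parse_vhosts(conf)
    https = {n: vh["root"] for vh in vhosts if "443" in vh["ports"] for n in vh["names"]}
    return sorted(n for vh in vhosts if "80" in vh["ports"] for n in vh["names"]
                  if (vh["acme_root"] or vh["root"]) is not None
                  and (vh["acme_root"] or vh["root"]) == https.get(n))


# Constructed sample modelled on the sandbox.rpiweather.net vhost in the thread.
SAMPLE_CONF = """
server {
    listen 80;
    listen [::]:80;
    server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;
    location /.well-known/acme-challenge/ {
        root /var/www/sandbox.rpiweather.net;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;
    root /var/www/sandbox.rpiweather.net;
    location / {
        try_files $uri $uri/ =404;
    }
}
"""

if __name__ == "__main__":
    # usage: python check_webroot.py WEBROOT [nginx-T-output.txt] DOMAIN...
    webroot = sys.argv[1] if len(sys.argv) > 1 else "/etc/nginx"
    conf = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_CONF
    names = sys.argv[3:] or ["sandbox.rpiweather.net", "www.sandbox.rpiweather.net"]
    for d, (exp, ok) in check_webroot(conf, webroot, names).items():
        print(f"{d}: challenges served from {exp}; -w {webroot} -> "
              f"{'OK' if ok else 'MISMATCH (CA would see 404)'}")
    for n in shared_roots(conf):
        print(f"{n}: challenge root is also the HTTPS site root; use a dedicated folder")
```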

I made a /var/www/ACMEchallenge folder and set the root accordingly in all 3 config files.

I now get this response to the certbot dry-run command:

pi@HomeAutomation:/var/www/ACMEchallenge $ sudo certbot certonly  --dry-run --webroot -w /var/www/sandbox.rpiweather.net  -d sandbox.rpiweather.net,www.sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Simulating renewal of an existing certificate for sandbox.rpiweather.net and www.sandbox.rpiweather.net
Performing the following challenges:
http-01 challenge for sandbox.rpiweather.net
http-01 challenge for www.sandbox.rpiweather.net
Using the webroot path /var/www/sandbox.rpiweather.net for all unmatched domains.
Waiting for verification...
Challenge failed for domain sandbox.rpiweather.net
Challenge failed for domain www.sandbox.rpiweather.net
http-01 challenge for sandbox.rpiweather.net
http-01 challenge for www.sandbox.rpiweather.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sandbox.rpiweather.net
   Type:   unauthorized
   Detail: 2600:4040:5050:ce00:d6c2:fe84:f82f:13a7: Invalid response
   from
   http://sandbox.rpiweather.net/.well-known/acme-challenge/H0QvQLOquFEccCsrPSGsPFYmW8aHmHCh4F1C1ZS3LEg:
   404

   Domain: www.sandbox.rpiweather.net
   Type:   unauthorized
   Detail: 2600:4040:5050:ce00:d6c2:fe84:f82f:13a7: Invalid response
   from
   http://www.sandbox.rpiweather.net/.well-known/acme-challenge/WeJ5CIohn7QDlDpx0JLGnFk2I4hyncxsL78krvaf6pg:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
pi@HomeAutomation:/var/www/ACMEchallenge $

This is the nginx -T response:

pi@HomeAutomation:/var/www/ACMEchallenge $ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip.conf:
load_module modules/ngx_stream_geoip_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

# configuration file /etc/nginx/sites-enabled/rpiweather.net:
server {
       listen 80;
       listen [::]:80;
       server_name rpiweather.net www.rpiweather.net;

       # ACME Challenges use this root folder (from your old https server block)
       location /.well-known/acme-challenge/ {
         root /var/www/ACMEchallenge;
       }

       # All other requests get redirected to https
       location / {
          return 301 https://$host$request_uri;
       }
}

server {
       listen 443 ssl;
       listen [::]:443 ssl;

       server_name rpiweather.net www.rpiweather.net;

       root /var/www/rpiweather.net;
       index index.html;

       # RSA certificate
       ssl_certificate /etc/letsencrypt/live/rpiweather.net/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/rpiweather.net/privkey.pem; # managed by Certbot

       #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

       location / {
               try_files $uri $uri/ =404;
       }
}

# configuration file /etc/nginx/sites-enabled/sandbox.rpiweather.net:
# sudo certbot certonly --dry-run --webroot -w /etc/nginx -d sandbox.rpiweather.net,www.sandbox.rpiweather.net

server {
       listen 80;
       listen [::]:80;
       server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;

       # ACME Challenges use this root folder (from your old https server block)
       location /.well-known/acme-challenge/ {
         root /var/www/ACMEchallenge;
       }

       # All other requests get redirected to https
       location / {
          return 301 https://$host$request_uri;
       }
}

server {
       listen 443 ssl;
       listen [::]:443 ssl;

       server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;

       root /var/www/sandbox.rpiweather.net;
       index index.html;

       # RSA certificate
       ssl_certificate     /etc/letsencrypt/live/sandbox.rpiweather.net/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/sandbox.rpiweather.net/privkey.pem; # managed by Certbot

       #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

       location / {
               try_files $uri $uri/ =404;
       }
}

# configuration file /etc/nginx/sites-enabled/sandbox2.rpiweather.net:
# sudo certbot certonly --dry-run --webroot -w /etc/nginx -d sandbox.rpiweather.net,www.sandbox.rpiweather.net

server {
       listen 80;
       listen [::]:80;
       server_name sandbox2.rpiweather.net www.sandbox2.rpiweather.net;

       # ACME Challenges use this root folder (from your old https server block)
       location /.well-known/acme-challenge/ {
         root /var/www/ACMEchallenge;
       }

       # All other requests get redirected to https
       location / {
          return 301 https://$host$request_uri;
       }
}

server {
       listen 443 ssl;
       listen [::]:443 ssl;

       server_name sandbox2.rpiweather.net www.sandbox2.rpiweather.net;

       root /var/www/sandbox2.rpiweather.net;
       index index.html;

       # RSA certificate
       #ssl_certificate /etc/letsencrypt/live/sandbox.rpiweather.net/fullchain.pem; # managed by Certbot
       #ssl_certificate_key /etc/letsencrypt/live/sandbox.rpiweather.net/privkey.pem; # managed by Certbot

       #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

       location / {
               try_files $uri $uri/ =404;
       }
}

pi@HomeAutomation:/var/www/ACMEchallenge $ 

And the folder details:

pi@HomeAutomation:/var/www/ACMEchallenge $ ls -l /var/www
total 24
drwxr-xr-x 2 root     root 4096 Apr 20 07:07 ACMEchallenge
drwxr-xr-x 2 root     root 4096 Apr 14 12:45 GPStracker.rpiweather.net
drwxr-xr-x 6 www-data pi   4096 Mar 23 07:11 html
drwxr-xr-x 5 pi       pi   4096 Apr 13 07:46 rpiweather.net
drwxr-xr-x 2 root     root 4096 Apr 19 17:41 sandbox2.rpiweather.net
drwxr-xr-x 2 root     root 4096 Apr 20 07:13 sandbox.rpiweather.net
pi@HomeAutomation:/var/www/ACMEchallenge $

It is a bit off topic here, but as you are using dynu.com you may want to play with my dynDNS update program: https://github.com/bruncsak/dynu.sh. At least for listing the content of your zone: dynu.sh getdns. It is possible to use it for DNS-01 challenges to get a certificate (even a wildcard one), but I never tried to interface it to the certbot ACME client.

2 Likes

First, let me say I do not agree with @rg305 that using a different folder is better practice or gives you better security. I think it was fine before. I think you could just change the acme challenge root folder in nginx back to how it was before and continue as you were.

But, if you leave the acme challenge folder as /var/www/ACMEchallenge your command should be:
sudo certbot certonly --dry-run --webroot -w /var/www/ACMEchallenge -d sandbox.rpiweather.net,www.sandbox.rpiweather.net

You will have to repeat the command for each of your certs. Note that --dry-run just tests the command. Once it works, you need to issue it again without --dry-run.

2 Likes
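As an added example (it is not part of the original post, and it is not certbot's or nginx's own code), here is a Python pre-flight check for the command above. It reads an nginx -T dump, works out which root nginx will serve /.well-known/acme-challenge/ from for each name you are about to request, and compares that with the -w path you intend to hand certbot. The SAMPLE_DUMP inside it is a constructed, shortened stand-in for the config posted above; the parser assumes one directive per line, which is how nginx -T prints. fetch_challenge is the live follow-up check (fetch the token over port 80 the way the CA does) and is not exercised offline.

```python
"""Pre-flight check for `certbot certonly --webroot -w <dir>`: confirm <dir>
matches the root nginx really serves /.well-known/acme-challenge/ from.
Added example for this thread, not certbot's or nginx's code."""
import os
import urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed, abbreviated stand-in for the nginx -T dump in the thread.
SAMPLE_DUMP = """
http {
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        server_name _;
        #location ~ /\\.ht {
        #       deny all;
        #}
    }
    server {
        listen 80;
        listen [::]:80;
        server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;
        location /.well-known/acme-challenge/ {
          root /var/www/ACMEchallenge;
        }
        location / {
           return 301 https://$host$request_uri;
        }
    }
    server {
        listen 443 ssl;
        server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;
        root /var/www/sandbox.rpiweather.net;
    }
}
"""


def parse_nginx_t(text):
    """Collect, per server block: listen ports, server names, the block-level
    root and the root inside the acme-challenge location (if any)."""
    servers, stack, cur = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # nginx comments run to end of line
        if not line:
            continue
        if line.endswith("{"):
            block = line[:-1].strip()
            stack.append(block)
            if block == "server":
                cur = {"ports": [], "names": [], "root": None, "acme_root": None}
                servers.append(cur)
            continue
        if line == "}":
            if stack and stack.pop() == "server":
                cur = None
            continue
        if cur is None or not line.endswith(";"):
            continue
        directive, *args = line[:-1].split()
        where = stack[-1]
        if where == "server":
            if directive == "listen":
                cur["ports"].append(args[0].rsplit(":", 1)[-1])  # "80", "[::]:80", "443 ssl"
            elif directive == "server_name":
                cur["names"].extend(args)
            elif directive == "root":
                cur["root"] = args[0]
        elif where.startswith("location") and ACME_PREFIX.rstrip("/") in where:
            if directive == "root":
                cur["acme_root"] = args[0]
    return servers


def acme_root_for(servers, name, port="80"):
    """Root used for http-01 requests to `name` on `port`: the acme-challenge
    location's root if present, else the server-level root. None when no
    server block carries that name on that port."""
    for s in servers:
        if name in s["names"] and port in s["ports"]:
            return s["acme_root"] or s["root"]
    return None


def challenge_path(root, token):
    """File nginx opens for GET /.well-known/acme-challenge/<token>: root + URI.
    A trailing slash on root is normalised away so it cannot cause a false mismatch."""
    return os.path.normpath(root.rstrip("/") + ACME_PREFIX + token)


def check_webroot(nginx_dump, webroot, names):
    """Compare where certbot writes the token (webroot + ACME_PREFIX) with where
    nginx reads it. Returns {name: (nginx_root_or_None, ok)}."""
    servers = parse_nginx_t(nginx_dump)
    report = {}
    for name in names:
        root = acme_root_for(servers, name)
        ok = root is not None and challenge_path(root, "t") == challenge_path(webroot, "t")
        report[name] = (root, ok)
    return report


def fetch_challenge(name, token, timeout=10):
    """Live check (needs the real host): fetch the token over plain HTTP on port 80."""
    with urllib.request.urlopen(f"http://{name}{ACME_PREFIX}{token}", timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    names = ["sandbox.rpiweather.net", "www.sandbox.rpiweather.net"]
    for webroot in ("/etc/nginx", "/var/www/ACMEchallenge"):
        print(f"-w {webroot}")
        for name, (root, ok) in check_webroot(SAMPLE_DUMP, webroot, names).items():
            print(f"  {name}: nginx root={root} -> {'OK' if ok else 'MISMATCH'}")
```

Run it against the real dump with `sudo nginx -T > /tmp/dump.txt` and pass that text to check_webroot before the dry run; a MISMATCH for -w /etc/nginx and OK for -w /var/www/ACMEchallenge is the expected result for the config above. Because every server block points its acme-challenge location at the same root, one -w value covers all the names in one certbot invocation, and since each token lands under its own random filename, sharing that folder across subdomains does not make them collide.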

If I use the --nginx option rather than --webroot, does certbot alter the config files when you first run the command to set up the ACME folder? If so, how does it decide on the folder name?

Is there any downside to using the same root folder for the challenge folder across multiple subdomains?

1 Like

Not sure if this is of concern...
But the location statement ends with a slash and the root statement does not.
I think they should agree.
Either:

  • both end with a slash
  • both don't use a slash at the end

I'd use a slash on both.

2 Likes