I already understood what you were talking about, I was still dealing with an existing file and that it correctly returns 404 / possibly the correct token. Only now have I noticed table "7.3" where the "invalid" address on the acme challenge is checked.
But it's still very strange for me: sometimes I get "green" values, sometimes "timeout". What I had to do to improve the results at least a little:
I had the TTL parameter set incorrectly in the DNS configuration; it seems to have been too low (360), and therefore the evaluation was very often a "timeout". I don't know, but increasing the value (42000) helped, at least that's how it looks.
I was able to "see" at least some results "green" but still I received the same error.
But I still don't know where the problem might be next, maybe still a bad NGINX setup. The current setup is:
server {
    listen 80;
    listen [::]:80;
    root /var/www/domains/tmapp.cz/web;
    index index.html;
    server_name tmapp.cz www.tmapp.cz;

    location / {
        try_files $uri $uri/ /index.html =404;
        autoindex on;
    }

    location /api {
        proxy_pass http://localhost:4242;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /socket.io {
        proxy_pass http://localhost:4242;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
    # We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
    # other regex checks, because in our other config files have regex rule that denies access to files wit>
    location ^~ /.well-known/acme-challenge/ {
        # Set correct content type. According to this:
        # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
        # Current specification requires text/plain or no content header at all.
        # It seems that text/plain is a safe option, so serve the token as text/plain
        # (the block previously set text/html, contradicting the note above).
        charset utf-8;
        default_type text/plain;
        # This directory must be the same as in /etc/letsencrypt/cli.ini
        # as webroot-path parameter. Also don't forget to set authenticator parameter
        # there to webroot.
        # Do NOT use alias, use root! Target directory is located here:
        # /var/www/common/letsencrypt/.well-known/acme-challenge/
        root /var/www/common/letsencrypt;
    }

    # Hide /acme-challenge subdirectory and return 404 on all requests.
    # It is somewhat more secure than letting Nginx return 403.
    # Ending slash is important!
    location = /.well-known/acme-challenge/ {
        return 404;
    }
}
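To check which block actually answers a given request, here is an added example (not from the post above, and not part of nginx) that models nginx's documented location-selection order over the blocks in this config. The regex deny rule for dotfiles is a constructed stand-in for the "other config file" the comments mention; it shows why the ACME block needs ^~ rather than a plain prefix.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    modifier: str  # "=", "^~", "~", "~*" or "" for a plain prefix
    pattern: str
    action: str    # what the block does, for display only


# Constructed model of the config above plus a hypothetical regex rule that
# denies every path containing "/." (a common dotfile-protection include).
LOCATIONS = [
    Location("", "/", "static site"),
    Location("", "/api", "proxy to :4242"),
    Location("^~", "/.well-known/acme-challenge/", "serve token from webroot"),
    Location("=", "/.well-known/acme-challenge/", "return 404"),
    Location("~", r"/\.", "deny dotfiles (hypothetical rule from another include)"),
]

# Same config with ^~ removed from the ACME block: it becomes a plain prefix.
WITHOUT_PREFIX_MODIFIER = [
    Location("", loc.pattern, loc.action) if loc.modifier == "^~" else loc
    for loc in LOCATIONS
]


def resolve(uri, locations=LOCATIONS):
    """Return the Location nginx would pick for uri, in nginx's documented order:
    exact match, then longest prefix (^~ stops the search), then regexes in
    file order, and finally the longest plain prefix as the fallback."""
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return best
```

With the ^~ in place the token path reaches the webroot block even though the regex would match its leading "/."; without it, the same request is denied before the token is ever served.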