Cert fails on creating. Open port 80 for letsencrypt useragent or ip?


#1

Hello,

i’m at a hoster who supports LE as “experimental”. The server runs on nginx. I’ve tried to switch to LE but wouldn’t receive a cert. After the support removes my user defined directives it creates a cert. So the problem must lie somewhere in my directives:

expires 300s;
location ~* \.(js|json|jsonp|css|xml|xsl|xsd)$ {
	add_header Cache-Control public;
	expires 1h;
	etag on;
}
location ~* \.(ico|swf|pdf|jpeg|jpg|gif|png)$ {
	add_header Cache-Control public;
	expires 720h;
	etag on;
}

if ($http_host !~* "^(sub1|sub2|www)\.somedom\.(at|de|ch)$"){
	set $rule_1 1;
}
if ($http_host ~ "^(.+\.|)somedom\.at$"){
	set $rule_1 2$rule_1;
}
if ($http_host ~ "^(.+\.|)somedom\.ch$"){
	set $rule_1 3$rule_1;
}
if ($rule_1 = "1"){
	rewrite /(.*) https://www.somedom.de$uri permanent;
}
if ($rule_1 = "21"){
	rewrite /(.*) https://www.somedom.at$uri permanent;
}
if ($rule_1 = "31"){
	rewrite /(.*) https://www.somedom.ch$uri permanent;
}
if ($remote_addr !~ "^(1\.1\.1\.1)$"){
	set $rule_4 1$rule_4;
}
if ($http_host ~ "^(sub1|sub2|www)\.somedom\.(at|de|ch)$"){
	set $rule_4 2$rule_4;
}
if ($uri !~ "^/((v2\_addon|admin|import(|2)|cron|quickview)/{0,1}.*|(google|yandex)[_a-z0-9]+\.html)$"){
	set $rule_4 3$rule_4;
}
if ($rule_4 = "32"){
	rewrite ^/(|[^\.]+/)(|[^/]+\.html|[^\./]+(|/))$ /virtual.php?URI=$uri last;
}

if ($remote_addr ~ "^(1\.1\.1\.1)$"){
	set $rule_5 1$rule_5;
}
if ($http_user_agent !~* "([Ww]get|Curl)"){
	set $rule_5 2$rule_5;
}
if ($http_host ~ "^(sub1|sub2|www)\.somedom\.(at|de|ch)$"){
	set $rule_5 3$rule_5;
}
if ($uri !~ "^/((v2\_addon|admin|import(|2)|cron|quickview)/{0,1}.*|(google|yandex)[_a-z0-9]+\.html)$"){
	set $rule_5 4$rule_5;
}
if ($rule_5 = "4321"){
	rewrite ^/(|[^\.]+/)(|[^/]+\.html|[^\./]+(|/))$ /virtual2.php?URI=$uri last;
}

if ($http_host ~ "^[a-z]+\.somedom\.de$"){
	set $rule_6 1;
}
if ($http_host ~ "^[a-z]+\.somedom\.at$"){
	set $rule_6 2;
}
if ($http_host ~ "^[a-z]+\.somedom\.ch$"){
	set $rule_6 3;
}

I’ve read here

that it might be solved by not redirecting port 80. But all users coming from old links must be redirected to port 443. Can it be solved somehow by not redirecting some magic User-Agent like ‘letsencrypt.org’ or anything else?

Micha


#2

There is no problem redirecting from port 80, Let’s Encrypt will follow the redirect.

There is no “User-Agent” or similar that you can use for the redirect to just apply redirects for Let’s Encrypt, no.

Are you happy to provide your domain name ? so I can see what the current redirect is for .well-known/acme-challenge ? (There are a lot of rules in your .htaccess to go through manually :wink: )


#3

Dude, doesn’t nginx have logical operators? My eyes bleed when I see this set $rule....

Nevermind.


#5

The redirect to port 443 looks fine. although I then get a 403 error.

Can you place a plain text file called “test” (with no extension) at your webroot/.well-known/acme-challenge/test please (creating the folders if needed) with the contents “ok”.


#7

Well, that’s why it’s been chosen for the challenge, to lower the chance it collides with a real path. Nevertheless, it’s a valid path.


#8

@serverco how did you get a 403? I’ve tried to reach this file but it is not possible. Even if the path is missing there is only a 404 and not a 403.


#9

@TCM & @serverco Thank you for your help! The admins of my hoster might have solved this old problem. So I do not have to search for errors anyone of this matter. but I keep in mind what you taught me :wink:

ps: I’ve deleted the posts with the links for security reasons.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.