Certbot configuration for Nginx+gRPC

Hello,

How can I get an LE certificate for an nginx gRPC proxy? Does it work the same as an HTTP reverse proxy?

Any example on how to set it up please?

Thanks in advance

The only stumbling block you might encounter is that if you use Certbot's --nginx installer, Certbot does not enable HTTP/2 by default.

Since HTTP/2 is required by gRPC, you will have to do that by hand. It's a matter of replacing:

listen 443 ssl;

with

listen 443 ssl http2;

Thanks for the explanation. When I try to run it as follows:

sudo certbot certonly --webroot -w /home/letsencrypt/challenge/ -d sub.domain.com --dry-run -v

I get:

Domain: sub.domain.com
Type:   unauthorized
Detail: Invalid response from

My nginx config is as follows:

server {
    listen 80 http2;
    server_name sub.domain.com;

    # root /var/www/;

    location / {
        grpc_pass grpc://ip-address:port;
    }

    location ~ /.well-known/acme-challenge {
        root /home/letsencrypt/challenge;
        allow all;
    }
}

I didn't include the exact domain/IP, but do I have to install anything in particular for http2?

OK, I think it was just the propagation of the A record. It's OK now, thanks a lot :slight_smile:

That won't work because:

  1. Let's Encrypt needs to perform HTTP validation over port 80 using HTTP/1.1.
  2. nginx can't do both HTTP/1 and HTTP/2 Cleartext (h2c) over port 80; you can only pick one.

My suggestion would be to forget about using gRPC over port 80. Get rid of http2 from the listen line above as well as the gRPC proxying, and get your certificate.

Then set up gRPC proxying again on the HTTPS server (port 443).
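What the advice above looks like as a complete configuration, as an added example rather than the poster's own config or anything Certbot generates: the port 80 server block serves only the ACME challenge over plain HTTP/1.1 (no http2 parameter), and the gRPC proxying lives on the port 443 block with TLS and HTTP/2. The names sub.domain.com, the webroot /home/letsencrypt/challenge and the backend grpc://ip-address:port are the placeholders used in this thread, not real values.

```nginx
# Added example (not the original poster's config): separate the ACME
# HTTP-01 challenge (port 80, HTTP/1.1) from the gRPC proxy (port 443,
# TLS + HTTP/2). Placeholders taken from the thread: sub.domain.com,
# /home/letsencrypt/challenge and grpc://ip-address:port.

# Port 80: HTTP/1.1 only. No "http2" here, because Let's Encrypt validates
# over HTTP/1.1 and nginx cannot serve HTTP/1.1 and h2c on the same socket.
server {
    listen 80;
    listen [::]:80;
    server_name sub.domain.com;

    # Pairs with:
    #   sudo certbot certonly --webroot -w /home/letsencrypt/challenge -d sub.domain.com
    # Certbot writes the token under
    #   /home/letsencrypt/challenge/.well-known/acme-challenge/<token>
    location ^~ /.well-known/acme-challenge/ {
        root /home/letsencrypt/challenge;
        default_type text/plain;
    }

    # Nothing else is served in cleartext; gRPC clients connect to 443.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS with HTTP/2, which gRPC requires.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub.domain.com;

    ssl_certificate     /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;

    location / {
        # Backend speaks plaintext gRPC (h2c); use grpcs:// if it terminates
        # its own TLS.
        grpc_pass grpc://ip-address:port;
    }
}
```

After saving, validate with sudo nginx -t and reload before issuing the certificate; once it is issued, certbot renew --dry-run confirms the port 80 block still answers the challenge correctly rather than the issuance having succeeded on a cached authorization. Note that nginx 1.25.1 and later deprecate the http2 parameter on the listen line in favour of a separate http2 on; directive; the listen form shown here matches what Certbot's --nginx installer edits in the versions discussed in this thread.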

For some reason I was able to get the certificate, not sure how :roll_eyes:, and I'm now using the following config:

server {
    #listen 80 default_server;
    #listen [::]:80 default_server;
    listen 80 http2;
    server_name sub.domain.com;

    # root /var/www/;

    location / {
        grpc_pass grpc://ip-address:port;
    }

    location ~ /.well-known/acme-challenge {
        root /home/letsencrypt/challenge;
        allow all;
    }

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem; # managed by Certbot
}

I can access and receive the gRPC stream using sub.domain.com:port.
Is it not supposed to work?

Also noted that if I activate the Cloudflare proxy it doesn't work, only without it.

I don't know either. It really shouldn't work ... it should result in a Server is speaking HTTP/2 over HTTP error from Let's Encrypt.

Unless maybe that server block is being ignored because a duplicate non-h2c host has priority over the port?

Does this generate any warnings:

sudo nginx -t

Edit: possible theory #2 is that it succeeded due to a cached authorization. If you have a recent-ish version of Certbot (0.40.0 or newer), you can exclude this possibility by checking with certbot renew --dry-run.

I'm not surprised that a CDN breaks gRPC ... but it looks like you might be able to opt into the Cloudflare gRPC Beta to make it work.

Yes, not sure why it went through; I guess it was ignored then.

sudo nginx -t

doesn't give me any error. I removed http2 from listen 80 but still cannot access it if I proxy through Cloudflare.

I activated gRPC at Network > gRPC and I did orange-cloud the subdomain, but I still get:

No connection established

Should I also toggle HTTP/2 on the Cloudflare side?

Seems HTTP/2 is activated by default anyway on Cloudflare. Guess I'll just go without Cloudflare then.
