This is the output of nginx -T
,
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# configuration file /etc/nginx/sites-enabled/heartyk9s.ca:
# catch root domains for well-known before permanent redirect
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name heartyk9s.ca www.heartyk9s.ca;
# well-known for let's encrypt
location /.well-known {
root /var/www/heartyk9s.ca/html;
}
return 301 https://heartyk9s.ca$request_uri;
}
# catch admin subdomain for well-known before permanent redirect
server {
listen 80;
listen [::]:80;
server_name admin.heartyk9s.ca;
# well-known for let's encrypt
location /.well-known {
root /var/www/admin.heartyk9s.ca/html;
}
return 301 https://$server_name$request_uri;
}
# catch staging subdomain for well-known before permanent redirect
server {
listen 80;
listen [::]:80;
server_name staging.heartyk9s.ca;
# well-known for let's encrypt
location /.well-known {
root /var/www/staging.heartyk9s.ca/html;
}
return 301 https://$server_name$request_uri;
}
# all remaining traffic is https
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name heartyk9s.ca;
location / {
root /var/www/heartyk9s.ca/html;
index index.html index.htm;
try_files $uri $uri/ =404;
}
# error page handling defaults to 404
error_page 401 403 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/html;
}
# ssl
include snippets/ssl-heartyk9s.ca.conf;
include snippets/ssl-params.conf;
}
# redirect https://www.heartyk9s.ca https://heartyk9s.ca
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.heartyk9s.ca;
return 301 https://heartyk9s.ca$request_uri;
}
# admin subdomain
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name admin.heartyk9s.ca;
location / {
root /var/www/admin.heartyk9s.ca/html;
index index.html index.htm;
try_files $uri $uri/ =404;
}
# error page handling defaults to 404
error_page 401 403 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/html;
}
# ssl
include snippets/ssl-heartyk9s.ca.conf;
include snippets/ssl-params.conf;
}
# staging subdomain
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name staging.heartyk9s.ca;
location / {
root /var/www/staging.heartyk9s.ca/html;
index index.html index.htm;
try_files $uri $uri/ =404;
}
# error page handling defaults to 404
error_page 401 403 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/html;
}
# ssl
include snippets/ssl-heartyk9s.ca.conf;
include snippets/ssl-params.conf;
}
# configuration file /etc/nginx/snippets/ssl-heartyk9s.ca.conf:
ssl_certificate /etc/letsencrypt/live/heartyk9s.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/heartyk9s.ca/privkey.pem;
# configuration file /etc/nginx/snippets/ssl-params.conf:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# configuration file /etc/nginx/snippets/ssl-heartyk9s.ca.conf:
ssl_certificate /etc/letsencrypt/live/heartyk9s.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/heartyk9s.ca/privkey.pem;
# configuration file /etc/nginx/snippets/ssl-params.conf:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# configuration file /etc/nginx/snippets/ssl-heartyk9s.ca.conf:
ssl_certificate /etc/letsencrypt/live/heartyk9s.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/heartyk9s.ca/privkey.pem;
# configuration file /etc/nginx/snippets/ssl-params.conf:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# configuration file /etc/nginx/sites-enabled/heartyk9s.com:
# catch root domains for well-known before permanent redirect
server {
listen 80;
listen [::]:80;
server_name heartyk9s.com www.heartyk9s.com;
# well-known for let's encrypt
location /.well-known {
allow all;
root /var/www/heartyk9s.com/html;
}
return 301 https://heartyk9s.ca$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name heartyk9s.com www.heartyk9s.com;
return 301 https://heartyk9s.ca$request_uri;
}
I’ve uploaded a test file containing “Hello!” to the one server which all of these redirect to at https://heartyk9s.ca/.well-known/acme-challenge/test
. All of them download the test file except the subdomain urls mentioned previously in my first post.
EDIT3:
There are now test.txt files in each root which identify themselves as Hello! root
. On testing,
https://www.heartyk9s.ca/.well-known/acme-challenge/test.txt
http://heartyk9s.ca/.well-known/acme-challenge/test.txt
http://www.heartyk9s.ca/.well-known/acme-challenge/test.txt
redirect to https://heartyk9s.ca/.well-known/acme-challenge/test.txt
which displays Hello! heartyk9s.ca
.
Staging and admin https subdomains display their respective test files.
The .com domains,
https://heartyk9s.com/.well-known/acme-challenge/test.txt
https://www.heartyk9s.com/.well-known/acme-challenge/test.txt
http://heartyk9s.com/.well-known/acme-challenge/test.txt
http://www.heartyk9s.com/.well-known/acme-challenge/test.txt
redirect to https://heartyk9s.ca/.well-known/acme-challenge/test.txt
which displays Hello! heartyk9s.ca
, not Hello! heartyk9s.com
.
I think the https vhost is serving the files correctly in terms of the needs of the webserver, but probably not in terms of the renewal requirements. How many “right files” are needed in my case?
The letsencrypt
command,
sudo letsencrypt certonly --webroot -w /var/www/heartyk9s.ca/html -d heartyk9s.ca -d www.heartyk9s.ca -w /var/www/admin.heartyk9s.ca/html -d admin.heartyk9s.ca -w /var/www/staging.heartyk9s.ca/html -d staging.heartyk9s.ca -w /var/www/heartyk9s.com/html -d heartyk9s.com -d www.heartyk9s.com
EDIT: To make it clear… I did upload a test file also to http://heartyk9s.com/.well-known/acme-challenge/test
but it is never reached.
EDIT2: Access log,
sudo cat /var/log/nginx/access.log | grep letsencrypt
66.133.109.36 - - [10/Feb/2017:15:10:18 +0000] "GET /.well-known/acme-challenge/wgJKaAk5hAKKkEJpslD5wzQ57fSnYTLQFAnr1Q2t3ss HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [10/Feb/2017:15:10:18 +0000] "GET /.well-known/acme-challenge/I434MmU6V3VDkbYo4REBZVTv6bMrg1ZzWcNbgFA7Auk HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [10/Feb/2017:15:10:18 +0000] "GET /.well-known/acme-challenge/wgJKaAk5hAKKkEJpslD5wzQ57fSnYTLQFAnr1Q2t3ss HTTP/1.1" 404 136 "http://heartyk9s.com/.well-known/acme-challenge/wgJKaAk5hAKKkEJpslD5wzQ57fSnYTLQFAnr1Q2t3ss" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [10/Feb/2017:15:10:18 +0000] "GET /.well-known/acme-challenge/I434MmU6V3VDkbYo4REBZVTv6bMrg1ZzWcNbgFA7Auk HTTP/1.1" 404 136 "http://www.heartyk9s.com/.well-known/acme-challenge/I434MmU6V3VDkbYo4REBZVTv6bMrg1ZzWcNbgFA7Auk" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
and error log (some of which may not be related to renewal),
sudo cat /var/log/nginx/error.log | grep well-known
2017/02/10 15:16:46 [error] 18465#18465: *70573 directory index of "/var/www/heartyk9s.ca/html/.well-known/" is forbidden, client: 174.35.133.122, server: heartyk9s.ca, request: "GET /.well-known/ HTTP/2.0", host: "heartyk9s.ca"
2017/02/10 20:33:25 [error] 18465#18465: *71199 directory index of "/var/www/heartyk9s.ca/html/.well-known/" is forbidden, client: 52.200.43.245, server: heartyk9s.ca, request: "HEAD /.well-known/ HTTP/2.0", host: "heartyk9s.ca"
2017/02/10 20:33:25 [error] 18465#18465: *71200 directory index of "/var/www/heartyk9s.ca/html/.well-known/" is forbidden, client: 52.200.43.245, server: heartyk9s.ca, request: "HEAD /.well-known/ HTTP/2.0", host: "heartyk9s.ca"
2017/02/10 22:44:42 [error] 18465#18465: *71427 directory index of "/var/www/heartyk9s.ca/html/.well-known/" is forbidden, client: 174.35.133.122, server: heartyk9s.ca, request: "GET /.well-known/ HTTP/2.0", host: "heartyk9s.ca"