Issues with nginx and redirects using acme_tiny

same error here!

I got the location block from here:

this doesn't work in my config:

server {
    server_name domain.it www.domain.it;
    listen xxx.xxx.xxx.xxx;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    include /etc/phpmyadmin/nginx-php5-fpm.conf; #this is for phpmyadmin subdirectory 
    server_name domain.it www.domain.it;
    listen xxx.xxx.xxx.xxx:443 ssl;
    ssl_certificate /home/domain/ssl.cert;
    ssl_certificate_key /home/domain/ssl.key;
    ssl_protocols TLSv1.1 TLSv1.2;

    root /home/domain/public_html;
    index index.html index.htm index.php;
    access_log /var/log/nginx/domain.it_access_log;
    error_log /var/log/nginx/domain.it_error_log;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SCRIPT_FILENAME /home/domain/public_html$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT /home/domain/public_html;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param HTTPS $https;
    location ~ (^|/)\. {
        return 403;
    }
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm-domain.it.sock;
	
	#############################################################################
	# Configuration file for Let's Encrypt ACME Challenge location
	# This file is already included in listen_xxx.conf files.
	# Do NOT include it separately!
	#############################################################################
	#
	# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
	# on all our sites (HTTP), including all subdomains.
	# This is required by ACME Challenge (webroot authentication).
	# You can check that this location is working by placing ping.txt here:
	# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
	# And pointing your browser to:
	# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
	#
	# Sources:
	# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
	#
	#############################################################################

	# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
	# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
	# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
	location ^~ /.well-known/acme-challenge/ {

		# Set correct content type. According to this:
		# https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
		# Current specification requires "text/plain" or no content header at all.
		# It seems that "text/plain" is a safe option.
		default_type "text/plain";

		# This directory must be the same as in /etc/letsencrypt/cli.ini
		# as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
		# there to "webroot".
		# Do NOT use alias, use root! Target directory is located here:
		# /var/www/common/letsencrypt/.well-known/acme-challenge/
		root         /home/domain/public_html;
	}

	# Hide /acme-challenge subdirectory and return 404 on all requests.
	# It is somewhat more secure than letting Nginx return 403.
	# Ending slash is important!
	location = /.well-known/acme-challenge/ {
		return 404;
	}

}

it return:

ValueError: Wrote file to /home/domain/public_html/.well-known/acme-challenge/XXXXXXXXXXXXXX, but couldn't download http://www.domain.it/.well-known/acme-challenge/XXXXXXXXXXXXXXXX

it works only if I comment the first rewrite:

rewrite ^ https://$server_name$request_uri? permanent;

and I put your code on the first server block instead of the second one

this is a test I made that works (same config):

$ curl -I --location http://www.domain.it/.well-known/acme-challenge/test.txt 
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Fri, 29 Apr 2016 16:54:28 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://domain.it/.well-known/acme-challenge/test.txt

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 29 Apr 2016 16:54:28 GMT
Content-Type: text/plain
Content-Length: 7
Last-Modified: Fri, 29 Apr 2016 15:59:36 GMT
Connection: keep-alive
ETag: "572384e8-7"
Accept-Ranges: bytes

any help? :frowning:

Are you currently using a self-signed certificate?

This error:

ValueError: Wrote file to /home/domain/public_html/.well-known/acme-challenge/XXXXXXXXXXXXXX, but couldn't download http://www.domain.it/.well-known/acme-challenge/XXXXXXXXXXXXXXXX

Is generated by acme_tiny. acme_tiny performs a self-check of the verification URL, and refuses to continue if that fails. Depending on your python version, this is going to fail with a self-signed (or, more generally, any untrusted) certificate. You could try your luck with this patch if that's the case, or disable the redirect until you have a trusted certificate ready for the next renewal.

Note that even if you're currently using a certificate signed by Let's Encrypt, you'll have to make sure that you're also including the issuer certificate. In a nutshell:

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat /home/domain/ssl.cert intermediate.pem > /home/domain/chained.cert

... and then point your ssl_certificate directive to /home/domain/chained.cert.

(I was using a letsencrypt cert but after ssl was activated I was unable to renew)

Yes! With chained.cert now it works like a charm! Thank You.

So I have to:

  1. Insert the new directive and commenting the old one in all the configuration files
  2. Automate the concatenation of ssl.cert and intermediate.pem every time a new certificate is issued

am I right?

Yep! There’s an example cronjob on the acme_tiny README which should work for you.

1 Like

I’m using virtualmin and it automate for Apache.
I’m going to try to make it auto-work for nginx too.

Do you think that could be a problem to download intermediate.pem and concatenate it in chained.cert independently from the renew?

Example: I update the chained.cert today and renew after 10 days.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.