LE renewal via webroot with nginx confusion


General question, not really a problem. Just curious; everywhere you read about how to set up nginx to work with webroot renewals states that the well-known location only needs to be set in the port 80 server block. They also usually suggest you add a 301 or other redirect to your ssl url. When I do that, I need to add the location to both server blocks for renewal to work. Otherwise I get an authentication error. Why does no one state that, or am I doing something wrong in fact? Thanks.


The devil is usually in the details with this kind of thing.

If you have a server that is defined like:

server {
    listen 80;

    location / {
        # redirect is scoped to this location only
        return 301 https://whatever$request_uri;
    }

    location /.well-known/acme-challenge {
        # ...  (served from the webroot, never redirected)
    }
}

then it will work fine, there’s really no reason it would need to be duplicated in the port 443 server.

However, if you make the following (fairly common) mistake:

server {
    listen 80;

    location /.well-known/acme-challenge/ {
        # ...
    }

    return 301 https://whatever$request_uri; # not scoped, overrides everything
}

then the location block will get ignored and you’ll end up having to also put the location block into the port 443 listener.
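The difference the answer describes (a `return` inside `location /` versus one sitting directly in the `server` context) can be checked mechanically before reloading nginx. The script below is an added example, not code from this thread, from nginx or from Certbot. It parses a simplified nginx config (assumption: no `include`, `map` or quoted arguments containing spaces) and flags any server-level `return`/`rewrite`, including one inside a server-level `if`, that would run in the server rewrite phase before the ACME location is ever selected. The `example.test` host, the `/var/www/letsencrypt` root and both sample configs are constructed for the example.

```python
import re

# Constructed sample configs (not from the original post). The first scopes the
# redirect inside `location /`; the second puts it at server level.
GOOD_CONF = """
server {
    listen 80;
    server_name example.test;           # placeholder host

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # placeholder webroot
    }

    location / {
        return 301 https://example.test$request_uri;   # scoped: non-ACME paths only
    }
}
"""

BAD_CONF = """
server {
    listen 80;
    server_name example.test;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    return 301 https://example.test$request_uri;       # server level: runs first
}
"""


def parse(text):
    """Parse nginx-style config into a tree of (name, args, children) tuples.

    Simple directives have children=None; block directives carry their parsed body.
    Comments are stripped first, so the `#` notes in the samples are ignored.
    """
    text = re.sub(r"#[^\n]*", "", text)
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        items, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if words:
                    items.append((words[0], words[1:], None))
                words = []
            elif tok == "{":
                name, args = words[0], words[1:]
                words = []
                items.append((name, args, block()))
            elif tok == "}":
                return items
            else:
                words.append(tok)
        return items

    return block()


def iter_servers(items):
    """Yield the body of every `server {}` block, however deeply it is nested."""
    for name, _args, children in items:
        if name == "server":
            yield children
        elif children:
            yield from iter_servers(children)


REWRITE_PHASE_DIRECTIVES = {"return", "rewrite"}


def shadowing_directives(body):
    """Directives in server context (or inside a server-level `if`) that execute in
    the server rewrite phase, i.e. before nginx picks a location for the request."""
    found = []
    for name, args, children in body:
        if name in REWRITE_PHASE_DIRECTIVES and children is None:
            found.append(" ".join([name] + args))
        elif name == "if" and children:
            found.extend(shadowing_directives(children))
    return found


def shadowed_acme_locations(text):
    """Return (acme_location_path, directive) pairs for every ACME challenge
    location that a server-level return/rewrite in the same server would shadow."""
    findings = []
    for server in iter_servers(parse(text)):
        acme_paths = [args[-1] for name, args, _c in server
                      if name == "location" and args and "acme-challenge" in args[-1]]
        for path in acme_paths:
            for directive in shadowing_directives(server):
                findings.append((path, directive))
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, shadowed_acme_locations(conf) or "ok")
```

Run it against your own file with `shadowed_acme_locations(open("/etc/nginx/sites-enabled/example").read())`; an empty list means the webroot challenge path is reachable on port 80 without the 443 duplicate. The same condition is visible at runtime as a `301` from `curl -I http://host/.well-known/acme-challenge/anything`, where a correctly scoped config returns `404` or `200` instead.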


Ahhh ok that’s probably my issue then. Thanks for clearing it up.


