LE renewal via webroot with nginx confusion


#1

General question, not really a problem. Just curious; everywhere you read about how to setup nginx to work with webroot renewals states that the well-known location only need be set in the port 80 server block. They also usually suggest you add a 301 or other redirect to your ssl url. When I do that, I need to add the location to both server blocks for renewal to work. Otherwise I get an authentication error. Why does no one state that or am I doing something wrong in fact? Thanks.


#2

The devil is usually in the details with this kind of thing.

If you have a server that is defined like:

listen 80;

location / {
   return 301 https://whatever$request_uri;
}

location /.well-known/acme-challenge {
  # ...
}

then it will work fine, there’s really no reason it would need to be duplicated in the port 443 server.

However, if you make the following (fairly common) mistake:

listen 80;

location /.well-known/acme-challenge/ {
  # ...
}
return 301 https://whatever$request_uri; # not scoped, overrides everything

then the location block will get ignored and you’ll end up having to also put the location block into the port 443 listener.


#3

Ahhh ok that’s probably my issue then. Thanks for clearing it up.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.