Need for HTTP at all


#1

Hi

Just configured my certificate, thanks guys! A quick question: I have a firewall, am I ok to just accept HTTPS traffic on nginx with regards to the renewal process? Or do I have to enable it to accept nginx HTTP as well?

Thanks :slight_smile:


#2

If you’re using the http-01 challenge, then yes you need to keep HTTP on port 80 enabled (even if it’s just a redirect to HTTPS). For the other challenges it doesn’t matter but keeping the redirect is still a good idea.


#3

Silly question I’m sure. How do I know if it’s a http-01 challenge?


#4

If you used Certbot to get a cert for a server running nginx and used a method other than standalone, it’s an http-01 challenge.


#5

Thanks

I used sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com to acquire my certificate.

I currently have my firewall open to accept nginx HTTP + nginx HTTPS.

server {
    listen 80;
    server_name server_domain_or_IP;
    return 301 https://$server_name$request_uri;

    location /.well-known/ {
        root /home/sammy/myproject;
        allow all;
    }
    ...
}

server {

    # SSL configuration

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;

    location /.well-known/ {
        root /home/sammy/myproject;
        allow all;
    }
    ...
}

That redirects my http -> https. Obviously won’t know until my renew script runs on my cron. But does that look ok??

Also, I donated last night to the project :slight_smile:


#6

IIRC, you do not need the .well-known location block in your port 80 config – the ACME server should follow the redirect to the https server.

If you feel like you’re a more advanced user, another option you can explore is to configure letsencrypt to run the certonly standalone authenticator instead of webroot on an alternate port (e.g. 8080) and have nginx proxy requests to /.well-known onto that port.
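As an added example (not from this thread or from nginx/Certbot documentation), here is a port 80 server block that serves only the ACME challenge path and redirects everything else to HTTPS, with the standalone-on-8080 proxy variant from the reply above included as a commented alternative. The redirect sits in `location /` rather than at server level, because a server-level `return` is evaluated before any `location` is matched and would shadow the challenge block. Assumed values: domain example.com, webroot /var/www/html (matching the `--webroot-path` used in #5), and port 8080 for the standalone authenticator.

```nginx
# Added example (not from the thread): port 80 vhost for ACME http-01.
# Assumed values: example.com, webroot /var/www/html, standalone port 8080.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Option A (webroot): serve challenge tokens straight from the directory
    # certbot writes into. "^~" makes this prefix win over regex locations.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
        allow all;
    }

    # Option B (standalone on an alternate port, as suggested in #6):
    # comment out Option A and uncomment this block. certbot's standalone
    # authenticator only listens on 8080 while a challenge is in progress,
    # so nothing else needs to be running there.
    # location ^~ /.well-known/acme-challenge/ {
    #     proxy_pass http://127.0.0.1:8080;
    #     proxy_set_header Host $host;
    # }

    # A "return" directly in the server block runs before location matching
    # and would hide the challenge location, so the redirect lives here.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With Option A the webroot command from #5 is unchanged; with Option B the renewal command becomes `certbot certonly --standalone --preferred-challenges http --http-01-port 8080 -d example.com -d www.example.com`, and the firewall still only needs 80 and 443 open since 8080 is reached via the nginx proxy.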


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.