Situation: Running an apache2 webserver on port 8080 and nginx (as reverse proxy) on port 80. Nginx forwards API traffic (domain.org/api/…) to localhost, port 3000, and all other web traffic to the apache2 server (also localhost, port 8080, /var/www/html as document root and /var/www/html/images for all images). Please see the nginx config under this message.
Goal: I want to obtain, install and use a Let’s Encrypt SSL certificate so that my visitors will see the padlock icon. Also, when someone visits domain.org, I want them to automatically use the secure https protocol (just like this community site does).
Attempts: I tried several options (certbot, acme.sh), but cannot get the job done. Last try (acme.sh): I got everything installed, but then the browser stated: "400 Bad Request - The plain HTTP request was sent to HTTPS port"… So that didn’t give the results I hoped for.
Question: Please advise. What should I use? Certbot? Should I choose the nginx setup, the apache setup, or both? What should I change in my configuration and where should I put the .pem / .key files? The entire process is just not very clear to me. Thank you for any assistance provided.
My current nginx config:
limit_req_zone $binary_remote_addr zone=apicall_to_rpc:1m rate=1r/s;

# Split the traffic between static web content (port 80) and
# API calls towards the NodeJS server (port 3000), which will
# send them through to the Gravity GZRO RPC server.
server {
    listen 80;
    server_name gzrograviteers.org;
    access_log /var/log/nginx/nginx-access.log;
    proxy_set_header x-real-ip $remote_addr;

    location / {
        proxy_pass http://localhost:8080;
    }

    location /api/ {
        limit_req zone=apicall_to_rpc burst=100 nodelay;
        proxy_pass http://localhost:3000/;
    }

    location ~* ^/[^/]+\.(?:gif|jpg|jpeg|png)$ {
        root /var/www/html/images;
        try_files $uri =404;
    }
}
You can use Certbot or acme.sh. It's possible that certbot --nginx will do everything that you want based on your current configuration (it would be good to see what it does wrong, if not).
Basically the configuration that you'll eventually want to get to (whether via certbot --nginx or hand-editing your configuration) is creating a new nginx server block listening on port 443 and configured with your private key and chain. This server block can then do the same proxy_pass that your current port 80 server block does.
You'll then want to have a new port 80 server block which takes any request and rewrites the request to its https:// equivalent via a 301 redirect message. (certbot --nginx can do this for you, if it works.)
During the certificate validation process, your site will need to serve challenge files from /.well-known/acme-challenge via HTTP on port 80. certbot --nginx can add a temporary server block which does this in order not to have to make a permanent change to your nginx configuration.
Alternatively, you can add an additional rule to your existing server block so that /.well-known/acme-challenge is served out of a directory on the filesystem, rather than being proxy_passed to a different server. In that case certbot --webroot would be able to work. Or you could add a rule that /.well-known/acme-challenge requests are proxy_passed to a different port and then use certbot --standalone --http-01-port followed by that port number.
I hope one of these options will work well for you.
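The layout the answer describes, written out as an added nginx example (not config from the original thread or output from Certbot): a port 80 block that serves only the ACME challenge from a webroot directory and 301-redirects everything else, and a port 443 block carrying the poster's original proxy rules. The webroot path /var/www/letsencrypt and the X-Forwarded-Proto header are assumptions; the certificate paths are the standard ones Certbot writes under /etc/letsencrypt/live/ for the domain in the poster's config.

```nginx
# Added example, not the poster's config or Certbot's output. Assumes Certbot
# is run with:  --webroot -w /var/www/letsencrypt -d gzrograviteers.org
# so the certificate lands under the standard /etc/letsencrypt/live/ path.
limit_req_zone $binary_remote_addr zone=apicall_to_rpc:1m rate=1r/s;

# Port 80: serve only the ACME challenge over plain HTTP, redirect the rest.
server {
    listen 80;
    server_name gzrograviteers.org;

    # "^~" makes this prefix match win over "location /" below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed dir; files land in <root>/.well-known/acme-challenge/
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS terminates here; proxy rules copied from the old port 80 block.
server {
    listen 443 ssl;
    server_name gzrograviteers.org;
    access_log /var/log/nginx/nginx-access.log;

    ssl_certificate     /etc/letsencrypt/live/gzrograviteers.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gzrograviteers.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    proxy_set_header x-real-ip $remote_addr;
    # Tells the backends the client used HTTPS, so they can emit https:// or
    # scheme-relative URLs instead of hard-coded http:// ones (assumed header).
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
        proxy_pass http://localhost:8080;
    }

    location /api/ {
        limit_req zone=apicall_to_rpc burst=100 nodelay;
        proxy_pass http://localhost:3000/;
    }

    location ~* ^/[^/]+\.(?:gif|jpg|jpeg|png)$ {
        root /var/www/html/images;
        try_files $uri =404;
    }
}
```

Run `nginx -t` and reload before requesting the certificate; if the challenge location did not take precedence over the redirect, Let's Encrypt would be bounced to https:// and validation would fail.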
Thank you, that worked! Certbot edited my nginx config (actually, the file in ‘sites-enabled’, as it should). I had to make some changes in the code, as some API calls were hard-coded to “http://”. I just changed them to “//servername/…”, and it works fine now.
Thanks, Schoen! Great job on the project and helping me out here.