Hello,
I've come across a strange behavior regarding the ssl_stapling configuration with the nginx authenticator.
It almost drove me crazy for about a day.
Here is what happened:
I installed a fresh new configuration (debian/nginx/mysql/php/letsencrypt), started to issue some certificates successfully, migrated websites, everything went smoothly.
But then, I decided to harden my nginx configuration, restricting ssl protocols, ssl sessions, etc.
At that point, nginx was hardened, A+ grade for ssl verifications, everything was running great.
Then, adding a new website became a real pain in the ***
I configured everything, migrated, and then came the moment: let's issue a certificate. HTTP challenges fail with 404. Strange. I try to list certificates, try to dry-run a renew... boom: 404 error, none of the certificates will be renewed.
So I came back to basics, trying to remove and reinsert parts of the nginx configuration, until I realized that the directive causing all this was... ssl_stapling.
What am I missing?
Is it regular behavior with ssl_stapling?
Many thanks!
Nginx.conf
user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    multi_accept on;
    worker_connections 65535;
}

http {
    upstream php {
        server unix:/var/run/php/php7.4-fpm.sock;
        include upstreams/*.conf;
        keepalive 10;
    }

    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    types_hash_max_size 2048;

    # MIME
    include mime.types;
    # default_type application/octet-stream;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # SSL
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/nginx/dhparam.pem;

    # Mozilla Intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # OCSP Stapling
    ssl_stapling off;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;

    # Buffer policy
    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 2k;
    large_client_header_buffers 2 1k;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /usr/share/nginx/html;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Load configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
Command run
certbot --dry-run --nginx --cert-name=my-domain.com renew
Response when ssl_stapling: on
Processing /etc/letsencrypt/renewal/my-domain.com.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my-domain.com
Waiting for verification...
Challenge failed for domain my-domain.com
http-01 challenge for my-domain.com
Cleaning up challenges
Attempting to renew cert (my-domain.com) from /etc/letsencrypt/renewal/my-domain.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my-domain.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my-domain.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: my-domain.com
Type: unauthorized
Detail: Invalid response from
http://my-domain.com/.well-known/acme-challenge/UL1R9MfunJFJRC7qiLsLQvzzcA7z1a5Nvg2SwmuDxbU
[xxx.xxx.xxx.xxx]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\nnginx\r\n"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Response when ssl_stapling: off
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my-domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my-domain.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/my-domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/my-domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
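The two things this post turns on can be checked offline before touching the live server: whether the http{} context actually satisfies the prerequisites for `ssl_stapling on` (nginx's ssl module documentation requires a `resolver` to look up the OCSP responder, and, when `ssl_stapling_verify on` is set, the issuer chain in `ssl_trusted_certificate`, otherwise the OCSP response is rejected and nothing is stapled), and how the port-80 server treats the http-01 path (`/.well-known/acme-challenge/...`), which Let's Encrypt fetches over plain HTTP and for which it follows redirects. The script below is an added example, not the poster's configuration or anything from certbot; the embedded sample config is a constructed, trimmed copy of the posted nginx.conf with `ssl_stapling` switched to "on" so the lint has something to report, and the tiny parser handles only the plain directive/block syntax seen here (no quoted strings, no include resolution).

```python
"""Offline lint for OCSP-stapling prerequisites and the http-01 path in an
nginx.conf.  Added example, not the poster's config or certbot code."""
import re

# Constructed sample: the posted http{} block, trimmed, with ssl_stapling
# switched to "on" (the poster has it "off").
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;              # constructed: the poster has this "off"
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 valid=60s;
    resolver_timeout 2s;
    large_client_header_buffers 2 1k;
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        location / {
            return 301 https://$host$request_uri;
        }
    }
}
"""


def tokenize(text):
    """Strip # comments, then split into words, ';', '{' and '}'."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse(tokens, i=0):
    """Recursive descent over the token list: returns (items, next_index).
    Each item is (name, args, children); children is None for a simple
    directive and a list for a block."""
    items, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            items.append((words[0], words[1:], None))
            words, i = [], i + 1
        elif tok == "{":
            children, i = parse(tokens, i + 1)
            items.append((words[0], words[1:], children))
            words = []
        elif tok == "}":
            return items, i + 1
        else:
            words.append(tok)
            i += 1
    return items, i


def directive(items, name):
    """Args of the first `name` directive at this level, or None."""
    return next((args for n, args, _ in items if n == name), None)


def blocks(items, name):
    """All blocks called `name` at this level as (args, children) pairs."""
    return [(args, kids) for n, args, kids in items if n == name and kids is not None]


def lint(conf_text):
    """Return a list of findings (strings); an empty list means nothing to flag."""
    top, _ = parse(tokenize(conf_text))
    http = blocks(top, "http")[0][1]
    findings = []

    # OCSP stapling prerequisites from the nginx ssl module docs: the responder
    # hostname needs a resolver, and verification needs the issuer chain in
    # ssl_trusted_certificate, otherwise nginx rejects the OCSP response.
    if (directive(http, "ssl_stapling") or ["off"])[0] == "on":
        if directive(http, "resolver") is None:
            findings.append("ssl_stapling on but no resolver: the OCSP responder "
                            "hostname cannot be resolved")
        verify = (directive(http, "ssl_stapling_verify") or ["off"])[0]
        if verify == "on" and directive(http, "ssl_trusted_certificate") is None:
            findings.append("ssl_stapling_verify on without ssl_trusted_certificate: "
                            "OCSP responses fail verification and nothing is stapled")

    # http-01: Let's Encrypt fetches http://<name>/.well-known/acme-challenge/<token>
    # and follows redirects, so a blanket 301 on port 80 only works if the
    # HTTPS server it lands on answers that path.
    for _, server in blocks(http, "server"):
        listens = [args for n, args, _ in server if n == "listen"]
        on_80 = any(a.split(":")[-1] == "80" for args in listens for a in args)
        locations = blocks(server, "location")
        has_acme = any(a.startswith("/.well-known/acme-challenge")
                       for args, _ in locations for a in args)
        if on_80 and not has_acme:
            for args, kids in locations:
                ret = directive(kids, "return")
                if args == ["/"] and ret and ret[0].startswith("3"):
                    findings.append("port-80 server redirects / with %s and has no "
                                    "acme-challenge location: the challenge is only "
                                    "answered if the HTTPS vhost serves it" % ret[0])
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("-", finding)
```

Run against the posted config as it stands (stapling off), only the redirect note fires; with `ssl_stapling on` the missing `ssl_trusted_certificate` is reported as well. The redirect itself is not the 404 in the post (the validator follows it), which is why the useful next step is to request the challenge URL by hand against the HTTPS vhost and see which server block answers it.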