Setting up Certbot for use with nginx port 80 conflict

Before you continue testing with LE production services...
Please place a test text file in the expected challenge location:

Then see if it can be reached directly from the Internet.

2 Likes

In order to receive a successful test, looks like I need to disable the port 80 redirect. BTW, this is done in nginx (see my original conf above).

After the test, if I would re-enable that redirect, the actual renewal process must use port 443 (if I'm following this correctly). This then brings up another issue. I created the 2443 port because nginx is on a Virtual Machine and so I couldn't use port 443 as it's being used elsewhere on the network.

It's possible I'm completely dead-wrong about all this :upside_down_face:

This one?

Just add a block like the one I have, above the return 301 directive. You might even use a location / block in the port 80 server block to make it more clear, just put the acme-specific one above.

(Oh, I just remembered. You have several port 80 server blocks. Nginx supports includes.)

1 Like

Using your example, how do I add this in? I need to account for the 2443 SSL port

server {
listen 2443 ssl;

Once you have a certificate, you can use it on any unused port (including 2443).
So, first, you get a cert.
Then you make the vhost config that will use it to secure access via some FQDN:PORT to a specific /path/location.

1 Like

Ah, okay. Thank you.

2 Likes

I'm receiving the same error.
Below is the new conf file
I entered 'c:/nginx' as the webroot
I stopped and restarted server

Suggestions?

worker_processes  1;
events {
    worker_connections  1024;
}

http {
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        listen 80;
        listen [::]:80;
        server_name .winvm.link;

        location /.well-known/acme-challenge/ {
            root /var/www/acme;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }
}

This seems to be Windows path style:

This seems to be Linux path style:

Something's not adding up...

2 Likes

This is a long thread now and I'm not sure I'm following it very well, but have you tried just using DNS validation?

I don't know how to use namecheap with Certbot but it can be used with Certify The Web (which is a full GUI, which I develop) or Posh-ACME (PowerShell). In Certify you would:

  • Add a new Managed Certificate, add your domains/subdomains.
  • On the authorization tab choose "dns-01" and "Namecheap (via Posh-ACME)", then provide it your API credentials (which you'd need to set up): Namecheap - Posh-ACME
  • Click "Request Certificate", this should successfully order a cert

Your next step is to automate deployment to nginx:

  • add the "Deploy to NGINX" task under Tasks (to get the certificate files where you want them). Click the Play button next to the task to just run it using your latest cert.
  • add a script task to run any other commands you need such as reloading nginx (or just use the service task to restart nginx).
  • From then on automatic renewals will also auto deploy to nginx. You can ask Certify-specific questions over at https://community.certifytheweb.com/
2 Likes

DITTO!

4 Likes

Yes, the reason I'm here. For whatever reason, dns validation does not work with NC.
I'll look into Posh-ACME, thank you.

1 Like

Pardon, I actually did change it to... 'c:/nginx' in the conf file.
I'm assuming this is the correct path, as I can see the directory created and removed via certbot.

Regarding this... Unfortunately, the topic has gone off-topic a bit; receiving direction on how my conf file(s) should be created.

It creates (and then removes it) from wherever you tell it to do so.
So that isn't proof that it is correct - that only proves certbot is doing what you told it to do.
If you used:

       	location /.well-known/acme-challenge/ {
                root c:/nginx;
OR [not sure which way is correct for Windows]
                root c:\nginx;
        	}

then it should match and be correct.

You should test that (independently) by adding a test text file in the challenge folder.
Like: c:\nginx\.well-known\acme-challenge\Test_File-1234
[you may have to create the folders]
Then try:
http://winvm.link/.well-known/acme-challenge/Test_File-1234

2 Likes
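The root/webroot mismatch discussed in the last few posts can be checked offline before touching the Let's Encrypt servers. The following is an added example, not code from any poster in this thread: it reads the acme-challenge location from an nginx config and compares the file nginx would serve with the file certbot's webroot plugin writes (`<webroot>/.well-known/acme-challenge/<token>`). The function names are hypothetical, `SAMPLE_CONF` is constructed from the config posted above, and the case-insensitive path comparison assumes a Windows host.

```python
import re

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: the port-80 server block as posted in the thread.
SAMPLE_CONF = """
server {
    listen 80;
    server_name .winvm.link;
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
"""

def norm(path):
    # Unify separators, trailing slash and case (Windows paths assumed).
    return path.strip().strip("'\"").replace("\\", "/").rstrip("/").lower()

def acme_location(conf):
    """Return (directive, path) from the acme-challenge location, or None."""
    pattern = r"location\s+(?:\^~\s+)?" + re.escape(ACME_PREFIX) + r"\s*\{([^}]*)\}"
    block = re.search(pattern, conf)
    if not block:
        return None
    m = re.search(r"^\s*(root|alias)\s+([^;]+);", block.group(1), re.M)
    return (m.group(1), m.group(2)) if m else None

def served_path(directive, path, token):
    """File nginx opens for GET /.well-known/acme-challenge/<token>."""
    # root: the full URI is appended; alias: only the part after the prefix.
    return norm(path) + (ACME_PREFIX if directive == "root" else "/") + token

def written_path(webroot, token):
    """File certbot's webroot plugin creates for the same token."""
    return norm(webroot) + ACME_PREFIX + token

def check(conf, webroot, token="Test_File-1234"):
    loc = acme_location(conf)
    if loc is None:
        return False, "no acme-challenge location with root/alias"
    served, written = served_path(*loc, token), written_path(webroot, token)
    return served == written, f"nginx serves {served}; certbot writes {written}"

if __name__ == "__main__":
    print(check(SAMPLE_CONF, "c:/nginx"))
```

With the config as posted and a webroot of `c:/nginx`, the check reports a mismatch; changing `root` to the same directory as the webroot makes the two paths agree.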
