I added allow all;
afterwards. The location = /.well-known/acme-challenge/uWKvs1DxO
part is added by certbot for the challenge and removed afterwards. But without the allow all;
it does not work.
That’s expected if your default is otherwise.
LE can’t log in to get the file.
When you add “allow all;” within “{ braces }”, it will only be applied to things within those “{ braces }” - not to the entire system.
So in the case of:
location = /.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA {
    default_type text/plain;
    allow all;
    return 200 uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA.09aCJ3tIiWYvz2SggLO1SKbjjSGTWiZYGed8VquwcOA;
} # managed by Certbot
It will only be applied to that one file.
[but that would be a very manual modification going forward]
And as for the (more reasonable) location:
[which would/should replace the other location statement altogether]
location ~ /.well-known {
    allow all;
}
I would secure that by clarifying that as:
location ~ /.well-known/acme-challenge {
    allow all;
    root /some/dedicated/path/for/challenges/only;
    try_files $uri =405;
}
Hope that helps.
Cheers from Miami
Okay, my server.conf now looks like this:
server {
    listen 80;
    listen 443 ssl http2;
    listen [::]:80;
    listen [::]:443 ssl http2;
    server_name domain.de;
    client_max_body_size 132m;
    root /home/project/website;
    index index.php;
    try_files $uri $uri/ index.php?$args;
    ssl_certificate /etc/letsencrypt/live/domain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.de/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/domain.de/chain.pem;
    location ~ /.+\.php$ {
        try_files $uri /index.php;
        fastcgi_index index.php;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    }
    location ~ /.well-known/acme-challenge {
        allow all;
        root /home;
        try_files $uri =405;
    }
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
I still get the same error as before.
I sure hope this is not what you are using:
root /home
That aside, why are you listening to HTTP and HTTPS in the same block?
listen 80;
listen 443 ssl http2;
listen [::]:80;
listen [::]:443 ssl http2;
Although that might be possible, it can lead to trouble quickly.
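As an added example (not from any post in this thread), here is one way to lay out the configuration the replies above point at: a separate port-80 server that serves only the challenge directory from a dedicated webroot and redirects everything else to HTTPS, and a separate TLS server for the site itself. The host name example.com, the paths /var/www/letsencrypt and /srv/www/site, and the certbot invocation in the comments are assumptions; the PHP-FPM socket is the one from the posted config.

```nginx
# Added example, not the configuration of anyone in this thread.
# Host name and paths are assumptions.

# Plain-HTTP server: serves only ACME challenge files and redirects everything
# else. Keeping it apart from the TLS server avoids mixing "listen 80" and
# "listen 443 ssl" in one block.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Dedicated webroot for challenges. With
    #   certbot certonly --webroot -w /var/www/letsencrypt -d example.com
    # certbot writes /var/www/letsencrypt/.well-known/acme-challenge/<token>,
    # and nginx appends $uri to root, so the two paths line up. Nothing else
    # lives under this root, so a wrong "root" cannot expose home directories.
    location ^~ /.well-known/acme-challenge/ {
        # Overrides any server-level deny for this location only.
        allow all;
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # "^~" above is a prefix match that wins before regex locations are tried,
    # so the challenge path never reaches this redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS server for the actual site.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    root /srv/www/site;
    index index.php;
    client_max_body_size 132m;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Only hand existing .php files to PHP-FPM; =404 avoids passing
    # arbitrary paths to the interpreter.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Before running certbot, the mapping can be checked without touching the CA: create a file at /var/www/letsencrypt/.well-known/acme-challenge/test, reload nginx, and fetch http://example.com/.well-known/acme-challenge/test with curl from outside the host. A 200 with the file's contents means the validation server will see the token the same way; a 301 or 403 means another location or an access rule is still catching the path.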
Any news?
Not sure if this will help, but it appears you need to update your client software so that you are using ACMEv2-compatible client challenges? I just know Letsencrypt servers were whining at me, and wouldn't let me use my v1 client software with their v2 version server, until I upgraded my client software. So you could drop back to using their v1 server (specified in the cli.ini file), although if I remember correctly, the official cutoff date for ACME v1 challenges is June 1!
I am just guessing however so ymmv.... Marc...