I put 4 of them, let me know if you need all of them. It looks like some use installer and some do not; not sure what I did here. Can I make them all renew the same way so it will be easier? Also I see # renew_before_expiry = 30 days; does it mean if I uncomment it, it will renew automatically? (Up to now I do it manually every 3 months.)
www.sign-art.app
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/www.sign-art.app
cert = /etc/letsencrypt/live/www.sign-art.app/cert.pem
privkey = /etc/letsencrypt/live/www.sign-art.app/privkey.pem
chain = /etc/letsencrypt/live/www.sign-art.app/chain.pem
fullchain = /etc/letsencrypt/live/www.sign-art.app/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = fd7f3c9aafe669c533299cd899585305
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
installer = nginx
apitest.sign-art.app
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/apitest.sign-art.app
cert = /etc/letsencrypt/live/apitest.sign-art.app/cert.pem
privkey = /etc/letsencrypt/live/apitest.sign-art.app/privkey.pem
chain = /etc/letsencrypt/live/apitest.sign-art.app/chain.pem
fullchain = /etc/letsencrypt/live/apitest.sign-art.app/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = fd7f3c9aafe669c533299cd899585305
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
api.sign-art.app
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/api.sign-art.app
cert = /etc/letsencrypt/live/api.sign-art.app/cert.pem
privkey = /etc/letsencrypt/live/api.sign-art.app/privkey.pem
chain = /etc/letsencrypt/live/api.sign-art.app/chain.pem
fullchain = /etc/letsencrypt/live/api.sign-art.app/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = fd7f3c9aafe669c533299cd899585305
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
# Options used in the renewal process
[renewalparams]
account = fd7f3c9aafe669c533299cd899585305
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
I don't see how that makes things any easier.
Automating the entire process makes it easier.
Piling all your certs to renew at the exact same time actually creates an unnecessary traffic jam - LOL
30 days is the default, so commented or not the result is the same.
That line has nothing to do with whether it renews automatically or not.
That whole config is used whenever a renewal is attempted.
How renewals are triggered is through scheduled tasks (cron jobs or systemd timers).
OK, I see. Thanks a lot for doing all this, really a huge help.
Here is the result after certbot renew --dry-run -v:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: alpha.sign-art.app
Type: unauthorized
Detail: Invalid response from
https://alpha.sign-art.app/.well-known/acme-challenge/FAX8bVrE_BeMB8Pqyorfzo1u0y7LkPugK8sc_ZOaPYY
[2606:4700:3034::ac43:d83f]: "<!DOCTYPE html><html prefix=\"og:
http://ogp.me/ns#\"><head><meta charset=UTF-8><meta name=viewport
content=\"width=device-width,in"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: api.sign-art.app
Type: unauthorized
Detail: Invalid response from
https://api.sign-art.app/.well-known/acme-challenge/7yXJhEHsUgecHbmtytKO4yF06XIzwLy8BuJEWsT1xng
[2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
Found</title></head>\n<body>\n<center><h1>404 Not
Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: apitest.sign-art.app
Type: unauthorized
Detail: Invalid response from
https://apitest.sign-art.app/.well-known/acme-challenge/gPcrsfAC6-9unYRy74vEQ684rW7VFDcdLfreX40cFA0
[2606:4700:3034::ac43:d83f]: "<html>\n<head><title>404 Not
Found</title></head>\n<body>\n<center><h1>404 Not
Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: beta.sign-art.app
Type: unauthorized
Detail: Invalid response from
https://beta.sign-art.app/.well-known/acme-challenge/wgZ5QIMMjzjNcL7a8222GPBfR10U9iOzd5iwmyTTOsg
[2606:4700:3034::ac43:d83f]: "<!DOCTYPE html><html prefix=\"og:
http://ogp.me/ns#\"><head><meta charset=UTF-8><meta name=viewport
content=\"width=device-width,in"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: faucet.sign-art.app
Type: unauthorized
Detail: Invalid response from
https://faucet.sign-art.app/.well-known/acme-challenge/xgN8zkeRPWxab1lEERgOV71fgbRXmiflfOMS_Hi-crk
[2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
Found</title></head>\n<body>\n<center><h1>404 Not
Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: mainnet.sign-art.app
Type: unauthorized
Detail: Invalid response from
https://mainnet.sign-art.app/.well-known/acme-challenge/qZNzRIRAWdWbLtRDwkb4dSpSHo2zQ6ii77y4SMbIQIk
[2606:4700:3034::ac43:d83f]: "<!DOCTYPE html><html prefix=\"og:
http://ogp.me/ns#\"><head><meta charset=UTF-8><meta name=viewport
content=\"width=device-width,in"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: preprod.sign-art.app
Type: unauthorized
Detail: Invalid response from
http://preprod.sign-art.app/.well-known/acme-challenge/dY3ygAPWzI4fbdIx13Yz8dLiEZpM07gNsw_IQ4DErIk
[2606:4700:3032::6815:10db]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
<html class=\"no-js ie6 oldie\" lang=\"en-US\">
<![endif]-->\n<!--[if IE 7]> <html class=\"no-js "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: sign-art.app
Type: unauthorized
Detail: Invalid response from
https://sign-art.app/.well-known/acme-challenge/q_eZ8XHbnfOyD56PN6r_zTct_RXHiG0kEV_WhbIXDVk
[2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
Found</title></head>\n<body>\n<center><h1>404 Not
Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"
Domain: www.sign-art.app
Type: unauthorized
Detail: Invalid response from
https://www.sign-art.app/.well-known/acme-challenge/LuA6eW9kameshxwvlh3bOaRpH2Z3NFnPHHx5Flf_EQk
[2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
Found</title></head>\n<body>\n<center><h1>404 Not
Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: sign-art.app
Type: unauthorized
Detail: Invalid response from
https://sign-art.app/.well-known/acme-challenge/wIdVtV4u1mDjOcBxMhOBcBVTUx9j0nwXX8K_P0vN82g
[2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
Found</title></head>\n<body>\n<center><h1>404 Not
Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: site.sign-art.app
Type: unauthorized
Detail: Invalid response from
https://site.sign-art.app/.well-known/acme-challenge/JXaqianEn8hHC5aiQgAypW9QmeRErCsUFRbz6MmVQGM
[2606:4700:3032::6815:10db]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
<html class=\"no-js ie6 oldie\" lang=\"en-US\">
<![endif]-->\n<!--[if IE 7]> <html class=\"no-js "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: www.sign-art.app
Type: unauthorized
Detail: Invalid response from
https://www.sign-art.app/.well-known/acme-challenge/vcHOUjJtpHdpwpXB-P1DkSksVpUnN678EfUAQPqcHEw
[2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
Found</title></head>\n<body>\n<center><h1>404 Not
Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
If certbot runs on this box, yes.
You might be able to put it in the well-known location block.
Re-re-reviewing the whole config, it is now obvious: that is the main difference.
The ones that work all have roots.
The ones without roots (using proxy) are all failing (or going to fail on next renewal attempt).
The trick is to do both:
provide a local root path for the HTTP challenge files to be served from
That may not be a good secure location.
[unless that directory is empty or has nothing critical stored there - or further down that path]
It is highly recommended that you create a new and dedicated challenge path.
No.
I'm only talking about how to properly/securely handle requests like: https://your.domain/.well-known/acme-challenge/test-file-1234
Everything else gets proxied as before.
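As an added example (not part of the thread, and not something the person replying above posted), here is one way to carry out what this reply and the earlier "automate the entire process" reply describe: serve only /.well-known/acme-challenge/ from a dedicated, otherwise empty webroot, keep proxying everything else, then re-issue once with the webroot authenticator so that the scheduled certbot renew run no longer depends on the nginx plugin finding a root. The webroot /var/www/acme-challenge, the snippet path under /etc/nginx/snippets, the www-data group and the use of api.sign-art.app as the example certificate name are assumptions; adjust them to the actual host.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed paths and names are
# marked below; the only thread-provided values are the host name and
# the /.well-known/acme-challenge/ prefix.
set -eu

WEBROOT=${WEBROOT:-/var/www/acme-challenge}          # assumed dedicated challenge root
SNIPPET=${SNIPPET:-/etc/nginx/snippets/acme-challenge.conf}   # assumed snippet path
CERT_NAME=${CERT_NAME:-api.sign-art.app}              # one of the thread's hosts, as an example

# Where nginx will look for a token when "root $WEBROOT" is set inside the
# /.well-known/acme-challenge/ location (root appends the full URI path).
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# nginx location block to include in every server block that currently
# proxies the whole site. "^~" makes this prefix win over any regex
# locations the application config may define, so the proxy never sees
# the challenge request.
acme_snippet() {
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $1;
    default_type text/plain;
    # Served from a dedicated, otherwise empty tree: nothing that belongs
    # to the application lives under this root.
    try_files \$uri =404;
}
EOF
}

# Offline sanity check: a token written at challenge_path() is the file the
# generated location block would serve. Runs without nginx or certbot.
selftest() {
    tmp=$(mktemp -d)
    f=$(challenge_path "$tmp" test-file-1234)
    mkdir -p "$(dirname "$f")"
    printf 'ok' > "$f"
    [ "$(cat "$f")" = "ok" ] || return 1
    acme_snippet "$tmp" | grep -q "root $tmp;" || return 1
    rm -rf "$tmp"
    echo "selftest: ok"
}

# Real deployment steps (need root, nginx and certbot on the box).
apply_config() {
    mkdir -p "$WEBROOT/.well-known/acme-challenge"
    chown -R root:www-data "$WEBROOT"        # assumed nginx group
    chmod -R u=rwX,g=rX,o= "$WEBROOT"
    acme_snippet "$WEBROOT" > "$SNIPPET"
    # Each proxied server block needs:  include /etc/nginx/snippets/acme-challenge.conf;
    nginx -t
    systemctl reload nginx
    # Re-issue once with the webroot authenticator; certbot rewrites the
    # renewal conf for this cert name, so later "certbot renew" runs
    # (from the cron job / systemd timer) use the same method.
    certbot certonly --webroot -w "$WEBROOT" --cert-name "$CERT_NAME" \
        -d "$CERT_NAME" --deploy-hook 'systemctl reload nginx'
    certbot renew --dry-run
}

case "${1:-selftest}" in
    selftest) selftest ;;
    apply)    apply_config ;;
    *) echo "usage: $0 [selftest|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument for the offline self-check, and with apply on the server once the include line has been added to each proxied server block. The dry run at the end is the same check that produced the errors above; after the switch it should no longer report "Invalid response" for the proxied hosts, because the token is now read from the dedicated root rather than answered by the application behind the proxy.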
Ah OK, I see, it doesn't have to be the path to my app, just a path to where the well-known test file will be.
So I can do /home/letsencrypt/challenge, for example; is that OK?