Yes, exactly!
https://your.domain/.well-known/acme-challenge/* > /home/letsencrypt/challenge/*
https://your.domain/* > proxy
Do I need a different path per subdomain, or can I use the same one for all?
Same path is good.
We aren't trying to secure the files stored there [which are public].
We are trying to ensure no one can use that path to reach anything else.
Let's test run one domain:
certbot certonly \
--webroot -w /home/letsencrypt/challenge/ \
-d alpha.sign-art.app \
--dry-run -v
This gave me the following:
certbot certonly \
> --web-root -w /home/letsencrypt/challenge/ \
> -d alpha.sign-art.app \
> --dry-run -v
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --web-root
It should be --webroot
I tried for alpha.sign-art.app but got the unauthorized again. This one isn't a reverse proxy but also doesn't have the "location ~ /.well-known"; should I add it?
server {
    root /home/crashbdx/alpha.sign-art.app/dist;
    #root /home/crashbdx/maintenance;
    index index.html;
    server_name alpha.sign-art.app;
    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.html;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/alpha.sign-art.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alpha.sign-art.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = alpha.sign-art.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name alpha.sign-art.app;
    listen 80;
    return 404; # managed by Certbot
}
By the way, is it location ~ /.well-known/acme-challenge { or location ~ /.well-known { ?
More specific is better:
Use:
location ~ /.well-known/acme-challenge {
Ok, so I also add it in my server block for alpha.sign-art.app since it's not there, right?
Definitely.
It is safe to add to all blocks.
Added it and tried again, and now I'm getting this:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: alpha.sign-art.app
Type: dns
Detail: During secondary validation: DNS problem: SERVFAIL looking
up A for alpha.sign-art.app - the domain's nameservers may be
malfunctioning
Well that must be a momentary failure:
sign-art.app nameserver = donna.ns.cloudflare.com
sign-art.app nameserver = nicolas.ns.cloudflare.com
CloudFlare DNS is one of the better ones out there.
Try it again.
- The dry run was successful.
Very cool, so I can try it for real now? Then add the path in all the other nginx configs?
Yes, remove:
--dry-run -v
and get a real renewed cert!
Certificate Name: alpha.sign-art.app
Domains: alpha.sign-art.app
Expiry Date: 2021-05-05 07:39:02+00:00 (VALID: 89 days)
Thanks a lot! I will repeat that process for the others then, correct?
Yes.
Once the ones below 30 days are all renewed, then you can --dry-run test the ones above 30 days.
Then after they all renew (or pass the dry-run tests), you need to deal with automation.
You can check what may already be there with:
sudo crontab -l
or
sudo crontab -u root -l
and also
sudo systemctl list-timers | grep -i cert
Ok, I'll first repeat for all of the configs, then I'll be ba
I only have one that gives me trouble when I try this:
sudo certbot certonly --webroot -w /home/letsencrypt/challenge/ -d preprod.sign-art.app --dry-run -v
Config:
server {
    root /home/user/mainnet/sign-art.app-1/dist;
    #root /home/user/maintenance;
    index index.html;
    server_name preprod.sign-art.app;
    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.html;
    }
    location ~ /.well-known/acme-challenge {
        root /home/letsencrypt/challenge;
        allow all;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/preprod.sign-art.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/preprod.sign-art.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = preprod.sign-art.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name preprod.sign-art.app;
}
ERROR
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: preprod.sign-art.app
Type: unauthorized
Detail: Invalid response from
http://preprod.sign-art.app/.well-known/acme-challenge/sD_4BKh1pJC1lYY-FR2wBP87zR4I2J1-WlVLai6voAU
[2606:4700:3032::6815:10db]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
<html class=\"no-js ie6 oldie\" lang=\"en-US\">
<![endif]-->\n<!--[if IE 7]> <html class=\"no-js "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Show the config that you fixed and works.
And show output of:
nginx -t
nginx -t:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
mainnet.sign-art.app (dry run works):
server {
    root /home/user/mainnet/sign-art.app-2/dist;
    #root /home/user/maintenance;
    index index.html;
    server_name mainnet.sign-art.app;
    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.html;
        #auth_basic "Restricted Content";
        #auth_basic_user_file /etc/nginx/.htpasswd;
    }
    location ~ /.well-known/acme-challenge {
        root /home/letsencrypt/challenge;
        allow all;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mainnet.sign-art.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mainnet.sign-art.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = mainnet.sign-art.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name mainnet.sign-art.app;
}
preprod.sign-art.app (dry run fail):
server {
    root /home/user/mainnet/sign-art.app-1/dist;
    #root /home/user/maintenance;
    index index.html;
    server_name preprod.sign-art.app;
    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.html;
    }
    location ~ /.well-known/acme-challenge {
        root /home/letsencrypt/challenge;
        allow all;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/preprod.sign-art.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/preprod.sign-art.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = preprod.sign-art.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name preprod.sign-art.app;
}
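An added example, not from this thread and not part of Certbot or nginx: a small Python audit that applies the advice above ("add the acme-challenge location to all blocks") to a whole nginx config at once and shows which blocks are ready before spending validation attempts. For every server block it reports whether the /.well-known/acme-challenge location points at the shared webroot, whether a port-80 block only redirects to HTTPS (acceptable, since the Let's Encrypt validator follows the redirect into the 443 block, which must then serve the token), and whether a block with no such location would let try_files ... /index.html answer the token URL with the app's HTML instead of the token. The parser is deliberately minimal (comments, nested blocks, plain directives; no quoted strings or include handling), so feed it the fully expanded output of sudo nginx -T. The hostnames ready.example and missing.example, the /srv/www paths and the embedded config are constructed for the example; /home/letsencrypt/challenge is the webroot used in this thread.

```python
"""Audit nginx server blocks for a usable HTTP-01 webroot challenge location.
Added example; SAMPLE_CONFIG is constructed, not a copy of any real vhost."""
import re
import sys
from dataclasses import dataclass, field

CHALLENGE_ROOT = "/home/letsencrypt/challenge"  # shared webroot used in the thread
ACME_PATH = "/.well-known/acme-challenge"


@dataclass
class Block:
    name: str  # "server", "location ~ /.well-known/acme-challenge", "if (...)"
    directives: list = field(default_factory=list)  # (name, [args]) in source order
    children: list = field(default_factory=list)


def parse(text):
    """Minimal nginx parser: # comments, nested {} blocks, ;-terminated directives.
    Quoted strings and 'include' are not handled: use the output of `nginx -T`."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(re.findall(r"[{};]|[^\s{};]+", line.split("#", 1)[0]))
    root, cur = Block("root"), []
    stack = [root]
    for tok in tokens:
        if tok == "{":
            blk = Block(" ".join(cur))
            stack[-1].children.append(blk)
            stack.append(blk)
            cur = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if cur:
                stack[-1].directives.append((cur[0], cur[1:]))
            cur = []
        else:
            cur.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def args_of(block, name):
    return [a for d, a in block.directives if d == name]


def redirects_to_https(block):
    """True if the block (or a nested if) answers with a 30x to an https:// URL."""
    for d, a in block.directives:
        if d == "return" and len(a) >= 2 and a[0] in {"301", "302", "307", "308"} \
                and a[1].startswith("https://"):
            return True
    return any(redirects_to_https(c) for c in block.children if c.name.startswith("if"))


def audit(config_text):
    """One (server_name, level, message) tuple per server block, in config order."""
    findings = []
    for srv in parse(config_text).children:
        if srv.name != "server":
            continue
        host = " ".join(x for a in args_of(srv, "server_name") for x in a) or "(no server_name)"
        ports = {a[0].rsplit(":", 1)[-1] for a in args_of(srv, "listen")}  # "[::]:443" -> "443"
        acme = next((c for c in srv.children
                     if c.name.startswith("location") and ACME_PATH in c.name), None)
        catch_all = [c for c in srv.children if c.name == "location /"]
        spa_fallback = any(a and a[-1].endswith(".html")
                           for c in catch_all for a in args_of(c, "try_files"))
        if acme is not None:
            roots = args_of(acme, "root")
            if roots and roots[0][0] == CHALLENGE_ROOT:
                findings.append((host, "OK", f"acme-challenge location serves {CHALLENGE_ROOT}"))
            else:
                findings.append((host, "WARN", "acme-challenge location root is not the shared webroot"))
        elif "80" in ports and redirects_to_https(srv):
            findings.append((host, "INFO", "port 80 only redirects to https; the 443 block must serve the challenge"))
        elif spa_fallback:
            findings.append((host, "FAIL", "no acme-challenge location; try_files would answer the token URL with index.html"))
        else:
            findings.append((host, "FAIL", "no acme-challenge location in this block"))
    return findings


def hosts_ready(config_text):
    """Per hostname: True when some block serves the challenge and no block fails outright."""
    levels = {}
    for host, level, _ in audit(config_text):
        for h in host.split():
            levels.setdefault(h, []).append(level)
    return {h: "OK" in lv and "FAIL" not in lv for h, lv in levels.items()}


# Constructed sample: one host wired up like the working vhosts above, one without the location.
SAMPLE_CONFIG = """
server { server_name ready.example; listen 443 ssl; root /srv/www/ready/dist;
    location / { try_files $uri $uri/ /index.html; }
    location ~ /.well-known/acme-challenge { root /home/letsencrypt/challenge; allow all; } }
server { server_name ready.example; listen 80;
    if ($host = ready.example) { return 301 https://$host$request_uri; } }
server { server_name missing.example; listen 443 ssl; root /srv/www/missing/dist;
    location / { try_files $uri $uri/ /index.html; } }
server { server_name missing.example; listen 80;
    if ($host = missing.example) { return 301 https://$host$request_uri; }
    return 404; }
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for host, level, msg in audit(text):
        print(f"{level:4} {host}: {msg}")
    print(hosts_ready(text))
```

Run it as `sudo nginx -T > /tmp/nginx-full.conf && python3 acme_audit.py /tmp/nginx-full.conf` to audit the live config; a hostname reported ready whose dry run still fails points away from the nginx vhost and toward what actually answers the public URL (DNS, a proxy or CDN in front, or firewalling), which is the kind of split the last two configs above illustrate.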