.well-known/acme-challenge/ fail 404 in nginx proxy

I have an nginx backend server that has a Let's Encrypt certificate. Now, I want to add an nginx reverse proxy and create a Let's Encrypt certificate for it. However, when I try to reach http://jcp-connect.fr/.well-known/acme-challenge/test, I get a 404.

In my Nginx proxy configuration file at `/etc/nginx/sites-available/reverse`, I set the following:

server {
    listen 80;
    listen [::]:80;
    server_name jcp-connect.fr;
    index index.htm index.html;

    location / {
        try_files $uri/index.html $uri.html $uri @backend;
    }

    location ~ /\.well-known/acme-challenge {
        root /usr/share/nginx/html;
    }

    location @backend {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://jcp-connect.fr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 900s;
    }
}

My nginx backend server has the IP address 192.168.1.45; it is hosted on another machine, and its nginx.conf file is set as follows:

http {
    include mime.types;
    index index.php index.html index.htm;
    default_type text/html;

    sendfile on;
    keepalive_timeout 65;
    gzip on;
    client_max_body_size 1000M;

    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    server {
        listen 80;
        listen [::]:80;
        listen 443 ssl http2;
        server_name jcp-connect.fr;
        ssl_certificate /etc/dehydrated/certs/jcp-connect.fr/cert.pem;
        ssl_certificate_key /etc/dehydrated/certs/jcp-connect.fr/privkey.pem;

        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 4 32k;
        fastcgi_busy_buffers_size 32k;
        fastcgi_temp_file_write_size 32k;
        client_body_timeout 10;
        client_header_timeout 10;
        send_timeout 60;
        output_buffers 1 32k;
        postpone_output 1460;
        root   /www/WebPortal/public;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
            add_header X-Frame-Options sameorigin always;
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index  index.php;
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

            if (-f $request_filename) {
                # fastcgi_pass 127.0.0.1:1026;
                fastcgi_pass unix:/var/run/php7-fpm.sock;
            }
        }
    }
}

Hi,

Where did you put the file? In reverse proxy or in the actual server? What path did you put the file in?
(P.S. Have you restarted/reloaded the Nginx server in the frontend?)

Thanks

Can you also try to place the location match block (Let’s Encrypt acme-challenge) before the overall location block?

Hi,
Thanks for your response. The nginx reverse proxy is installed on one machine, and the path of the configuration file is /etc/nginx/sites-enabled/reverse.
I used another machine to configure an nginx backend server, and the path of the configuration file for the server is /etc/nginx/nginx.conf. For the server, I already have a certificate.
Yes, I restarted the nginx in the frontend.

I placed the block (Let’s Encrypt acme-challenge) before the overall location block.

@JuergenAuer Are you familiar with this setup?
(I’m not familiar with proxy…)

The proxy can be considered as another nginx server; the problem comes from the nginx proxy configuration file.

Which directory did you place the test file in?

Which server is the test file stored on?

The test file is stored in /usr/share/nginx/html/.well-known/acme-challenge.
The test file is on the nginx reverse proxy.

Then some assumption in your original post needs to be double checked. With the nginx configuration as written, the file would be accessible:

root@c2101eb9a0c1:/# mkdir -p /usr/share/nginx/html/.well-known/acme-challenge
root@c2101eb9a0c1:/# echo hello > /usr/share/nginx/html/.well-known/acme-challenge/test
root@c2101eb9a0c1:/# curl -i jcp-connect.fr/.well-known/acme-challenge/test
HTTP/1.1 200 OK

I tried it again but same problem. Have you any idea where this problem comes from?

$ mkdir -p /usr/share/nginx/html/.well-known/acme-challenge
$ echo hello > /usr/share/nginx/html/.well-known/acme-challenge/test
$ curl -i jcp-connect.fr/.well-known/acme-challenge/test

HTTP/1.1 404 Not Found
Server: nginx/1.17.5
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

It is hard to know without seeing your full nginx configuration. There’s a variety of issues that could occur, but it’s up to you to offer more information.

You can get your full config by running:

nginx -T

Check also that the request is not going to the backend server inadvertently. I mention this because your proxy_pass references your backend server by its DNS name … but it seems that the DNS name should refer to your frontend server. From your reverse proxy, try running:

curl -i --resolve jcp-connect.fr:80:127.0.0.1 http://jcp-connect.fr/.well-known/acme-challenge/test

It’s already been mentioned, but try stopping your nginx server, confirm that it’s stopped, and start it again.

1 Like

Yes, when I try
curl -i --resolve jcp-connect.fr:80:127.0.0.1 http://jcp-connect.fr/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 12 Dec 2019 10:21:47 GMT
Content-Type: application/octet-stream
Content-Length: 6
Last-Modified: Thu, 12 Dec 2019 09:57:10 GMT
Connection: keep-alive
ETag: "5df20ef6-6"
Accept-Ranges: bytes

It works. So, how do I generate the certificate now, and which modification should I add in my nginx proxy?

1 Like

Problem #1: From what I can tell, your domain is bypassing your reverse proxy nginx, and it is going directly to your backend nginx. The evidence for this is in your previous post. Until you make your domain go through your reverse proxy, you won’t be able to get a certificate on the reverse proxy.

Problem #2: Your nginx configuration says:

proxy_pass http://jcp-connect.fr;

I don’t think this is going to work out in the long run. Probably more suitable is:

proxy_pass http://192.168.1.45;
1 Like
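
Added example (not part of the thread, and not written by any of its participants): the two curl outputs quoted above differ in status and in their `Server` header (`nginx/1.17.5` for the public name, `nginx/1.14.0 (Ubuntu)` when pinned to 127.0.0.1), which is the kind of evidence that shows the public name is answered by a different machine. The shell functions below make that comparison; the function names and verdict strings are made up for this example, and the sample responses are constructed from the headers quoted in the thread.

```shell
#!/bin/sh
# Added example: compare the response for the public name with the response
# obtained when the same name is pinned to this host (curl --resolve).

# Constructed samples, copied from the header lines quoted in the thread.
PUBLIC_RESPONSE='HTTP/1.1 404 Not Found
Server: nginx/1.17.5
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive'

PINNED_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 12 Dec 2019 10:21:47 GMT
Content-Type: application/octet-stream
Content-Length: 6'

# Print the numeric status code from the first line of a header block.
http_status() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# Print the value of the Server header (header names are case-insensitive).
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# $1 = headers seen via the public name, $2 = headers seen when pinned locally.
# The Server header is only a hint: two hosts can send the same value
# (for example with "server_tokens off"), so "ok" means "no mismatch seen".
diagnose() {
    pub_status=$(http_status "$1"); pub_server=$(server_header "$1")
    pin_status=$(http_status "$2"); pin_server=$(server_header "$2")
    if [ "$pin_status" != "200" ]; then
        # This nginx cannot serve the challenge file even when asked directly.
        echo "local-config-problem"
    elif [ "$pub_server" != "$pin_server" ]; then
        # A different server software/version answered for the public name.
        echo "public-name-reaches-another-server"
    elif [ "$pub_status" = "200" ]; then
        echo "ok"
    else
        echo "same-server-different-result"
    fi
}

# Live use on the reverse proxy (needs curl and network access; not called here).
# $1 = host name, $2 = URL path of the test file.
probe_live() {
    public=$(curl -s -o /dev/null -D - "http://$1$2")
    pinned=$(curl -s -o /dev/null -D - --resolve "$1:80:127.0.0.1" "http://$1$2")
    diagnose "$public" "$pinned"
}

# Offline run on the constructed samples.
diagnose "$PUBLIC_RESPONSE" "$PINNED_RESPONSE"
```

On the reverse proxy itself, `probe_live jcp-connect.fr /.well-known/acme-challenge/test` performs the same two requests live.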

I changed the proxy pass but when I type
curl -i jcp-connect.fr/.well-known/acme-challenge/test
I get the same 404 not found

1 Like

Indeed … you still have Problem #1 left to solve.

1 Like

Can you help me, please? I modified my nginx reverse proxy configuration but I still have problem #1.

# configuration file /etc/nginx/nginx.conf:

user www-data;
worker_processes  1;
error_log  /var/log/nginx/error.log;

pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    tcp_nodelay on;
    server_tokens off;
    client_body_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 1 1K;
    ignore_invalid_headers on;
    gzip on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_vary on;
    gzip_types text/plain text/css application/x-javascript;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

    include /etc/nginx/conf.d/proxy.conf;
    include /etc/nginx/sites-enabled/reverse;
}

configuration file /etc/nginx/mime.types:

types {
text/html                             html htm shtml;
text/css                              css;
text/xml                              xml;
image/gif                             gif;
image/jpeg                            jpeg jpg;
application/javascript                js;
application/atom+xml                  atom;
application/rss+xml                   rss;

text/mathml                           mml;
text/plain                            txt;
text/vnd.sun.j2me.app-descriptor      jad;
text/vnd.wap.wml                      wml;
text/x-component                      htc;

image/png                             png;
image/tiff                            tif tiff;
image/vnd.wap.wbmp                    wbmp;
image/x-icon                          ico;
image/x-jng                           jng;
image/x-ms-bmp                        bmp;
image/svg+xml                         svg svgz;
image/webp                            webp;

application/font-woff                 woff;
application/java-archive              jar war ear;
application/json                      json;
application/mac-binhex40              hqx;
application/msword                    doc;
application/pdf                       pdf;
application/postscript                ps eps ai;
application/rtf                       rtf;
application/vnd.apple.mpegurl         m3u8;
application/vnd.ms-excel              xls;
application/vnd.ms-fontobject         eot;
application/vnd.ms-powerpoint         ppt;
application/vnd.wap.wmlc              wmlc;
application/vnd.google-earth.kml+xml  kml;
application/vnd.google-earth.kmz      kmz;
application/x-7z-compressed           7z;
application/x-cocoa                   cco;
application/x-java-archive-diff       jardiff;
application/x-java-jnlp-file          jnlp;
application/x-makeself                run;
application/x-perl                    pl pm;
application/x-pilot                   prc pdb;
application/x-rar-compressed          rar;
application/x-redhat-package-manager  rpm;
application/x-sea                     sea;
application/x-shockwave-flash         swf;
application/x-stuffit                 sit;
application/x-tcl                     tcl tk;
application/x-x509-ca-cert            der pem crt;
application/x-xpinstall               xpi;
application/xhtml+xml                 xhtml;
application/xspf+xml                  xspf;
application/zip                       zip;

application/octet-stream              bin exe dll;
application/octet-stream              deb;
application/octet-stream              dmg;
application/octet-stream              iso img;
application/octet-stream              msi msp msm;

application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

audio/midi                            mid midi kar;
audio/mpeg                            mp3;
audio/ogg                             ogg;
audio/x-m4a                           m4a;
audio/x-realaudio                     ra;

video/3gpp                            3gpp 3gp;
video/mp2t                            ts;
video/mp4                             mp4;
video/mpeg                            mpeg mpg;
video/quicktime                       mov;
video/webm                            webm;
video/x-flv                           flv;
video/x-m4v                           m4v;
video/x-mng                           mng;
video/x-ms-asf                        asx asf;
video/x-ms-wmv                        wmv;
video/x-msvideo                       avi;
 }

configuration file /etc/nginx/conf.d/proxy.conf:

proxy_redirect          off;
proxy_set_header        Host            $host;
proxy_set_header        X-Real-IP       $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header       X-Powered-By;
proxy_intercept_errors on;
proxy_buffering on;

configuration file /etc/nginx/sites-enabled/reverse:

server {
    listen 80;
    listen [::]:80;
    server_name jcp-connect.fr;
    index index.htm index.html;
    access_log off;

    location ~ /\.well-known/acme-challenge {
        root /usr/share/nginx/html;
    }

    location / {
        try_files $uri/index.html $uri.html $uri @backend;
    }

    location @backend {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_pass http://192.168.1.45;
        proxy_read_timeout      90;
        proxy_redirect          off;
    }
}

The problem may be from my backend server??

I’m not sure how else to explain. I will try to rephrase:

I don’t think your reverse proxy is receiving the request at all.

I think you have it wired up wrong, and when I visit http://jcp-connect.fr/.well-known/acme-challenge/test , the connection is directly to your backend server.

So it is not really a matter of nginx configuration, but rather how things are connected together.

2 Likes

Check your router (or something similar)'s port forwarding option, make sure both port 80 and 443 are forwarded to your reverse proxy server, not the actual backend server.

2 Likes

@_az @stevenzhu Thanks sooooo muuuch for your help. Yes, I have a connection problem and it is solved

1 Like
