Where should /.well-known/acme-challenge/ point?

I have set up my cert using Certbot (--nginx).

My app is currently receiving requests for the /.well-known/acme-challenge endpoint and giving 404.

I have tried adding the following location block above my location /, and now Nginx gives a 404 instead. I’m not sure where the acme-challenge location path should point to. /var/www/html is basically empty in my case.

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

Nginx file:

server {
    server_name subdomain.myserver.com;

    # Everything is proxied to the app listening on port 3000
    location / {
        proxy_pass https://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/subdomain.myserver.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/subdomain.myserver.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    # Plain-HTTP listener: redirect the subdomain to HTTPS, 404 for anything else
    if ($host = subdomain.myserver.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name subdomain.myserver.com;
    listen 80;
    return 404; # managed by Certbot
}

Note: I’m using a subdomain

Thanks


It should point to the same location that you pass to Certbot. Where exactly is not important.

That configuration would be suitable if you were doing something like:

certbot certonly -d subdomain.myserver.com --webroot -w /var/www/html
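For reference, here is what a pair of server blocks built around that webroot can look like. This is an added example, not a config posted in the thread; it reuses the hostname, the /var/www/html webroot and the localhost:3000 upstream from the question, and assumes the Certbot-managed TLS paths shown there. The challenge location is placed in both the port-80 and the port-443 block and ahead of the redirect, because the validator follows a 301 to https and must still find the token file on the other side.

```nginx
# Added example (not the poster's config): serve HTTP-01 challenges from
# /var/www/html on both listeners, before anything redirects or proxies.

server {
    listen 80;
    server_name subdomain.myserver.com;

    # Must come before the redirect, so a request for the token is answered
    # from disk instead of being bounced elsewhere. With 'root', the whole
    # URI is appended: the file is /var/www/html/.well-known/acme-challenge/<token>
    location /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else on plain HTTP goes to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name subdomain.myserver.com;

    ssl_certificate     /etc/letsencrypt/live/subdomain.myserver.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain.myserver.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Same location on the TLS listener: Let's Encrypt follows the 301 above,
    # so the token must also be served here, ahead of the proxy.
    location /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
        try_files $uri =404;
    }

    # The application, proxied as in the original config
    location / {
        proxy_pass https://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

The root given here has to be the same directory passed to certbot with `--webroot -w /var/www/html`, as the answer above says; run `nginx -t` and reload before trying a renewal.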

Hi @thellimist

Where should /.well-known/acme-challenge/ point?

Simple answer: that's your choice.

Create the two subdirectories /.well-known/acme-challenge there, put a test file in it (file name 1234), then try to load that file via HTTP.

If that works, use that root as your webroot parameter.

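The check suggested in this answer, scripted, as an added example rather than something posted in the thread: it drops a throwaway token under a candidate webroot, fetches it over plain HTTP through the public hostname the way the validator would, and compares the two. The webroot /var/www/html and the hostname subdomain.myserver.com come from the question; the function names, the curl-based fetch and the optional -4/-6 flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a candidate webroot really
# answers /.well-known/acme-challenge/<token> before passing it to certbot -w.
# Usage: sh webroot-check.sh /var/www/html subdomain.myserver.com [-4|-6]
set -eu

# With nginx's 'root' directive the whole request URI is appended to the root,
# so /.well-known/acme-challenge/<token> is served from this on-disk path.
acme_disk_path() {
    webroot=$1; token=$2
    printf '%s/.well-known/acme-challenge/%s\n' "${webroot%/}" "$token"
}

# Create the challenge directory under the webroot and write a throwaway token.
place_token() {
    webroot=$1; token=$2; body=$3
    mkdir -p "${webroot%/}/.well-known/acme-challenge"
    printf '%s' "$body" > "$(acme_disk_path "$webroot" "$token")"
}

# Read the token back from disk: this is what nginx should hand out for the URI.
read_token() {
    cat "$(acme_disk_path "$1" "$2")"
}

# Remove the test token so it is not left lying around in the webroot.
remove_token() {
    rm -f "$(acme_disk_path "$1" "$2")"
}

# Fetch the token over plain HTTP via the public hostname, following redirects
# as the Let's Encrypt validator does. $3 may be -4 or -6 to pin the address
# family (useful when the AAAA record is suspect).
fetch_token() {
    host=$1; token=$2; ipflag=${3:-}
    # shellcheck disable=SC2086  # ipflag is intentionally unquoted (may be empty)
    curl -sS -L --max-time 15 $ipflag "http://$host/.well-known/acme-challenge/$token"
}

webroot_check() {
    webroot=$1; host=$2; ipflag=${3:-}
    token="selftest-$$"                                    # unique per run, not secret
    body=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    place_token "$webroot" "$token" "$body"
    trap 'remove_token "$webroot" "$token"' EXIT
    got=$(fetch_token "$host" "$token" "$ipflag") || got=''
    if [ "$got" = "$body" ]; then
        echo "OK: http://$host/.well-known/acme-challenge/ is served from $webroot"
        echo "Next: certbot renew -a webroot -w $webroot --dry-run"
    else
        echo "FAIL: expected '$body', got '${got:-<empty>}'" >&2
        echo "Check the location block in the port-80 server block and any redirect that runs before it." >&2
        return 1
    fi
}

if [ $# -ge 2 ]; then
    webroot_check "$@"
fi
```

Run it from the machine hosting nginx, but note that the fetch goes through the public name, so if a CDN or proxy sits in front of the server the script sees exactly what the validator sees, not what nginx serves locally.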

I have created a file at /var/www/html/.well-known/acme-challenge/1234 and added

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

to my Nginx config. I can download the file 1234; however, running certbot renew gives

Attempting to renew cert (subdomain.myserver.com) from /etc/letsencrypt/renewal/subdomain.myserver.com.conf produced an unexpected error: Failed authorization procedure. subdomain.myserver.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://subdomain.myserver.com/.well-known/acme-challenge/somerandomkeys [2606:4700:3032::681f:43b1]: "<html>\n<head><title>404 Not Found</title></head>\n<body bgcolor=\"white\">\n<center><h1>404 Not Found</h1></center>\n<hr><center>ngin". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/subdomain.myserver.com/fullchain.pem (failure)

What am I missing?

Thanks

Without knowing your real domain, it’s total guesswork, but check that your domain’s IPv6 AAAA record is correct, and that your nginx listen stanza is effective for the IPv6 interface.

I mention this because the redacted error you pasted reveals that Let’s Encrypt is connecting to your server over IPv6.

Edit: ah, it’s a Cloudflare IP. That’s probably not the issue then.

If you are using --nginx, be aware that there is an issue relating to Cloudflare which leads to the kind of problem you’re having. To see whether it is relevant to you, try renewing using webroot instead of --nginx:

certbot renew -a webroot -w /var/www/html --dry-run

Ohh interesting. Cloudflare makes sense. Great catch!

FYI This worked
