letsencrypt Nginx conf looks in wrong folder? #53

Open
bryanlandia opened this issue Jan 2, 2019 · 4 comments
@bryanlandia
Contributor

I wasn't able to get manual certbot authentication working with this location. I think both conditional cases should use alias not root, right? Or, authenticator.sh.j2 is incorrect and should store files at {{letsencrypt_webroot}}/.well-known/acme-challenge?

    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        {% if letsencrypt_alternative_acme_folder == "" %}
          root {{ letsencrypt_webroot }};
        {% else %}
          alias {{ letsencrypt_webroot }}/{{ letsencrypt_alternative_acme_folder }};
        {% endif %}
    }

Command run was certbot certonly --agree-tos -m "[email protected]" --manual --manual-public-ip-logging-ok --preferred-challenges=http --manual-auth-hook /opt/scripts/authenticator.sh -d insights.getyouredge.org

which resulted in a 404 response trying to find /var/www/letsencrypt/.well-known/acme-challenge/foo when the file was stored at /var/www/letsencrypt/foo via the /opt/scripts/authenticator.sh script.

@melvinsoft
Contributor

@briandant Sorry for the delay here, I think @thraxil is the most indicated to weigh in here!

@thraxil Can you take a quick look?

@thraxil
Contributor

thraxil commented Feb 8, 2019

@briandant @melvinsoft I think this nginx config is correct, but you don't want to use the authenticator script with it if you don't need the alternative folder setting.

The letsencrypt_alternative_acme_folder setting is pretty much just for Tahoe since we use a GCS bucket to store them and GCS won't let you have a folder named .well-known. So we name it acme-challenges-custom-folder and that is within our mounted /var/www/letsencrypt. The nginx alias ensures that an HTTP request for /.well-known/acme-challenge maps to /var/www/letsencrypt/acme-challenges-custom-folder. The difference between root and alias is that root adds the path from the location directive to it and alias ignores it. If we used root in the second clause, it would look in /var/www/letsencrypt/acme-challenges-custom/.well-known/acme-challenge, which would fail. If we used alias in the first clause, it could work as long as letsencrypt_webroot is set to /var/www/letsencrypt/.well-known/acme-challenge, but the typical setup is that letsencrypt_webroot is just set to /var/www/letsencrypt.

If you don't have Tahoe's constraint of needing a non-standard directory name, you shouldn't need to use the manual authenticator script. You should be able to just use letsencrypt_webroot=/var/www/letsencrypt and do a default challenge without using --manual-auth-hook.
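The root-versus-alias mapping explained above, and the 404 reported in the opening post, can be checked without a running nginx by modelling how nginx turns a request URI into a filesystem path. The following is an added example (not code from this repository or from the comment author); the paths and the alternative folder name mirror the values quoted in this thread, the set of "stored" files is constructed, and the resolution rule is a simplification of nginx's behaviour for a prefix `location` with a single `root` or `alias` directive (no `try_files`, `index` or regex locations).

```python
from pathlib import PurePosixPath
from typing import Dict, Optional, Set

# Values taken from the thread (treated here as assumptions, not project defaults).
LETSENCRYPT_WEBROOT = "/var/www/letsencrypt"
ALT_FOLDER = "acme-challenges-custom-folder"
LOCATION = "/.well-known/acme-challenge"
TOKEN_URI = LOCATION + "/foo"


def resolve(uri: str, location: str, *, root: Optional[str] = None,
            alias: Optional[str] = None) -> str:
    """Model nginx path resolution for a prefix location.

    root:  path = root + full URI         (the location prefix is kept)
    alias: path = alias + URI remainder   (the location prefix is dropped)
    """
    if (root is None) == (alias is None):
        raise ValueError("exactly one of root= or alias= must be given")
    if not uri.startswith(location):
        raise ValueError(f"{uri!r} is not under location {location!r}")
    if root is not None:
        return str(PurePosixPath(root) / uri.lstrip("/"))
    remainder = uri[len(location):]
    return str(PurePosixPath(alias) / remainder.lstrip("/"))


def directive_for(webroot: str, alternative_folder: str) -> Dict[str, str]:
    """Mirror the Jinja conditional in the issue: root when no alternative
    folder is configured, alias to the custom folder otherwise."""
    if alternative_folder == "":
        return {"root": webroot}
    return {"alias": str(PurePosixPath(webroot) / alternative_folder)}


def status_for(uri: str, stored_files: Set[str], **directive: str) -> int:
    """Return the HTTP status nginx would give: 200 if the resolved path
    exists in the constructed file set, 404 otherwise."""
    return 200 if resolve(uri, LOCATION, **directive) in stored_files else 404


def scenarios() -> Dict[str, int]:
    """Replay the cases discussed in the thread."""
    # Constructed on-disk state for each scenario.
    webroot_layout = {f"{LETSENCRYPT_WEBROOT}/.well-known/acme-challenge/foo"}
    manual_hook_layout = {f"{LETSENCRYPT_WEBROOT}/foo"}          # what the hook wrote
    custom_layout = {f"{LETSENCRYPT_WEBROOT}/{ALT_FOLDER}/foo"}  # Tahoe-style bucket

    return {
        # Default setup: certbot --webroot writes under .well-known, root finds it.
        "root, webroot layout": status_for(
            TOKEN_URI, webroot_layout, **directive_for(LETSENCRYPT_WEBROOT, "")),
        # The opening post: root directive, but the hook stored the token flat.
        "root, manual hook layout": status_for(
            TOKEN_URI, manual_hook_layout, **directive_for(LETSENCRYPT_WEBROOT, "")),
        # Alternative folder: alias drops the prefix and hits the custom folder.
        "alias, custom folder": status_for(
            TOKEN_URI, custom_layout, **directive_for(LETSENCRYPT_WEBROOT, ALT_FOLDER)),
        # What would happen if the second clause used root instead of alias.
        "root instead of alias, custom folder": status_for(
            TOKEN_URI, custom_layout, root=f"{LETSENCRYPT_WEBROOT}/{ALT_FOLDER}"),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{status}  {name}")
```

Running the block prints one line per scenario; the second line reproduces the 404 from the opening post (the token is at /var/www/letsencrypt/foo but `root` makes nginx look under /var/www/letsencrypt/.well-known/acme-challenge/foo), and the last line shows why `root` cannot replace `alias` in the alternative-folder clause.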

@briandant

@bryanlandia ^^

@thraxil
Contributor

thraxil commented Feb 8, 2019

Wrong Br[yi]an. Sorry.

@thraxil thraxil removed their assignment Jun 22, 2023