[BUG] Disable rewrite lets encrypt validation ? #1896

Open
2 tasks done
LiloBzH opened this issue Jan 12, 2025 · 6 comments
Labels
bug Something isn't working

Comments


LiloBzH commented Jan 12, 2025

What happened?

Hi

I want to validate a certificate on my Synology.
I created a reverse proxy mynas.internet.com to 192.168.1.100:80.

It works with every URL except for the certificate.

How to reproduce?

When I want to create a certificate on the Synology, the Let's Encrypt server goes to:

http://mynas.internet.com/.well-known/acme-challenge/lR6RUsdfdsdqKP-rN7wzKsdqsdqsduVKDpYHszxQ

and BunkerWeb rewrites it to open:

open() "/var/tmp/bunkerweb/lets-encrypt/.well-known/acme-challenge/lR6RUsdfdsdqKP-rN7wzKsdqsdqsduVKDpYHszxQ" failed (2: No such file or directory)

letsencrypt.lua rewrites it every time.

Is it possible to bypass the rewrite?

Thanks

Configuration file(s) (yaml or .env)

version: '3.5'

services:
  bunkerweb:
    image: bunkerity/bunkerweb:1.5.12
    ports:
      - 80:8080
      - 443:8443
    labels:
      - "bunkerweb.INSTANCE=yes"
    environment:
      - SERVER_NAME=mynas.internet.com
      - MULTISITE=yes
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 62.210.138.175
      - USE_BUNKERNET=no
      - mynas.internet.com_USE_UI=yes
      - mynas.internet.com_USE_REVERSE_PROXY=yes
      - mynas.internet.com_REVERSE_PROXY_URL=/admin
      - mynas.internet.com_REVERSE_PROXY_HOST=http://bw-ui:7000
      - mynas.internet.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
    networks:
      - bw-universe
      - bw-services

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.12
    depends_on:
      - bunkerweb
      - bw-docker
    volumes:
      - bw-data:/data
    environment:
      - DOCKER_HOST=tcp://bw-docker:2375
    networks:
      - bw-universe
      - bw-docker

  bw-docker:
    image: tecnativa/docker-socket-proxy:nightly
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - LOG_LEVEL=warning
    networks:
      - bw-docker

  bw-ui:
    image: bunkerity/bunkerweb-ui:1.5.12
    depends_on:
      - bw-docker
    volumes:
      - bw-data:/data
    environment:
      - DOCKER_HOST=tcp://bw-docker:2375
      - ADMIN_USERNAME=admin
      - ADMIN_PASSWORD=adminadminadminadmin
    networks:
      - bw-universe
      - bw-docker

volumes:
  bw-data:

networks:
  bw-universe:
    name: bw-universe
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bw-services:
    name: bw-services
  bw-docker:
    name: bw-docker

Relevant log output

2025/01/12 17:52:10 [notice] 3162#3162: *1842 [LETSENCRYPT] got a visit from Let's Encrypt, let's whitelist it, client: xxx.xxx.xxx.xxx, server: mynas.internet.com, request: "GET /.well-known/acme-challenge/lR6RsdqdqsdkwaKP-rN7wzK6odqsdqsdpYHszxQ HTTP/1.1", host: "mynas.internet.com"

2025/01/12 17:52:10 [notice] 3162#3162: *1842 [ACCESS] letsencrypt returned status 0 : visit from LE, client: xxx.xxx.xxx.xxx, server: mynas.internet.com, request: "GET /.well-known/acme-challenge/lR6RsdqdqsdkwaKP-rN7wzK6odqsdqsdpYHszxQ HTTP/1.1", host: "mynas.internet.com"

2025/01/12 17:52:10 [error] 3162#3162: *1842 open() "/var/tmp/bunkerweb/lets-encrypt/.well-known/acme-challenge/lR6RsdqdqsdkwaKP-rN7wzK6odqsdqsdpYHszxQ " failed (2: No such file or directory), client: xxx.xxx.xxx.xxx, server: mynas.internet.com, request: "GET /.well-known/acme-challenge/lR6RUcDwfnXZkwaKP-rN7wzK6oORfKu1uVKDpYHszxQ HTTP/1.1", host: "mynas.internet.com"

BunkerWeb version

1.5.12

What integration are you using?

Docker

Linux distribution (if applicable)

Proxmox - LXC

Removed private data

  • I have removed all private data from the configuration file and the logs

Code of Conduct

  • I agree to follow this project's Code of Conduct
LiloBzH added the "bug" label on Jan 12, 2025
@TheophileDiot (Member)

Hi @LiloBzH, thank you for opening this issue. Did you try to use the Customcert plugin instead, so BunkerWeb doesn't touch your certificates?
https://docs.bunkerweb.io/latest/security-tuning/#custom-certificate


LiloBzH commented Jan 13, 2025

Yes. The problem is that BunkerWeb analyzes the URL and, as soon as it sees the string "/.well-known/acme-challenge/", it uses the /tmp/ directory.

For the moment, my only lead is to modify the server.conf in /etc/nginx/website/server.conf

@TheophileDiot (Member)

Ah, I see. The certificates are moved afterward to allow for caching.
It’s possible there was an issue during the certificate creation process by the scheduler. I recommend checking the logs for any errors or warnings during that step to pinpoint the problem.


LiloBzH commented Jan 13, 2025

Except that I do not want to create a certificate for this equipment via BunkerWeb.
Synology creates its certificate autonomously.
BunkerWeb would just have to redirect port 80 of this domain to port 80 of the equipment without using your local /tmp/
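What the routing described in this comment and in the earlier one about server.conf looks like as a plain nginx server block, written here as an added illustration (it is not BunkerWeb's own template, and whether a hand-edited server.conf takes precedence over the letsencrypt.lua handler is an assumption the thread does not confirm): the ACME HTTP-01 path is forwarded to the Synology at 192.168.1.100:80 instead of being served from /var/tmp/bunkerweb/lets-encrypt, and only well-formed challenge tokens are forwarded.

```nginx
# Added example, not BunkerWeb's configuration. Assumes this block is
# evaluated for mynas.internet.com before BunkerWeb's Let's Encrypt
# handler; the listen port 8080 matches the compose mapping 80:8080.
server {
    listen 8080;
    server_name mynas.internet.com;

    # ACME tokens are base64url: letters, digits, '-' and '_'. Anchoring
    # the regex means "../" or extra path segments never match here.
    location ~ ^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$ {
        proxy_pass http://192.168.1.100:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Keep the validator's connection short-lived if the NAS is slow.
        proxy_connect_timeout 5s;
        proxy_read_timeout 10s;
    }

    # Any other request under the ACME prefix is answered locally with 404
    # rather than being forwarded or mapped to a local directory.
    location /.well-known/acme-challenge/ {
        return 404;
    }

    # Remaining traffic goes to the NAS as before.
    location / {
        proxy_pass http://192.168.1.100:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The regex location is matched before the prefix location for the same path, so a valid token is proxied and everything else under the prefix returns 404; the nginx error log should then show no open() on /var/tmp/bunkerweb/lets-encrypt for those requests.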

@TheophileDiot (Member)

Oh I see, then what you're looking for is the Custom Certificate plugin and not Let's Encrypt.
