Nginx
ChernovGV, 2020-07-02 18:53:54

Unable to verify domain for ssl Let's encrypt via certbot, what's wrong with Nginx config?

Good afternoon, I can not generate a certificate due to an error:

Failed authorization procedure. rukzak3d.ru (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from domain.ru/.well-known/acme-challenge/Iurj9ChNH9JNH... [82.146.55.40]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\nnginx/1.19.0"

I read the logs and came to the conclusion that the domain confirmation mechanism is as follows:

1) Certbot creates an nginx config like:
location /.well-known/acme-challenge/Iurj9ChNH9JNHUtLUxc_6A0Yo4HS8AoEshvPTx_JXo0 {
    default_type "text/plain";
    return 200 Iurj9ChNH9JNHUtLUxc_6A0Yo4HS8AoEshvPTx_JXo0.DyD11cIvsF3VQsyoJH3me_in7zC0mwIq5myzx10Pa3c;
}

2) Includes it at the very beginning of the http block in the main config /etc/nginx/nginx.conf:
http {
    include /etc/letsencrypt/le_http_01_cert_challenge.conf;
    ...
}

3) Requests domain.ru/.well-known/acme-challenge/Iurj9ChNH9JNH... and checks the response code; if it is not 200, it reports an error.

Now the /etc/nginx/nginx.conf config is:
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {

    server {
        charset utf-8;

        listen 443;

        keepalive_timeout   120;


        index index.php index.html;

        root /var/www/sites/domain/web;

        server_name domain.ru;

        index index.php;

        location / {
            try_files $uri /index.php?$args;
        }

        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /var/www/sites/domain/web;
        }
    }
}


If I add the following code to the server section:
http {
...
    server {
        ....
        location /.well-known/acme-challenge/Iurj9ChNH9JNHUtLUxc_6A0Yo4HS8AoEshvPTx_JXo0 {
            default_type "text/plain";
            return 200 Iurj9ChNH9JNHUtLUxc_6A0Yo4HS8AoEshvPTx_JXo0.DyD11cIvsF3VQsyoJH3me_in7zC0mwIq5myzx10Pa3c;
        }
    }
}

Then the browser at domain.ru/.well-known/acme-challenge/Iurj9ChNH9JNH... responds with a 200 code.
If I paste it where certbot's config is included, i.e. at the beginning of the http section:
http {
    location /.well-known/acme-challenge/Iurj9ChNH9JNHUtLUxc_6A0Yo4HS8AoEshvPTx_JXo0 {
        default_type "text/plain";
        return 200 Iurj9ChNH9JNHUtLUxc_6A0Yo4HS8AoEshvPTx_JXo0.DyD11cIvsF3VQsyoJH3me_in7zC0mwIq5myzx10Pa3c;
    }
...
    server {
        ....
    }
}

we get a 404 error :(

The question is: how do I make nginx respond with a 200 code when /etc/letsencrypt/le_http_01_cert_challenge.conf is included at the beginning of the http section? Or how do I make certbot put the config in the server section?


2 answer(s)
ky0, 2020-07-02

Your config listens on port 443, and LE checks via HTTP, without encryption.

aliubko, 2020-07-03

Add a server section with port 80:

server {
    listen 80;
    server_name SITE_Name;

    location /.well-known/acme-challenge {
        allow all;
        root /var/www/html;
    }
}
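Putting both answers together with the validation flow the asker traced: Let's Encrypt fetches the http-01 token over plain HTTP on port 80, and the question's nginx.conf only has a server listening on 443, so the challenge location inside that server block is never reached by the validator. The configuration below is an added illustration, not the asker's config, either answerer's, or anything generated by certbot. It reuses the webroot and include path from the question; the certificate paths under /etc/letsencrypt/live/domain.ru/ are assumed (certbot's usual layout), and the 443 block is a minimal stand-in for the asker's existing one.

```nginx
# Added example (not from the thread): an http block with a plaintext
# port-80 server for the ACME http-01 challenge and a TLS server for
# the site. Webroot and include path come from the question; the
# certificate paths are assumed.
http {
    # certbot's nginx authenticator includes its challenge config here,
    # as observed in the question; harmless if the file is empty or absent
    # when using --webroot instead.
    include /etc/letsencrypt/le_http_01_cert_challenge.conf;

    server {
        # The validator connects over plain HTTP, so a port-80 server
        # must exist even for an HTTPS-only site.
        listen 80;
        server_name domain.ru;

        # Serve challenge files from the webroot; with
        #   certbot certonly --webroot -w /var/www/sites/domain/web -d domain.ru
        # certbot writes the token file here (assumed invocation).
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /var/www/sites/domain/web;
        }

        # Everything else is sent to HTTPS. The ^~ prefix above wins over
        # this location, so challenge requests are never redirected.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name domain.ru;

        # Certificate paths in certbot's default layout (assumed).
        ssl_certificate     /etc/letsencrypt/live/domain.ru/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.ru/privkey.pem;

        root /var/www/sites/domain/web;
        index index.php index.html;

        location / {
            try_files $uri /index.php?$args;
        }
    }
}
```

Before running certbot, check the syntax with `nginx -t`, reload, and confirm the port-80 path works by placing a test file in /var/www/sites/domain/web/.well-known/acme-challenge/ and fetching it with `curl -i http://domain.ru/.well-known/acme-challenge/<filename>`; an HTTP 200 there is exactly what the validator needs to see, and an nginx 404 at that point reproduces the error in the question.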
