Nginx
Iceforest, 2021-11-12 13:41:38

What causes a 404 error when getting a letsencrypt certificate?

Scheme: site ===> 2 nginx balancers ===> app1 and app2
I get the certificate on the server of balancer 1, and when I receive a certificate on the second balancer, I send it to the first balancer (yes, it's crooked; it would be better to do it through rsync or fstab, but this is how it is for now).

When the challenge runs, an error occurs:

Type:   unauthorized
Detail: Invalid response from
http://app.test.ru/.well-known/acme-challenge/Tcz1WXPz5Q-CjQlAIzJ2Y69langzO-zTfjxKF5UDyDk:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"


On balancers 1 and 2 there are two configs: app.conf and lb1.conf

app.conf

upstream lb {
  server lb1.test.ru;
  server lb2.test.ru;
}

server {
  listen 80;
  server_name app.test.ru;

  location / {
    return 301 https://app.test.ru$request_uri;
  }

  location /.well-known/acme-challenge/ {proxy_pass http://lb;}
}


lb1.conf

upstream backend {
  server app1.test.ru;
  server app2.test.ru;
  check interval=1000 rise=1 fall=2 timeout=1000 type=http;
  check_http_send "GET /status HTTP/1.0\r\n\r\n";
  check_http_expect_alive http_2xx http_3xx;
}

server {
  listen 80;
  server_name app1.test.ru;

  access_log /var/log/nginx/log.access.log themain;
  
  location / {return 201;}
  location /status {return 200;}
}

server {
  listen 80;
  server_name app2.test.ru;

  access_log /var/log/nginx/log.access.log themain;
    
  location / {return 202;}
  location /status {return 200;}
}

server {
  listen 80;
  server_name lb1.test.ru;
  
  location /.well-known/acme-challenge {root /opt/www/acme;}
  
  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://backend;
  }
}


On the second balancer app.conf is the same.

lb2.conf

upstream backend {
  server app1.test.ru;
  server app2.test.ru;
  check interval=1000 rise=1 fall=2 timeout=1000 type=http;
  check_http_send "GET /status HTTP/1.0\r\n\r\n";
  check_http_expect_alive http_2xx http_3xx;
}

server {
  listen 80;
  server_name app1.test.ru;

  access_log /var/log/nginx/log.access.log themain;
  
  location / {return 201;}
  location /status {return 200;}
}

server {
  listen 80;
  server_name app2.test.ru;

  access_log /var/log/nginx/log.access.log themain;  
  
  location / {return 202;}
  location /status {return 200;}
}

server {
  listen 80;
  server_name lb2.test.ru;
  
  location /.well-known/acme-challenge {proxy_pass http://lb1.test.ru;}
  
  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://backend;
  }
}


2 servers app1 and app2 (the same):

server {
  listen 80;    

  location / {
    set_real_ip_from unix:;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;
    proxy_pass http://127.0.0.1:8080;
  }
}

2 answer(s)

Alexander Karabanov, 2021-11-13
@karabanov

The chance of success is extremely low. After all, you have two servers and the token is only on one of them; how do you guess which server the checking bot will come to?
Verify via DNS.

Iceforest, 2021-11-15
@Iceforest

Solution: deleted the extra app.conf config; as a result, we got 2 configs:

lb1.conf

upstream backend {
  server app1.test.ru;
  server app2.test.ru;
  check interval=1000 rise=1 fall=2 timeout=1000 type=http;
  check_http_send "GET /status HTTP/1.0\r\n\r\n";
  check_http_expect_alive http_2xx http_3xx;
}

server {
  listen 80;
  server_name app1.test.ru;

  access_log /var/log/nginx/log.access.log themain;

  location / {return 201;}
  location /status {return 200;}
}

server {
  listen 80;
  server_name app2.test.ru;

  access_log /var/log/nginx/log.access.log themain;

  location / {return 202;}
  location /status {return 200;}
}

server {
  listen 80;
  server_name app.test.ru;

  location ~ /.well-known {
    allow all;
    root /opt/www/acme/;
  }

  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://backend;
  }
}

lb2.conf

upstream backend {
  server app1.test.ru;
  server app2.test.ru;
  check interval=1000 rise=1 fall=2 timeout=1000 type=http;
  check_http_send "GET /status HTTP/1.0\r\n\r\n";
  check_http_expect_alive http_2xx http_3xx;
}

server {
  listen 80;
  server_name app1.test.ru;

  access_log /var/log/nginx/log.access.log themain;

  location / {return 201;}
  location /status {return 200;}
}

server {
  listen 80;
  server_name app2.test.ru;

  access_log /var/log/nginx/log.access.log themain;

  location / {return 202;}
  location /status {return 200;}
}

server {
  listen 80;
  server_name app.test.ru;

  location ~ /.well-known {
    proxy_set_header Host app.test.ru;
    proxy_pass http://lb1.test.ru;
  }

  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://backend;
  }
}
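The failure mode the question describes, and that @karabanov's answer names, is that the HTTP-01 validator may reach any of the balancers, so the token has to be served through every one of them; the solution above achieves that by making lb2 forward /.well-known to lb1. The following pre-flight check is an added example, not code from the thread: it writes a probe file into the ACME webroot and then fetches it through each balancer address while sending the public name in the Host header, which is what the CA's validator does. The demo() scenario, the local stand-in servers, and the names app.test.ru, lb1 and lb2 are constructed for illustration; in real use you would pass the public addresses of your balancers.

```python
import os
import shutil
import secrets
import tempfile
import threading
import http.client
from functools import partial
from http.server import ThreadingHTTPServer, SimpleHTTPRequestHandler

# Path the ACME HTTP-01 validator fetches (RFC 8555, section 8.3).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def write_probe_token(webroot):
    """Create a throwaway token file exactly where an ACME client would put
    the real key authorization, so the check exercises the same path."""
    token = secrets.token_urlsafe(32)
    key_auth = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w", encoding="utf-8") as fh:
        fh.write(key_auth)
    return token, key_auth


def fetch_via_balancer(host, port, vhost, token, timeout=5.0):
    """Request the challenge URL through one specific balancer address,
    sending the public name in the Host header as the CA's validator does.
    Returns (status, body); status is None when the connection fails."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": vhost})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    except OSError as exc:
        return None, str(exc)
    finally:
        conn.close()


def check_all_balancers(balancers, vhost, token, key_auth):
    """Map 'host:port' -> True only if that balancer answers 200 with the
    expected key authorization. The validator may land on any balancer, so
    a single False means issuance can fail with the 404 seen in the question."""
    results = {}
    for host, port in balancers:
        status, body = fetch_via_balancer(host, port, vhost, token)
        results[f"{host}:{port}"] = status == 200 and body.strip() == key_auth
    return results


class _QuietHandler(SimpleHTTPRequestHandler):
    """Static file server standing in for one balancer's ACME webroot (demo only)."""

    def log_message(self, *args):  # keep the demo output clean
        pass


def _start_balancer(directory):
    """Start a local stand-in balancer on an ephemeral port (demo only)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=directory))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Constructed scenario: lb1 has the token in its webroot, lb2 does not,
    which is the situation the question describes. Returns the per-balancer
    verdicts; in real use, point `balancers` at the public addresses."""
    lb1_root, lb2_root = tempfile.mkdtemp(), tempfile.mkdtemp()
    token, key_auth = write_probe_token(lb1_root)  # only lb1 gets the file
    lb1, lb2 = _start_balancer(lb1_root), _start_balancer(lb2_root)
    balancers = [("127.0.0.1", lb1.server_address[1]),
                 ("127.0.0.1", lb2.server_address[1])]
    try:
        return check_all_balancers(balancers, "app.test.ru", token, key_auth)
    finally:
        for srv in (lb1, lb2):
            srv.shutdown()
            srv.server_close()
        for root in (lb1_root, lb2_root):
            shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for balancer, ok in demo().items():
        print(f"{balancer}: {'serves token' if ok else 'MISSING token (would 404)'}")
```

If any balancer reports False here, issuance can fail exactly as in the question, because the validator's request is not guaranteed to reach the one node holding the file. The `proxy_set_header Host app.test.ru;` line in the solution's lb2.conf is what makes the forwarded request land in the right server block on lb1: without it nginx sends $proxy_host (here lb1.test.ru) as the Host header, and lb1 routes the request by that name instead of by the public one.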
