<div dir="ltr">For each domain in my nginx config I have:<div><br></div><div>```</div><div><div> location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {</div><div> default_type text/plain;</div><div> return 200 "my-unique-identifier";</div><div> }</div></div><div>```</div><div><br></div><div>See <a href="https://hlandau.github.io/acme/userguide#web-server-configuration-challenges">https://hlandau.github.io/acme/userguide#web-server-configuration-challenges</a></div><div><br></div><div>But I don't directly expose nginx to the world. I have HAProxy in front of it (allows for more flexibility). That config has:</div><div><br></div><div>```</div><div># Irrelevant to discussion things removed<br><div>frontend proxy</div><div> bind <a href="http://45.63.16.142:80">45.63.16.142:80</a></div><div> # if the client didn't request HTTPS, make them request HTTPS</div><div> redirect scheme https code 308 if !{ ssl_fc }</div></div><div><br></div><div><div>frontend proxy-ssl</div><div> bind <a href="http://45.63.16.142:443">45.63.16.142:443</a> ssl crt /var/lib/acme/live/<a href="http://itcouldbe9.com/haproxy">itcouldbe9.com/haproxy</a></div><div> default_backend default-server</div><div><br></div><div>backend default-server</div><div> server server1 <a href="http://10.10.10.2:80">10.10.10.2:80</a></div></div><div>```</div><div><br></div><div>I just renewed my cert yesterday and had no problem. </div><div><br></div><div>P.S. Kyle, I was looking forward to your SALT presentation Tuesday, but I have had something else come up so I'll have to miss it :(</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 11, 2017 at 9:22 AM, Kyle Brieden <span dir="ltr"><<a href="mailto:kyle@txmoose.com" target="_blank">kyle@txmoose.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I run my Nextcloud instance at home and use a LE cert to encrypt it. I had it running on 80 and 443 to the world, with 80 doing a hard 301 to 443 for everything. That broke cert renewals for whatever reason, so I had to add an exception for the /.well-known/* path for LE. Later, I started running an OpenVPN instance on port 80, because the work firewall ONLY allows 80 and 443 out. Once I stopped PAT'ing 80 to my nginx server, the next renewal broke.<br>
<br>
Short story is this: For whatever reason, LE servers *must* be able to reach your site at 80 and 443. I assume this has something to do with issuing a cert for a site that currently does not have a cert? I never really thought about it much.<br>
<br>
This block appears in my HTTP server block, with the first location block appearing in my HTTPS block as well.<br>
<br>
location ~ ^/.well-known/acme-challenge/* {<br>
allow all;<br>
}<br>
<br>
# enforce https<br>
location ~ / {<br>
return 301 https://$server_name:$request_<wbr>uri;<br>
}<br>
<br>
As far as remedy, every 2 and a half months, I jump onto my router, switch the PAT from 80 -> OpenVPN to 80 -> nginx server, do the LE cert renewal, then switch it back. I will make it a more sane process later, but for now... well <a href="https://xkcd.com/1205/" rel="noreferrer" target="_blank">https://xkcd.com/1205/</a><br>
---<br>
Very respectfully,<br>
Kyle Brieden<div class="HOEnZb"><div class="h5"><br>
<br>
On 10-05-2017 20:40, DJ-Pfulio wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Anyone else having trouble renewing let's encrypt certs?<br>
<br>
Apache2 on Ubuntu 16.04.<br>
<br>
Failing tls-sni-01 challenge.<br>
<br>
I have 2 sites on the same machine. Both have renewed 3 times without<br>
issues. Today, they both failed. The script that always worked before:<br>
<br>
#!/bin/sh<br>
export PATH=/usr/local/sbin:/usr/loca<wbr>l/bin:/usr/sbin:/usr/bin:/sbin<wbr>:/bin<br>
/usr/bin/letsencrypt renew<br>
<br>
<br>
<br>
I've been through the log file(s). Not anything useful, just:<br>
<br>
FailedChallenges: Failed authorization procedure. <a href="http://site.domain.com" rel="noreferrer" target="_blank">site.domain.com</a><br>
(tls-sni-01): urn:acme:error:connection :: The server could not connect<br>
to the client to verify the domain :: Failed to connect to<br>
50.xx.xx.xx:443 for tls-sni-01 challenge<br>
<br>
DNS is correct.<br>
Site is up on 443, but not on 80.<br>
I opened the site to everyone. Normally, only allow a few specific subnets.<br>
<br>
Ideas?<br>
______________________________<wbr>_________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/li<wbr>stinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/li<wbr>stinfo</a></blockquote>
</div></div><br>______________________________<wbr>_________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">James Sumners<br><a href="http://james.sumners.info/" target="_blank">http://james.sumners.info/</a> (technical profile)<br><a href="http://jrfom.com/" target="_blank">http://jrfom.com/</a> (personal site)<br><a href="http://haplo.bandcamp.com/" target="_blank">http://haplo.bandcamp.com/</a> (music)</div>
</div>