[ale] let's encrypt cert renewals?

James Sumners james.sumners at gmail.com
Thu May 11 09:48:52 EDT 2017


For each domain in my nginx config I have:

```
  # nginx answers the http-01 request itself: the regex captures the token
  # as $1, and the body must be the key authorization "<token>.<thumbprint>",
  # where the thumbprint is that of the ACME account key. The literal
  # "my-unique-identifier" is taken here to stand in for the real thumbprint.
  location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.my-unique-identifier";
  }
```

See
https://hlandau.github.io/acme/userguide#web-server-configuration-challenges

But I don't directly expose nginx to the world. I have HAProxy in front of
it (allows for more flexibility). That config has:

```
# Irrelevant to discussion things removed
frontend proxy
  bind 45.63.16.142:80
  # if the client didn't request HTTPS, make them request HTTPS
  redirect scheme https code 308 if !{ ssl_fc }

frontend proxy-ssl
  bind 45.63.16.142:443 ssl crt /var/lib/acme/live/itcouldbe9.com/haproxy
  default_backend default-server

backend default-server
  server server1 10.10.10.2:80
```

I just renewed my cert yesterday and had no problem.

P.S. Kyle, I was looking forward to your SALT presentation Tuesday, but I
have had something else come up so I'll have to miss it :(

On Thu, May 11, 2017 at 9:22 AM, Kyle Brieden <kyle at txmoose.com> wrote:

> I run my Nextcloud instance at home and use a LE cert to encrypt it.  I
> had it running on 80 and 443 to the world, with 80 doing a hard 301 to 443
> for everything.  That broke cert renewals for whatever reason, so I had to
> add an exception for the /.well-known/* path for LE.  Later, I started
> running an OpenVPN instance on port 80, because the work firewall ONLY
> allows 80 and 443 out.  Once I stopped PAT'ing 80 to my nginx server, the
> next renewal broke.
>
> Short story is this:  For whatever reason, LE servers *must* be able to
> reach your site at 80 and 443.  I assume this has something to do with
> issuing a cert for a site that currently does not have a cert?  I never
> really thought about it much.
>
> This block appears in my HTTP server block, with the first location block
> appearing in my HTTPS block as well.
>
> location ~ "^/\.well-known/acme-challenge/" {
>         # regex locations are tried in file order, so this block must come
>         # before the catch-all or the challenge would be redirected as well
>         allow all;
>     }
>
>     # enforce https
>     location / {
>         return 301 https://$server_name$request_uri;
>     }
>
> As far as remedy, every 2 and a half months, I jump onto my router, switch
> the PAT from 80 -> OpenVPN to 80 -> nginx server, do the LE cert renewal,
> then switch it back.  I will make it a more sane process later, but for
> now... well https://xkcd.com/1205/
> ---
> Very respectfully,
> Kyle Brieden
>
>
> On 10-05-2017 20:40, DJ-Pfulio wrote:
>
>> Anyone else having trouble renewing let's encrypt certs?
>>
>> Apache2 on Ubuntu 16.04.
>>
>> Failing tls-sni-01 challenge.
>>
>> I have 2 sites on the same machine.  Both have renewed 3 times without
>> issues.  Today, they both failed. The script that always worked before:
>>
>> #!/bin/sh
>> export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>> /usr/bin/letsencrypt  renew
>>
>>
>>
>> I've been through the log file(s). Not anything useful, just:
>>
>> FailedChallenges: Failed authorization procedure. site.domain.com
>> (tls-sni-01): urn:acme:error:connection :: The server could not connect
>> to the client to verify the domain :: Failed to connect to
>> 50.xx.xx.xx:443 for tls-sni-01 challenge
>>
>> DNS is correct.
>> Site is up on 443, but not on 80.
>> I opened the site to everyone. Normally, I only allow a few specific
>> subnets.
>>
>> Ideas?
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>
>


-- 
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (music)
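Putting the pieces of the thread together, as an added example (my own code, not code from the posters, acmetool, nginx or HAProxy): it computes the RFC 7638 thumbprint of the ACME account key that the static nginx answer relies on, models the set-ups described above as plain functions (a static `return 200` answer for every token, a webroot file written by the ACME client, and an HAProxy front that 308-redirects plain HTTP to https with port 80 either open or forwarded elsewhere), and runs a model of the CA's http-01 validator over each. The account JWK, token and domain are constructed placeholders, and the JWK is not a real RSA key. It models http-01 only; tls-sni-01, the challenge in the first message, is a different exchange on port 443.

```python
"""Offline model of the ACME http-01 exchange discussed in this thread.
Added example, not code from the posters, acmetool, nginx or HAProxy.
The account JWK and the token are constructed; the JWK is not a real key."""
import base64
import hashlib
import json
import re
from urllib.parse import urlsplit

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Extra members such as "alg" do not change the value."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Body the validator expects: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

# Same token syntax as the nginx regex in the thread.
TOKEN_RE = re.compile(r"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$")

# Constructed demo inputs: not real key material, not a real token.
ACCOUNT_JWK = {"kty": "RSA", "alg": "RS256", "e": "AQAB",
               "n": b64url(b"constructed modulus, not a real RSA key " * 6)}
TOKEN = "DGyRejmCefe7v4NfDGDKfA"

def static_origin(thumbprint: str, include_token: bool = True):
    """James's nginx block: one static `return 200` answers every token.
    include_token=False models leaving out the `$1.` prefix.
    Origins and fronts are modelled as: url -> (status, headers, body)."""
    def handle(url):
        m = TOKEN_RE.match(urlsplit(url).path)
        if not m:
            return 404, {}, "not found"
        body = f"{m.group(1)}.{thumbprint}" if include_token else thumbprint
        return 200, {"Content-Type": "text/plain"}, body
    return handle

def webroot_origin(files: dict):
    """Kyle's approach: the ACME client writes one file per token under the
    webroot and nginx serves it from the `allow all` location."""
    def handle(url):
        m = TOKEN_RE.match(urlsplit(url).path)
        if m and m.group(1) in files:
            return 200, {"Content-Type": "text/plain"}, files[m.group(1)]
        return 404, {}, "not found"
    return handle

def https_redirecting_front(origin, port80_open: bool = True):
    """The HAProxy front end from the thread: plain HTTP gets a 308 to the
    https URL, TLS traffic goes to the origin. port80_open=False models
    port 80 being forwarded to something other than the web server."""
    def handle(url):
        parts = urlsplit(url)
        if parts.scheme == "http":
            if not port80_open:
                raise ConnectionRefusedError(f"{parts.hostname}:80")
            return 308, {"Location": parts._replace(scheme="https").geturl()}, ""
        return origin(url)
    return handle

def validate(fetch, domain: str, token: str, jwk: dict, max_redirects: int = 10):
    """What the CA does for http-01: GET the token URL over plain HTTP on
    port 80, follow redirects (to https is fine) and accept a 200 whose
    body, ignoring surrounding whitespace, equals the key authorization."""
    expected = key_authorization(token, jwk)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    for _ in range(max_redirects + 1):
        try:
            status, headers, body = fetch(url)
        except OSError as exc:
            return False, f"connection failed: {exc}"
        if status in (301, 302, 307, 308):
            url = headers["Location"]
            continue
        if status != 200:
            return False, f"unexpected status {status}"
        ok = body.strip() == expected
        return ok, "ok" if ok else "key authorization mismatch"
    return False, "too many redirects"

def demo(domain: str = "example.com") -> dict:
    """The scenarios from the thread, each as (passed, reason)."""
    tp = jwk_thumbprint(ACCOUNT_JWK)
    good_file = {TOKEN: key_authorization(TOKEN, ACCOUNT_JWK)}
    fronts = {
        "static_behind_308": https_redirecting_front(static_origin(tp)),
        "static_without_token": https_redirecting_front(static_origin(tp, False)),
        "webroot_file_present": https_redirecting_front(webroot_origin(good_file)),
        "webroot_file_missing": https_redirecting_front(webroot_origin({})),
        "port80_forwarded_elsewhere": https_redirecting_front(static_origin(tp), False),
    }
    return {name: validate(f, domain, TOKEN, ACCOUNT_JWK) for name, f in fronts.items()}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28} {'PASS' if ok else 'FAIL'}  {why}")
```

The two failing cases are the ones the thread runs into from the client side: a static answer that omits the token in front of the thumbprint is a body mismatch, and port 80 forwarded to something other than the web server never gets as far as the redirect, because the validator's first request is always plain HTTP on port 80 regardless of what is listening on 443.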