I'm not able to get nginx to return the files I've put in /var/www/letsencrypt.

nginx/sites-available/mydomain.conf

server {
  listen 80 default_server;
  listen [::]:80 default_server ipv6only=on;
  server_name my-real-domain.com;

  include /etc/nginx/snippets/letsencrypt.conf;

  root /var/www/mydomain;
  index index.html;
  location / {
    try_files $uri $uri/ =404;
  }
}

nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  root /var/www/letsencrypt;
}

I run this command: certbot certonly --webroot -w /var/www/letsencrypt/ -d my-real-domain.com

But the page that certbot tries to access always returns a 404.

DEBUGGING

$ echo hi > /var/www/letsencrypt/hi
$ chmod 644 /var/www/letsencrypt/hi

Now I should be able to curl localhost/.well-known/acme-challenge/hi, but that does not work. Still 404. Any idea what I'm missing?

martins
  • You could try, in case you still want to: https://stackoverflow.com/a/53134710/5985566 – PKumar Nov 03 '18 at 19:22
  • Cross-site duplicate: https://serverfault.com/questions/876137/how-to-set-up-http-based-domain-validation-on-nginx-how-to-reroute-specifically – tripleee May 13 '22 at 12:12

3 Answers

The option `root /var/www/letsencrypt/;` tells nginx "this is the base directory", so the final path will be /var/www/letsencrypt/.well-known/acme-challenge/.

So, you have 2 options:

  1. Change your path, for example to

    $ echo hi > /var/www/letsencrypt/.well-known/acme-challenge/hi
    
  2. Change the behavior of nginx so that it treats the path as an alias:

    location ^~ /.well-known/acme-challenge/ {
      default_type "text/plain";
      rewrite /.well-known/acme-challenge/(.*) /$1 break;
      root /var/www/letsencrypt;
    }
    

And don't forget to run `killall -1 nginx` to reload the config.

bukkojot
  • What does `killall -1` do? – mwfearnley Jun 01 '20 at 12:11
  • 5
    Instead of `killall -1 nginx` to reload config. You can do `sudo nginx -t` to verify the config and if that returns successful, the perform a `sudo service Nginx restart` – m4l490n Jun 06 '20 at 22:31
  • 1
    `killall -1` send signal `SIGHUP`, which means "reload your config ASAP" for most daemons (not for all). All running daemons with specified name (nginx in our case) will reload configs. This good practice, when you have multiple instances of nginx (or any other daemon), with different configs. In my usually setup `nginx -t` or `service Nginx restart` will do nothing, as nginx can be in different directories, even not in `$PATH` and system knows nothing about it. – bukkojot Jun 12 '20 at 09:23
  • 1
    But you still want to test your config before reloading, so you need to know where those binaries are anyways. It would be safer to loop over the binaries and call `NGINX_BIN -t && NGINX_BIN -s reload`. – DylanYoung Jun 16 '21 at 15:46
  • what about using `systemctl restart nginx`? – fp007 Oct 19 '21 at 12:28

It seems that the Synology Nginx configuration now has a rule for acme-challenge. Put your file in /var/lib/letsencrypt/.well-known/acme-challenge and there is no need to reload Nginx, as the configuration stays unchanged.

See /etc/nginx/nginx.conf for details.

enguerran

It's because you are using `root` and not `alias`. I have this as a working solution:

server {
  listen 80;

  # alias replaces the matched prefix, so /.well-known/acme-challenge/TOKEN
  # is read from /var/www/acme/TOKEN
  location /.well-known/acme-challenge {
    alias /var/www/acme;
  }

  # everything else is sent to HTTPS
  location / {
    return 301 https://$host$request_uri;
  }
}
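
Added here as a worked illustration of the `root` vs `alias` distinction in the accepted answer and in the `alias` answer above; it is example code, not from the question or any answer. It models nginx's path mapping for a plain prefix location (assuming nginx has already normalised the URI) and checks whether the directory given to `certbot --webroot -w` is the one nginx will actually read from; all paths are constructed sample values.

```python
# Added example, not code from the question or any answer above: a small model of
# how nginx maps a request URI to a file under `root`, under `alias`, and under the
# `rewrite ... break` + `root` variant, plus a check that the directory handed to
# `certbot --webroot -w` is where nginx will actually look. Assumptions: the URI is
# already normalised by nginx and the location is a plain prefix match; every path
# in here is a constructed sample value.
from dataclasses import dataclass
from typing import Optional

ACME_SUBDIR = "/.well-known/acme-challenge/"   # certbot --webroot writes tokens here


@dataclass
class Location:
    prefix: str                   # e.g. "/.well-known/acme-challenge/"
    root: Optional[str] = None    # `root DIR;`  -> DIR + full URI
    alias: Optional[str] = None   # `alias DIR;` -> DIR + (URI minus prefix)
    rewrite_strip: bool = False   # `rewrite <prefix>(.*) /$1 break;` before root


def resolve_path(loc: Location, uri: str) -> str:
    """Filesystem path nginx opens for `uri` inside this location block."""
    if not uri.startswith(loc.prefix):
        raise ValueError(f"{uri!r} does not match location {loc.prefix!r}")
    rest = uri[len(loc.prefix):]
    if loc.alias is not None:
        # alias is literal concatenation: a trailing slash on the location but
        # not on the alias is the classic way to end up with "/var/www/acmehi".
        return loc.alias + rest
    if loc.root is None:
        raise ValueError("location needs either root or alias")
    if loc.rewrite_strip:
        uri = "/" + rest               # root is applied to the rewritten URI
    return loc.root.rstrip("/") + uri  # root keeps the whole (rewritten) URI


def certbot_write_path(webroot: str, token: str) -> str:
    """Where `certbot certonly --webroot -w WEBROOT` places the challenge file."""
    return webroot.rstrip("/") + ACME_SUBDIR + token


def webroot_matches(loc: Location, webroot: str, token: str = "TOKEN") -> bool:
    """True when the file certbot writes is the file nginx will serve."""
    return certbot_write_path(webroot, token) == resolve_path(loc, ACME_SUBDIR + token)
```

Running `webroot_matches` against your own location block before invoking certbot tells you whether the `-w` directory and the nginx directive agree, which is the mismatch behind most acme-challenge 404s.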