Nginx + Certbot • universal HTTP challenge solution
Update your server configuration with Certbot / Letscrypt snippets for your Nginx server. Automate SSL certificate challenges by including simple snippets.
Filter by Category
Filter by Author
Update your server configuration with Certbot / Letscrypt snippets for your Nginx server. Automate SSL certificate challenges by including simple snippets.
Contents
If you are using CentOS or AWS Amazon Linux, you can create the file under /etc/nginx/snippets/letsencrypt-acme-challenge.conf
What this snippet does, it checks if current URI navigation pattern matches /.well-known/acme-challenge/
and maps root directory to /var/www/letsencrypt
the folder which we have previously created.
#############################################################################
# Configuration file for Let's Encrypt ACME Challenge location
# This file is already included in listen_xxx.conf files.
# Do NOT include it separately!
#############################################################################
#
# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
# on all our sites (HTTP), including all subdomains.
# This is required by ACME Challenge (webroot authentication).
# You can check that this location is working by placing ping.txt here:
# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
# And pointing your browser to:
# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
#
# Sources:
# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
#
#############################################################################
# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
location ^~ /.well-known/acme-challenge/ {
# Set correct content type. According to this:
# https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
# Current specification requires "text/plain" or no content header at all.
# It seems that "text/plain" is a safe option.
default_type "text/plain";
# This directory must be the same as in /etc/letsencrypt/cli.ini
# as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
# there to "webroot".
# Do NOT use alias, use root! Target directory is located here:
# /var/www/common/letsencrypt/.well-known/acme-challenge/
root /var/www/letsencrypt;
}
# Hide /acme-challenge subdirectory and return 404 on all requests.
# It is somewhat more secure than letting Nginx return 403.
# Ending slash is important!
location = /.well-known/acme-challenge/ {
return 404;
}
Inside of the Nginx config file under, we add snippet for all port 80 requests to handle our Letscrypt / Certbot challenge.
http {
# other stuff
# our code
server {
listen 80;
listen [::]:80;
charset utf-8;
# our snippet
include snippets/letsencrypt-acme-challenge.conf;
}
}
Now for any virtual host we are using, we can insert our snippet include file. If we are running first-time creation for our domain, SSL might require to comment out include lines that try to load SSL certificate, which is not yet created. So Nginx, reload operation might fail.
server {
listen 443 ssl http2;
server_name wojtek.ch www.wojtek.ch;
#our snippet
include snippets/letsencrypt-acme-challenge.conf;
# our SSL config
include snippets/wojtek.ch/ssl.conf;
include snippets/wojtek.ch/ssl-params.conf;
# other config for your virtual host website
}
Now we can check our setup by running test, dry-run mode. You need to be careful because there is a limit of fail challenge request (5 per hour). So you want to be sure that everything goes smoothly 🙂
certbot certonly --webroot -d wojtek.ch -d www.wojtek.ch --dry-run
After executing the command, we’ll be asked to provide webroot directory which in our case is /var/www/letsencrypt
Subscribe to receive updates about new articles.
Caching resources of our application or website is very important. We want to deliver content to the user in the shortest possible time.