.well-known ACME challenge files blocked 403 Forbidden in some Nginx configurations #221
Comments
You should use the following in nginx config:

```nginx
location ^~ /.well-known/acme-challenge/ {
    # the usual settings
}
```
Thank you @riobard. I was trying with

```nginx
location '/.well-known/acme-challenge' { # <-- does not work
    default_type "text/plain";
    root /tmp/letsencrypt-auto;
}
```

But that didn't do it... I guess nginx keeps processing the other restrictions. Yours seems to do the trick though.
Hi, my free webhost is blocking ".well-known" too, the dot being the problem. They only give very limited control with htaccess files, and the Apache configuration is of course locked... So I can't find a workaround. Is there a way to change the challenge URL to something else that doesn't contain a dot?
After some struggle, here's my working config:
Despite plenty of servers/configs where this works fine…
on one where
The reason @riobard's version works is because of the order and manner in which nginx works through the location matches. I personally find the way it is documented at nginx.org adds an unnecessary layer of temporal convolution (unless there is some nuance that I have missed when reordering the guts of points 3 and 4 below), so this is my version:
The three biggest sources of confusion I have seen relevant to these kinds of issues with Nginx configs are:
I find the following example useful (good to leave all of
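To make that matching order concrete, here is a small Python model of nginx's location selection, added as an illustration (it is neither nginx code nor from this thread). It assumes a typical deny-dotfiles rule, `location ~ /\.`, as the regex that produces the 403, and shows that a plain prefix location loses to it while a `^~` prefix location wins.

```python
import re
from dataclasses import dataclass


@dataclass
class Location:
    modifier: str   # "", "=", "^~", "~" or "~*"
    pattern: str    # prefix string or regex, depending on modifier
    name: str       # label returned when this location is chosen


def select_location(locations, uri):
    """Return the name of the location this model picks for `uri`.

    Modelled on nginx's documented order: an exact (=) match wins outright;
    otherwise the longest matching prefix is remembered, and if it carries
    ^~ the regex locations are skipped entirely; otherwise the first
    matching regex in config order wins; otherwise the remembered prefix.
    """
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc.name
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best.name
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc.name
    return best.name if best is not None else None


# Constructed sample config pieces (assumptions, not from the thread).
# DENY_DOTFILES is the kind of regex rule that 403s dot-prefixed paths.
CATCH_ALL = Location("", "/", "root")
DENY_DOTFILES = Location("~", r"/\.", "deny-dotfiles (403)")
CHALLENGE_URI = "/.well-known/acme-challenge/EXAMPLE_TOKEN"


def plain_prefix_result():
    # location /.well-known/acme-challenge { ... } -- regex still runs and wins
    acme = Location("", "/.well-known/acme-challenge", "acme")
    return select_location([CATCH_ALL, DENY_DOTFILES, acme], CHALLENGE_URI)


def caret_tilde_result():
    # location ^~ /.well-known/acme-challenge/ { ... } -- regexes are skipped
    acme = Location("^~", "/.well-known/acme-challenge/", "acme")
    return select_location([CATCH_ALL, DENY_DOTFILES, acme], CHALLENGE_URI)
```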
As detailed towards the end of this [issue for the Let's Encrypt ACME spec](letsencrypt/acme-spec#221).
This repository is deprecated & un-maintained. Closing this issue. If applicable, please move discussion to the replacement IETF owned repo and the mailing list.
`location ^~ /.well-known/acme-challenge/ {`
Hi, this is related to Let's Encrypt manual authenticator mode, with the ACME challenge file having a dot prefix (certbot/certbot#730). This can be blocked with a 403 Forbidden by some Nginx configurations which block dot-prefixed files/folders from web access by default.
i.e.
As a workaround, I had to add this to my Nginx vhost:
Probably need to document this for folks as to the requirements needed for Nginx to allow dot-prefixed files for .well-known requests. Not sure if you could just add a curl check of the ACME challenge file for the status code, so if it's anything other than 200 you can show a more detailed explanation? i.e. if it's a 403 for the curl header check, say