Nginx configuration, folder permissions and lets-encrypt

6
votes

I am trying to use certbot and letsencrypt on my Ubuntu 16.0.4 server, so I can install a mail server.

I am running certbot like this:

sudo /opt/letsencrypt/certbot-auto certonly --agree-tos --webroot -w /path/to/www/example -d example.com -d www.example.com

I get the following output from certbot (snippet shown below):

   Domain: www.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.example.com/.well-known/acme-challenge/QEZwFgUGOJqqXHcLmTmkr5z83dbH3QlrIUk1S3JI_cg:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

This is what my directory structure looks like:

root@yourbox:/path/to/www/example$ ls -la
total 12
drwxr-xr-x 3 example root    4096 Nov  1 10:17 .
drwxr-xr-x 5 root        webapps 4096 Nov  1 10:13 ..
drwxr-xr-x 2 root        root    4096 Nov  1 10:36 .well-known
root@yourbox:/path/to/www/example$ 
root@yourbox:/path/to/www/example$ cd .well-known/
root@yourbox:/path/to/www/example/.well-known$ ls -la
total 8
drwxr-xr-x 2 root        root 4096 Nov  1 10:36 .
drwxr-xr-x 3 example root 4096 Nov  1 10:17 ..
root@yourbox:/path/to/www/example/.well-known$

From above, I can see that the challenge file does not exist - (presumably?) because, it looks like the certbot is unable to write to the folder.

However, I first needed to check that nginx was set up correctly, and that it was serving files from folders starting with a period.

This is the configuration file for nginx for the website (/etc/nginx/sites-available/example):

server {
    # Allow access to the letsencrypt ACME Challenge
    location ~ /\.well-known\/acme-challenge {
        allow all;
    }
}

I manually created a testfile (sudo touch /path/to/www/example/fake) and gave it the correct permissions:

root@yourbox:/path/to/www/example/.well-known/acme-challenge$ ls -l
total 0
-rw-r--r-- 1 example webapps 0 Nov  1 10:45 fake

I then tried to access http://www.example.com/.well-known/acme-challenge/fake from a browser - and got a 404 error.

This means I have two errors:

  1. Nginx is not correctly setup to serve files from the .well-known/acme-challenge folder
  2. The file permissions in the /path/to/www/example folder are wrong, so certbot can't write its automatically generated files to the .well-known/acme-challenge folder.

How may I fix these issues?

2
nginxfile-permissionsubuntu-16.04lets-encryptcertbot
you need to check /etc/hosts file, make sure you have the correct records there, and also, set correct permissions, e.g. chown -R www-data:www-data /path/to/www your Nginx and php-FPM/Apache should work under "www-data" user, for example.user4535610

2 Answers

4
votes

Your Nginx config file has no config to make your /path/to/www/example/ directory web accessible.

Here's a simple configuration which will put your site live and allow LetsEncyrpt to create a valid certificate. Bare in mind port 80 will need to be accessible.

server {
    listen 80;

    server_name www.example.co.uk example.co.uk;

    root /path/to/www/example;

    access_log /var/log/nginx/example.co.uk.log;
    error_log /var/log/nginx/example.co.uk.log;

    index index.html index.htm index.php;

    location ~ /\.well-known\/acme-challenge {
        allow all;
    }

    location / {
        try_files $uri $uri/index.html $uri.html =404;
    }
}

Change your server_name accordingly, or use your /etc/hosts file to configure a local domain.

0
votes

I had the same problem which was caused by the following line:

  location ~ /\. {
        deny all;
    }

i added the following ABOVE the line mentioned above this:

location ~ /\.well-known\/acme-challenge {
        allow all;
    }