I had working Let's Encrypt certificates some months ago (with the old letsencrypt client).
The server I am using is nginx.
Certbot is creating the .well-known folder, but not the acme-challenge folder
Now I tried to create new certificates via ~/certbot-auto certonly --webroot -w /var/www/webroot -d domain.com -d www.domain.com -d git.domain.com
But I always get errors like this:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: git.domain.com
Type: unauthorized
Detail: Invalid response from
http://git.domain.com/.well-known/acme-challenge/ZLsZwCsBU5LQn6mnzDBaD6MHHlhV3FP7ozenxaw4fow:
"<.!DOCTYPE html>
<.html lang='en'>
<.head prefix='og: http://ogp.me/ns#'>
<.meta charset='utf-8'>
<.meta content='IE=edge' http-equiv"
Domain: www.domain.com
Type: unauthorized
Detail: Invalid response from
http://www.domain.com/.well-known/acme-challenge/7vHwDXstyiY0wgECcR5zuS2jE57m8I3utszEkwj_mWw:
"<.html>
<.head><.title>404 Not Found</title></head>
<.body bgcolor="white">
<.center><.h1>404 Not Found</h1></center>
(Of course the dots inside the HTML tags are not really there)
I have looked for a solution, but didn't find one yet.
Does anybody know why certbot is not creating the folders?
Thanks in advance!
The problem was the nginx configuration.
I replaced my long configuration files with the simplest config possible:
server {
listen 80;
server_name domain.com www.domain.com git.domain.com;
root /var/www/domain/;
}
Then I was able to issue new certificates.
The problem with my long configuration files was (as far as I can tell) that I had these lines:
location ~ /.well-known {
allow all;
}
But they should be:
location ~ /.well-known/acme-challenge/ {
allow all;
}
Now the renewal works, too.
I had a similar issue. My problem was, that I had this rule:
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
These lines were blocking every access to any directory starting with a "." (dot).
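As an added example (not from the answers above), this is how the dotfile deny rule and the certbot webroot can coexist in one server block; the domains and the -w webroot are the ones from the question, everything else is an assumption:

```nginx
# Added example: keep /.well-known/acme-challenge/ reachable while every
# other dot-path (.git, .env, .htpasswd, ...) stays denied.
server {
    listen 80;
    server_name domain.com www.domain.com git.domain.com;
    root /var/www/domain;

    # Broken form from the answer above, for comparison:
    #   location ~ /\. { deny all; }
    # A regex location is tried for every URI containing "/.", and once it
    # matches the request is denied, so the ACME token under
    # /.well-known/acme-challenge/ answers 403 and validation fails.

    # A prefix location marked ^~ is chosen before any regex location is
    # consulted, so challenge requests never reach the deny rule below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/webroot;     # the directory passed to certbot -w
        default_type "text/plain";
        allow all;
    }

    # Everything else that begins with a dot is refused and not logged.
    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }
}
```

Test it with nginx -t and then fetch a file placed under /var/www/webroot/.well-known/acme-challenge/ by hand before running certbot again.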
For some strange reason (I think the certbot script changed in some way), I was not able in any way to renew the certificates. I found this thread that finally helped me after almost 4 hours of research:
https://community.letsencrypt.org/t/solved-invalid-response-403-forbidden/64170/13
Hope it helps somebody else.
The trick is to add this in the Apache config:
DocumentRoot /var/lib/letsencrypt/http_challenges
<Directory /var/lib/letsencrypt/http_challenges>
Allow from All
</Directory>
Hope it works for someone else!
I am trying to configure Nginx to proxy pass to Gunicorn.
My django project can be found at /home/justin/project/jobzumo
Start by creating and opening a new server block in Nginx’s sites-available directory:
sudo nano /etc/nginx/sites-available/jobzumo
Within this file I've entered the following:
server{
listen 80;
server_name 142.93.184.125;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/justin/project;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
}
When I go to 142.93.184.125 I see the default django rocket ship, so I think that means everything is working. However, when I go to 'jobzumo.com' (associated domain), I see the default 'Welcome to nginx!' page.
I know I have both the IP and domain name in my ALLOWED_HOSTS settings and have pointed the domain nameservers at my server. So, do I need to add this domain to this file? The tutorial I was following said either or should do the job. If adding the domain to this file is not what I have to do, can you mention that, so at least I know I'll have to start looking elsewhere. Thanks for any help.
You probably still have the default site in available sites in nginx which is causing the issue. I just had the same problem and the following two commands solved the issue:
sudo unlink /etc/nginx/sites-enabled/default
sudo service nginx restart
If you stopped your gunicorn daemon you might need to restart it and then run the second command above; that should do the trick.
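An added example (not from the answer above) of the same site block with the domain named explicitly, plus a catch-all server so that a Host header nobody claims never falls through to the "Welcome to nginx!" page; the paths, IP and domain are the question's, the catch-all block is my addition:

```nginx
# Catch-all: requests whose Host header matches no other server block
# (stray hostnames pointed at this address, bare probes) get the
# connection closed with no response. Only one default_server may exist
# per listen address, so /etc/nginx/sites-enabled/default must be unlinked
# first, as the answer above says.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# The application host. List every name that Django's ALLOWED_HOSTS
# accepts, otherwise nginx has no reason to route that name here.
server {
    listen 80;
    server_name jobzumo.com www.jobzumo.com 142.93.184.125;

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /home/justin/project;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
```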
I've been searching for a while now but didn't manage to find anything that fits my needs. I don't need hotlinking protection, as much as I'd like to prevent people from directly accessing my files. Let's say:
My website.com requests website.com/assets/custom.js, that'd work, but I'd like visitors who directly visit this file to get a 403 status code or something. I really have no idea if it's possible, and I don't have any logical steps in mind..
Regards !
You can use the nginx referer module: http://nginx.org/en/docs/http/ngx_http_referer_module.html.
Something like this:
server {
listen 80;
server_name website.com;
root /var/www/website.com/html ;
location /assets/ {
valid_referers website.com/ website.com/index.html website.com/some_other_good_page.html ;
if ($invalid_referer) {
return 403;   # deny is not permitted inside an if block; return 403 is
}
}
}
This config guards the assets directory. But remember that this is not guaranteed and works only for browsers - anybody can emulate a valid request with curl or telnet. For true safety you need to use dynamically generated pages with dynamically generated links.
You do not need to create the variable $invalid_referer as this is set by the nginx module.
If your nginx-powered development instances are showing up in Google search results, there is a quick and easy way to prevent search engines from crawling your site. Add the following line to the location block of your virtualhost configuration file for the block that you want to prevent crawling.
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
You can simply deny access to any folder or file just by putting these lines with your folders' name
location ~ /(no_access_folder|folder_2)
{
deny all;
return 403;
}
I have a DV server with MediaTemple and recently had their support enable the nginx webserver. I have been integrating their ProCDN with Super Cache on the WordPress sites on the DV.
I noticed on this domain convoyofhope.eu that the CDN is working properly, but if you view the site on Firefox the fontface isn't working because of the cross-domain issue. I found this site that seems to solve the problem http://www.red-team-design.com/firefox-doesnt-allow-cross-domain-fonts-by-default
My question is, in the site it says:
Also, if you are using nginx as your webserver you will need to include the code below in your virtual host file:
location ~* \.(eot|otf|ttf|woff)$ {
add_header Access-Control-Allow-Origin *;
}
I am just not sure where I put this on my server. I checked the vhost for convoyofhope.eu but I didn't see where I would add that to make this work. Thanks for any feedback.
It would generally go in the nginx configuration file that has the server block for that host:
server {
listen 80;
server_name convoyofhope.eu;
...
location ~* \.(eot|otf|ttf|woff)$ {
add_header Access-Control-Allow-Origin *;
}
...
}
On RHEL related distributions, this would be on the file system somewhere under /etc/nginx/. Your particular distribution may vary.
On MediaTemple, in your Plesk control panel, go to Websites & Domains (tab) -> Web Server Settings then scroll down to "Additional nginx directives". Place your location… directive in the text box there.
I got a new slice off slicehost, for the purposes of playing around and learning nginx and more about deployment generally. I installed a ruby app on there (which I'll call app1) which uses passenger. I made it the default app to use for that server with the following server block in my nginx config:
server {
listen 80;
server_name <my server ip>;
root <path to app1 public folder>;
passenger_enabled on;
}
This works fine. However, I want to try a few different apps out on this slice, and so thought I would set it up like so:
http:///app1
http:///app2
etc. I thought I would be able to do that by adding a location block, and moving the app1 specific stuff into it like so:
server {
listen 80;
server_name <my server ip>;
location ^~ /app1 {
root <path to app1 public folder>;
passenger_enabled on;
}
}
However, on doing this (and restarting nginx of course), going to the plain IP address gives the 'welcome to nginx' message (which I'd expect). But, going to /app1 gives an error message:
404 Not Found
The requested URL /app1 was not found on this server.
This is distinct from the error message I get when I go to another path on that IP, e.g. /foo:
404 Not Found
nginx/0.8.53
So, it's like nginx knows about that location but I've not set it up properly. Can anyone set me straight? Should I set up different server blocks instead of using locations? I'm sure this is simple but can't work it out.
Cheers, max
What you're after is name virtual hosting. The idea is that each domain is hosted on the same IP, and nginx chooses the virtualhost to serve based on the Host: header in the HTTP request, which is sent by the browser.
To use name virtual hosting, use the domain you want to serve instead of your server's IP for the server_name directive.
server {
listen 80;
server_name app1.com;
location / {
root /srv/http/app1/public;
passenger_enabled on;
}
}
Then, to host more apps on the same box, just declare a separate server { } block for each one.
server {
listen 80;
server_name app2.com;
location / {
root /srv/http/app2/public;
passenger_enabled on;
}
}
I'm using unicorn instead of passenger, but the vhost part of the structure is the same for any backend.
The global nginx config (which on its own hosts nothing): https://github.com/benhoskings/babushka-deps/blob/master/nginx/nginx.conf.erb
The template wrapper for each virtualhost: https://github.com/benhoskings/babushka-deps/blob/master/nginx/vhost.conf.erb
The details of the unicorn virtualhost: https://github.com/benhoskings/babushka-deps/blob/master/nginx/unicorn_vhost.common.erb
I fail to see the real problem here though. In order for you to figure that out you need to view the nginx log files, on most systems at /var/log/nginx/, and open the relevant access file there (might be error.log). In there you can see what URL nginx exactly tried to access and why it failed.
What I really think is happening is that you got the root path wrong; maybe it should be alias instead, because if you are proxying the connection to another app, it might get the "app1" word in the URL instead of a direct one.
So please try:
server {
listen 80;
server_name <my server ip>;
location /app1 {
alias <path to app1 public folder>;
passenger_enabled on;
}
}
and see whether it works, and also try to view the logs first to really determine what the problem is.
I think it's just a slight syntax problem:
location ~ ^/app1 { ...
should work, or a little more efficient:
location = /app1 { ...
One problem is that your Rails app probably wasn't designed to run from a subdirectory. Passenger has a directive that will fix this:
passenger_base_uri /app1;
However, running Rails apps in subdirectories is somewhat non-standard. If you can, a better option may be to set up subdomains using nginx's virtual hosts.
It seems that you want to host more apps on the same server with base uri. Try this:
root /srv/http/;
passenger_base_uri /app_1;
passenger_base_uri /app_2;
Also under /srv/http, create 2 symlinks:
ln -s /srv/http/app_1 /srv/http/app1/public
ln -s /srv/http/app_2 /srv/http/app2/public
The app1 can be accessed under: http://domain.com/app_1.
Here is more for reading: http://www.modrails.com/documentation/Users%20guide%20Nginx.html#deploying_rack_to_sub_uri
I've seen some limited resources on checking for cookies with Nginx, but I couldn't really find the answer I was looking for, hopefully some of you Nginx masters can give me a hand.
Essentially I have a vhost that I'd like to redirect to a different domain unless the user has a cookie, here is what I've created:
server {
listen 80;
server_name example.com;
if ($http_cookie ~* "dev_cookie" ) {
root /home/deploy/apps/example/current/public;
passenger_enabled on;
rack_env production;
break;
}
rewrite ^/(.*) http://beta.example.com/$1 permanent;
}
But it doesn't seem to work, I get the error:
[emerg]: "root" directive is not allowed here in /opt/nginx/conf/nginx.conf:45
I'm not sure how to proceed here, any ideas guys?
That makes sense.
I would define another virtual host (beta.example.com) with that different root folder,
and upon encountering the cookie, do a rewrite.
You can't set different roots for a domain conditionally, but you can redirect (rewrite) to another domain conditionally
This guy's example helped me a bit ago
http://nicknotfound.com/2009/01/12/iphone-website-with-nginx/
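As an added example (not from the answer above), the same gate written without putting root inside an if: a map reads the cookie, the public host redirects everyone who lacks it, and beta.example.com gets its own server block. The cookie name and the example.com paths come from the question; the map variable and the beta root path are assumptions.

```nginx
# map must sit in the http context, outside any server block.
# $cookie_dev_cookie is nginx's built-in variable for a cookie named
# "dev_cookie"; $is_dev becomes 1 when that cookie is present and non-empty.
map $cookie_dev_cookie $is_dev {
    default 0;
    ~.      1;
}

# Production host: only cookie holders see the app here.
server {
    listen 80;
    server_name example.com;

    # An "if" whose only directive is return is the one form nginx handles
    # predictably; root and passenger settings stay at server level, where
    # they are allowed (hence the [emerg] in the question).
    if ($is_dev = 0) {
        return 301 http://beta.example.com$request_uri;
    }

    # The cookie is a convenience switch, not access control: nginx only
    # checks that it exists and verifies nothing about its value.
    root /home/deploy/apps/example/current/public;
    passenger_enabled on;
    rack_env production;
}

# Beta host: what everyone without the cookie is sent to.
server {
    listen 80;
    server_name beta.example.com;
    root /path/to/beta/public;   # placeholder, adjust to the beta checkout
    passenger_enabled on;
}
```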