right config for letsencrypt

Jeff Dyke jeff.dyke at gmail.com
Sun Feb 2 16:49:17 UTC 2020


Since I do this through HAProxy, it will be a little different, but wherever
port 80 is open to, you can have a block that does the following.
So in the http block of HAProxy I send it to a backend when it meets
these requirements.

# Match ACME HTTP-01 challenge requests by path prefix (case-insensitive).
acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
# Redirect everything else to HTTPS ...
redirect scheme https code 301 unless letsencrypt-request
# ... and hand the challenge requests to the local nginx backend.
use_backend letsencrypt-backend if letsencrypt-request

This sends the request to a local nginx instance (on the live HAProxy
server) that can validate the cert because server_name = _; I generate these
regularly, so my setup is a little different, but:

server {
  # Behind HAProxy: accept the PROXY protocol so the real client IP survives.
  listen 8888 proxy_protocol;
  server_name _;                 # catch-all, so any domain can be validated
  charset utf-8;
  set_real_ip_from {{ servers.lb.master.ip }};
  set_real_ip_from {{ servers.lb.slave.ip }};
  real_ip_header proxy_protocol;
  root /var/www/html;            # webroot the ACME client writes tokens into
  # Only the challenge path is reachable; every other request is refused.
  location ~ /.well-known {
    allow all;
  }
  deny all;
}

In a regular, single-server nginx setup, I use the following block:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name example.com www.example.com;
  root /var/www/html;   # webroot the ACME client writes challenge tokens into
  # Serve the challenge files over plain HTTP so the CA can read them.
  location ~ /.well-known {
    allow all;
  }
  # Everything else goes to HTTPS. The redirect must sit inside a location:
  # a server-level "return" runs before location matching, so it would
  # redirect the challenge requests too and validation would fail.
  location / {
    return 301 https://www.example.com$request_uri;
  }
}

So it will only redirect if it's not a Let's Encrypt request.  HAProxy may
mean nothing to you, but it shows an alternate configuration.  And of
course Francis is correct, you need 80 open.

HTH
Jeff
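An added check, not from Jeff's post, that exercises the policy both of his configs implement: on port 80 a challenge path must answer 200 while any other path must redirect to an https:// URL. It catches the common mistake of a redirect that also swallows the challenge requests. It assumes curl is installed, the webroot is /var/www/html as in the configs above, and the host name is given on the command line.

```shell
#!/bin/sh
# Added example: verify that port 80 serves ACME HTTP-01 challenge files
# and redirects everything else to HTTPS. WEBROOT is an assumption.
WEBROOT="${WEBROOT:-/var/www/html}"

# check_policy PATH STATUS LOCATION
# Returns 0 when one probe result matches the intended policy:
#   - a challenge path must answer 200 (a redirect means the CA cannot
#     read the token);
#   - any other path must answer 301/302/308 with an https:// Location.
check_policy() {
  case "$1" in
    /.well-known/acme-challenge/*)
      [ "$2" = "200" ] && return 0
      echo "FAIL: $1 -> $2 ${3:+(Location: $3)}, expected 200" >&2
      return 1 ;;
    *)
      case "$2:$3" in
        301:https://*|302:https://*|308:https://*) return 0 ;;
      esac
      echo "FAIL: $1 -> $2 ${3:+(Location: $3)}, expected https redirect" >&2
      return 1 ;;
  esac
}

# probe HOST PATH: one plain-HTTP request, redirects not followed;
# prints "<status> <redirect-url>" (status 000 if the connection failed).
probe() {
  curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "http://$1$2"
}

# run_checks HOST: drop a throwaway token into the webroot (as an ACME
# client would), probe the challenge path and two ordinary paths, clean up.
run_checks() {
  host="$1"; dir="$WEBROOT/.well-known/acme-challenge"; token="probe-$$"
  mkdir -p "$dir" && printf 'ok' > "$dir/$token"
  rc=0
  for p in "/.well-known/acme-challenge/$token" / /index.html; do
    set -- $(probe "$host" "$p")
    check_policy "$p" "${1:-000}" "${2:-}" || rc=1
  done
  rm -f "$dir/$token"
  return $rc
}

# Usage (on the web server itself): sh acme-check.sh --run example.com
if [ "${1:-}" = "--run" ]; then
  run_checks "${2:?host name required}"
fi
```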
On Sun, Feb 2, 2020 at 5:49 AM Francis Daly <francis at daoine.org> wrote:

> On Fri, Jan 31, 2020 at 10:33:31PM +0100, bagagerek wrote:
>
> Hi there,
>
> > I followed the manual but I can't seem to get it right. I've forwarded port
> > 8081 on my router.
>
> If you want letsencrypt to use the "http" challenge, you must let incoming
> traffic in on port 80 (and, presumably, send it to nginx).
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>