Error enabling automatic encryption (Nginx)

I am trying to configure greenlock-express to run behind an nginx proxy.

Here is my nginx configuration:

    ...
    # redirect
    server {
        listen 80;
        listen [::]:80;
        server_name mydomain.com;
        location / {
            return 301 https://$server_name$request_uri;
        }
    }

    # serve
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name mydomain.com;

        # SSL settings
        ssl on;
        ssl_certificate C:/path/to/mydomain.com/fullchain.pem;
        ssl_certificate_key C:/path/to/mydomain.com/privkey.pem;

        # enable session resumption to improve https performance
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;

        # enables server-side protection from BEAST attacks
        ssl_prefer_server_ciphers on;
        # disable SSLv3 (enabled by default since nginx 0.8.19) since it is less secure than TLS
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # ciphers chosen for forward secrecy and compatibility
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

        # enable OCSP stapling (mechanism by which a site can convey certificate revocation
        # information to visitors in a privacy-preserving, scalable manner)
        resolver 8.8.8.8 8.8.4.4;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate C:/path/to/mydomain.com/chain.pem;

        # config to enable HSTS (HTTP Strict Transport Security)
        # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

        # added to make handshake take less resources
        keepalive_timeout 70;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass https://127.0.0.1:3001/;
            proxy_redirect off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
    ...

I have a node server running on port 3000 (http) and port 3001 (https). Everything else seems to work, but the certificates are not renewed and do not expire after 3 months.

If I stop nginx and start the node server on port 80 (http) and port 443 (https), it renews the certificates.

I made sure that .well-known/acme-challenge is forwarded to the node server, i.e. when I go to the URL http(s)://mydomain.com/.well-known/acme-challenge/randomstr, I get the following answer:

    {
      "error": {
        "message": "Error: These aren't the tokens you're looking for. Move along."
      }
    }
+5

3 answers

An easy way is to use a separate webroot for ACME authentication.

Create a webroot directory for ACME authentication:

    C:\www\letsencrypt\.well-known

In the nginx configuration, map the ACME challenge path to the directory you just created, so that

    http://example.com/.well-known/acme-challenge/token → C:/www/letsencrypt/.well-known/acme-challenge/token

    server {
        listen 80;
        listen [::]:80;
        server_name mydomain.com;

        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root C:/www/letsencrypt;
        }

        location / {
            return 301 https://$server_name$request_uri;
        }
    }

Restart nginx.

You can then point certbot at this webroot to authenticate again:

    certbot certonly --webroot -w C:\www\letsencrypt\ -d example.com --dry-run

Try it first with the --dry-run option; otherwise you may run into the limit on the number of authentication attempts.

+3

The error you see arises when a token is placed in your

    webroot/.well-known/acme-challenge/token

and Let's Encrypt then tries to verify it from the Internet. Going to http://yourdomain/.well-known/acme-challenge/token, it gets a 404 error (page not found). That is why it cannot verify. If you put a file there yourself, is it accessible from the Internet?

If you're interested, there are several automatic ways to renew your SSL certificate without restarting nginx. Most nginx users seem to prefer the webroot plugin: first get a new certificate using something like:

    certbot certonly --webroot -w /path/to/your/webroot -d example.com --post-hook="service nginx reload"

Then configure a cron job to run certbot's renew command once or twice a day; it will only trigger the post-hook when it actually renews the certificate. You can also use the --pre-hook flag if you prefer to stop nginx while certbot runs.

There's also a full nginx plugin that you can activate with --nginx. It is still being tested, so experiment at your own risk and report any bugs.

Note: the post-hook flag takes care of reloading nginx after your certificates are updated.

+1
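The question raised in the answer above ("if you put a file there yourself, is it accessible from the Internet?") and the separate-webroot layout from the first answer can be checked with the following added Python script; it is not from the original thread, certbot or greenlock. It plants a random token under the webroot, fetches it over plain HTTP without following redirects, and reports which of the thread's failure modes it sees: the 301 from the question's port-80 block, a 404 when the path is not rooted at the webroot, or the greenlock JSON error when the request was proxied to node. The local http.server stand-in for nginx and the verdict strings are assumptions of this example.

```python
import os, secrets, tempfile, threading, urllib.error, urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx responses instead of following them, so the question's
    # "return 301 https://..." port-80 block shows up as its own verdict.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(status, body, token, location=None):
    """Map what the probe saw onto the failure modes discussed in the thread."""
    if status == 200 and body.strip() == token:
        return "ok: challenge file served from the webroot"
    if status in (301, 302, 307, 308):
        return f"redirect to {location}: port 80 redirects before the challenge location matches"
    if "tokens you're looking for" in body:
        return "proxied: request reached the node/greenlock app instead of the webroot"
    if status == 404:
        return "404: challenge path is not rooted at the webroot"
    return f"unexpected: HTTP {status}"

def probe_http01(base_url, webroot, timeout=5):
    """Plant a token under webroot/.well-known/acme-challenge/ and fetch it like HTTP-01 would."""
    token = secrets.token_urlsafe(16)
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    with open(os.path.join(chal_dir, token), "w") as f:
        f.write(token)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as r:
            status, body, loc = r.status, r.read().decode(errors="replace"), None
    except urllib.error.HTTPError as e:  # unfollowed 3xx and 4xx/5xx land here
        status, body, loc = e.code, e.read().decode(errors="replace"), e.headers.get("Location")
    finally:
        os.remove(os.path.join(chal_dir, token))  # never leave stray files in the webroot
    return classify(status, body, token, loc)

def run_local_demo():
    """Serve a temp webroot with http.server as a stand-in for nginx's root directive (assumption)."""
    with tempfile.TemporaryDirectory() as webroot:
        handler = partial(SimpleHTTPRequestHandler, directory=webroot)
        srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe_http01(f"http://127.0.0.1:{srv.server_address[1]}", webroot)
        finally:
            srv.shutdown()
            srv.server_close()
```

Against a real deployment, call `probe_http01("http://mydomain.com", r"C:\www\letsencrypt")` from a host outside your network, since the CA validates from the Internet, not from localhost.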

You can follow the link to my blog to set up a Let's Encrypt certificate on your Apache server for a Java application: http://www.javadream.in/lets-encrypt-certificate-in-java/

0

Source: https://habr.com/ru/post/1275761/
