The default site at /data/nginx/default_host/site.conf does not include the Let's Encrypt configuration at /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf.
The impact of this is that any Let's Encrypt certificate acquisition that would go to the default site cannot succeed. This means only hostnames with active hosts attached can create or renew certificates with Let's Encrypt.
Failure Example 1:
Create a new SSL cert with a hostname that is NOT in use on any hosts
Cert acquisition will fail
Failure Example 2:
Create a new SSL cert with one hostname that IS associated with a working host config, and a hostname that is NOT in use on any host.
Cert acquisition will fail
Success Example:
Create a new SSL cert with one hostname that IS associated with a working host config
Cert acquisition will succeed
The external Let's Encrypt service will attempt to make the challenge HTTP request to each of the domains in the certificate, and if any fail, the certificate is not issued. Those domains in the cert which are not associated with an active host config will fail, and so will the cert.
I suspect this may be related to difficult-to-reproduce errors such as #396 or #250, but it's pretty difficult to be sure.
I'm positive this was not always the case, as I was previously able to request an SSL cert from Let's Encrypt before I had set up the host config. I was also able to include additional hostnames in the Let's Encrypt certs that I was not yet using. Both of these approaches no longer work due to the issue described.
I suspect the fix is as easy as adding this to the default_host site.conf:
include conf.d/include/letsencrypt-acme-challenge.conf;
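To make the routing logic behind the three examples above concrete, here is an added preflight script (not part of Nginx Proxy Manager or of this issue). It checks whether a `site.conf` text carries the ACME include, inserts it into the `server` block if missing, and models which SANs of a requested cert would pass the HTTP-01 challenge: a hostname with an active host config is assumed to be served by a block that already includes the snippet, while any other hostname lands on the default site, which only answers the challenge if it includes the snippet too. The `site.conf` text and hostnames are constructed sample values; the snippet path is the one named in the issue.

```python
"""Preflight check modelling ACME HTTP-01 routing for a default site.

Added example, not project code. Assumptions:
  - the sample site.conf below is constructed, not the real default_host file;
  - hostnames without an active host config are served by the default site.
"""
import re

ACME_INCLUDE = "conf.d/include/letsencrypt-acme-challenge.conf"

# Constructed stand-in for /data/nginx/default_host/site.conf, missing the include.
DEFAULT_SITE_CONF = """\
server {
    listen 80 default_server;
    server_name default-host.localhost;
    # include conf.d/include/letsencrypt-acme-challenge.conf;  <- commented out, so ignored
    location / {
        return 404;
    }
}
"""


def has_acme_include(conf_text: str) -> bool:
    """True if an uncommented `include` of the ACME snippet is present."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip nginx comments
        m = re.match(r"include\s+(\S+?)\s*;", line)
        if m and m.group(1).endswith("letsencrypt-acme-challenge.conf"):
            return True
    return False


def patch_default_site(conf_text: str) -> str:
    """Return conf_text with the include added right after the first `server {`.

    Leaves the text untouched if the include is already active.
    """
    if has_acme_include(conf_text):
        return conf_text
    out = []
    inserted = False
    for raw in conf_text.splitlines():
        out.append(raw)
        if not inserted and re.match(r"\s*server\s*\{\s*$", raw):
            out.append(f"    include {ACME_INCLUDE};")
            inserted = True
    if not inserted:
        raise ValueError("no server block found to patch")
    return "\n".join(out) + "\n"


def challenge_reachable(hostname: str, active_hosts: set, default_has_include: bool) -> bool:
    """Would the /.well-known/acme-challenge/ request for hostname be answered?"""
    if hostname in active_hosts:
        return True  # proxy host blocks carry the snippet (assumed, per the issue)
    return default_has_include  # everything else falls through to the default site


def cert_request_outcome(hostnames, active_hosts, default_has_include):
    """Issuance succeeds only if every SAN passes; returns (ok, failing_sans)."""
    failing = [h for h in hostnames
               if not challenge_reachable(h, active_hosts, default_has_include)]
    return (not failing, failing)


if __name__ == "__main__":
    active = {"app.example.test"}
    broken = has_acme_include(DEFAULT_SITE_CONF)
    for sans in (["new.example.test"],
                 ["app.example.test", "new.example.test"],
                 ["app.example.test"]):
        print(sans, "->", cert_request_outcome(sans, active, broken))
    fixed = patch_default_site(DEFAULT_SITE_CONF)
    print("after patch:", cert_request_outcome(["new.example.test"], active,
                                              has_acme_include(fixed)))
```

Run against the real file by replacing `DEFAULT_SITE_CONF` with its contents; `patch_default_site` only inserts the single include line the issue proposes, so the result is easy to diff before applying, and `nginx -t` should still be run before reloading.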