NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Default host does not include letsencrypt config #467

Open joshbenner opened 4 years ago

joshbenner commented 4 years ago

The default site at /data/nginx/default_host/site.conf does not include the Let's Encrypt configuration at /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf.

The impact of this is that any Let's Encrypt certificate acquisition that would go to the default site cannot succeed. This means only hostnames with active hosts attached can create or renew certificates with Let's Encrypt.

Failure Example 1:

  1. Create a new SSL cert with a hostname that is NOT in use on any hosts
  2. Cert acquisition will fail

Failure Example 2:

  1. Create a new SSL cert with one hostname that IS associated with a working host config, and a hostname that is NOT in use on any host.
  2. Cert acquisition will fail

Success Example:

  1. Create a new SSL cert with one hostname that IS associated with a working host config
  2. Cert acquisition will succeed

The external Let's Encrypt service will attempt to make the challenge HTTP request to each of the domains in the certificate, and if any fail, the certificate is not issued. Those domains in the cert which are not associated with an active host config will fail, and so will the cert.

I suspect this may be related to difficult-to-reproduce errors such as #396 or #250, but it's pretty difficult to be sure.

I'm positive this was not always the case, as I was previously able to request an SSL cert from Let's Encrypt before I had set up the host config. I was also able to include additional hostnames in the Let's Encrypt certs that I was not yet using. Both of these approaches no longer work due to the issue described.

I suspect the fix is as easy as adding this to the default_host site.conf:

include conf.d/include/letsencrypt-acme-challenge.conf;
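As an added check, not part of the issue or of the project's own code, the following POSIX shell function reports which nginx host configs under a data directory lack the ACME challenge include, so a missing include on the default or 404 host can be caught before a certificate request fails. The directory layout is assumed from the paths quoted above and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: list nginx site configs that do not include the Let's Encrypt
# ACME challenge snippet. Assumes the /data/nginx layout quoted in the issue
# (default_host/site.conf, proxy_host/*.conf, ...); adjust the path for others.

ACME_INCLUDE='letsencrypt-acme-challenge.conf'

# Print one path per line for each *.conf under DIR that lacks the include.
# Returns 0 when every config has it, 1 when at least one does not.
missing_acme_include() {
    dir="$1"
    rc=0
    for f in $(find "$dir" -name '*.conf' | sort); do
        if ! grep -q "include .*${ACME_INCLUDE}" "$f"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Build a constructed sample tree mirroring the report: a default host
# without the include and a proxy host that has it. Prints the root path.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/default_host" "$root/proxy_host"
    cat > "$root/default_host/site.conf" <<'EOF'
server {
    listen 80 default_server;
    server_name default-host.localhost;
    return 404;
}
EOF
    cat > "$root/proxy_host/1.conf" <<'EOF'
server {
    listen 80;
    server_name example.test;
    include conf.d/include/letsencrypt-acme-challenge.conf;
}
EOF
    printf '%s\n' "$root"
}
```

Run `missing_acme_include /data/nginx` inside the container; any path it prints is a host whose HTTP-01 challenge requests will not be answered.
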

joshbenner commented 4 years ago

FWIW, it looks like 404 hosts also do not include it.

fbhdk commented 4 years ago

I am seeing this as well after finding out that a bunch of certs were expired

github-actions[bot] commented 5 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: