YunoHost-Apps / roundcube_ynh

Roundcube package for YunoHost
https://roundcube.net/
GNU Affero General Public License v3.0

Nginx incompatibility between Roundcube and Let's Encrypt #30

Closed vetetix closed 6 years ago

vetetix commented 6 years ago

On my YunoHost server, with plain default configuration files, Let's Encrypt certificate renewing failed with "yunohost domain cert-renew":

# yunohost domain cert-renew mail.domain.tld
Succès ! La configuration a été mise à jour pour le service « dnsmasq »
Erreur : Wrote file to /tmp/acme-challenge-public/H3fu6Dom6wx_YvaJSEn-wvo3FDvsdd5Tz0wPGDGa7xg, but couldn't download http://mail.domain.tld/.well-known/acme-challenge/H3fu6Dom6wx_YvaJSEn-wvo3FDvsdd5Tz0wPGDGa7xg
Erreur : Certificate renewing for mail.domain.tld failed !
Erreur : Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/certificate.py", line 382, in certificate_renew
    _fetch_and_enable_new_certificate(domain, staging)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 567, in _fetch_and_enable_new_certificate
    'certmanager_cert_signing_failed'))
MoulinetteError: [Errno 22] La signature du nouveau certificat a échoué

Erreur : [Errno 22] La signature du nouveau certificat a échoué

In nginx error.log:

2018/03/16 22:05:05 [error] 6858#0: *7 access forbidden by rule, client: IP_ADDRESS, server: mail.domain.tld, request: "GET /.well-known/acme-challenge/abdcaieaieaie HTTP/1.1", host: "mail.domain.tld"

By removing (temporarily renaming) the roundcube.conf configuration file and reloading nginx configuration, certificate renewing worked as expected.

I suspect some "deny all" rule in the file is the source of the problem.
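Added example, not part of the original issue or of YunoHost's code: a small parser that scans nginx error.log lines for HTTP-01 challenge requests rejected with "access forbidden by rule" and counts them per server block, which confirms this failure mode before touching any configuration. The function names are hypothetical, and every sample line except the first (quoted from the issue) is constructed.

```python
import re
from collections import Counter

# nginx error.log layout: date time [level] pid#tid: *conn message, client: ..., server: ..., request: "..."
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'\d+#\d+: (?:\*\d+ )?(?P<msg>.*?), client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]+), request: "(?P<method>\S+) (?P<uri>\S+)[^"]*"'
)
ACME_PREFIX = "/.well-known/acme-challenge/"


def blocked_acme_requests(lines):
    """Return parsed entries where an access rule rejected an ACME challenge request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a request-scoped error line
        if "access forbidden by rule" in m["msg"] and m["uri"].startswith(ACME_PREFIX):
            hits.append(m.groupdict())
    return hits


def affected_servers(lines):
    """Count rejected challenge requests per nginx server name."""
    return Counter(hit["server"] for hit in blocked_acme_requests(lines))


# Sample input: the first line is the one quoted in the issue, the rest are constructed.
SAMPLE_LOG = [
    '2018/03/16 22:05:05 [error] 6858#0: *7 access forbidden by rule, client: IP_ADDRESS, '
    'server: mail.domain.tld, request: "GET /.well-known/acme-challenge/abdcaieaieaie HTTP/1.1", '
    'host: "mail.domain.tld"',
    # Denied, but not a challenge path: must be ignored.
    '2018/03/16 22:05:40 [error] 6858#0: *8 access forbidden by rule, client: 192.0.2.7, '
    'server: mail.domain.tld, request: "GET /config/ HTTP/1.1", host: "mail.domain.tld"',
    # Challenge path, but a missing file rather than a deny rule: must be ignored.
    '2018/03/16 22:06:10 [error] 6858#0: *9 open() "/tmp/acme-challenge-public/x" failed '
    '(2: No such file or directory), client: 192.0.2.7, server: other.domain.tld, '
    'request: "GET /.well-known/acme-challenge/x HTTP/1.1", host: "other.domain.tld"',
    '2018/03/16 22:07:00 [error] 6858#0: *12 access forbidden by rule, client: 192.0.2.9, '
    'server: mail.domain.tld, request: "GET /.well-known/acme-challenge/token2 HTTP/1.1", '
    'host: "mail.domain.tld"',
    '2018/03/16 22:07:30 [notice] 6858#0: signal process started',
]

if __name__ == "__main__":
    for server, count in affected_servers(SAMPLE_LOG).items():
        print(f"{server}: {count} ACME challenge request(s) denied by an nginx access rule")
```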

JimboJoe commented 6 years ago

Hi, it should be solved as soon as this core PR gets released.

vetetix commented 6 years ago

Thanks, that's indeed the fix I was looking for.