appsembler / roles

Curated Ansible roles with an emphasis on sane defaults, extensibility, and reusability.
MIT License

letsencrypt Nginx conf looks in wrong folder? #53

Open bryanlandia opened 5 years ago

bryanlandia commented 5 years ago

I wasn't able to get manual certbot authentication working with this location. I think both conditional cases should use alias not root, right? Or, authenticator.sh.j2 is incorrect and should store files at {{letsencrypt_webroot}}/.well-known/acme-challenge?

    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        {% if letsencrypt_alternative_acme_folder == "" %}
          root {{ letsencrypt_webroot }};
        {% else %}
          alias {{ letsencrypt_webroot }}/{{ letsencrypt_alternative_acme_folder }};
        {% endif %}
    }

Command run was `certbot certonly --agree-tos -m "ops@appsembler.com" --manual --manual-public-ip-logging-ok --preferred-challenges=http --manual-auth-hook /opt/scripts/authenticator.sh -d insights.getyouredge.org`

which resulted in a 404 response trying to find /var/www/letsencrypt/.well-known/acme-challenge/foo when the file was stored at /var/www/letsencrypt/foo via the /opt/scripts/authenticator.sh script.

melvinsoft commented 5 years ago

@briandant Sorry for the delay here, I think @thraxil is the most indicated to weigh in here!

@thraxil Can you take a quick look?

thraxil commented 5 years ago

@briandant @melvinsoft I think this nginx config is correct, but you don't want to use the authenticator script with it if you don't need the alternative folder setting.

The letsencrypt_alternative_acme_folder setting is pretty much just for Tahoe since we use a GCS bucket to store them and GCS won't let you have a folder named .well-known. So we name it acme-challenges-custom-folder and that is within our mounted /var/www/letsencrypt. The nginx alias ensures that an HTTP request for /.well-known/acme-challenge maps to /var/www/letsencrypt/acme-challenges-custom-folder. The difference between root and alias is that root adds the path from the location directive to it and alias ignores it. If we used root in the second clause, it would look in /var/www/letsencrypt/acme-challenges-custom/.well-known/acme-challenge, which would fail. If we used alias in the first clause, it could work as long as letsencrypt_webroot is set to /var/www/letsencrypt/.well-known/acme-challenge, but the typical setup is that letsencrypt_webroot is just set to /var/www/letsencrypt.

If you don't have Tahoe's constraint of needing a non-standard directory name, you shouldn't need to use the manual authenticator script. You should be able to just use letsencrypt_webroot=/var/www/letsencrypt and do a default challenge without using --manual-auth-hook.
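The root-versus-alias distinction above is easy to get wrong, so here is a small model of nginx's path resolution that reproduces the four cases described in the thread (root or alias, with and without the alternative folder). This is an added example, not code from the appsembler/roles project; it assumes the same `location '/.well-known/acme-challenge'` block and the `/var/www/letsencrypt` / `acme-challenges-custom-folder` values quoted in the thread, and it only mirrors the resolution rule (root keeps the full URI, alias replaces the matched location prefix) rather than running nginx.

```python
"""Model of how nginx maps a request URI to a file under `root` vs `alias`.

Constructed example (not appsembler/roles code): it encodes the rule from the
thread so the ACME challenge lookup can be checked without a running nginx.
"""
from __future__ import annotations

import posixpath

# The location block quoted in the issue; used as the prefix that `alias` strips.
LOCATION = "/.well-known/acme-challenge"


def _normalize_uri(uri: str) -> str:
    """Collapse '.' and '..' segments the way nginx does before location matching."""
    if not uri.startswith("/"):
        raise ValueError(f"URI must be absolute: {uri!r}")
    return posixpath.normpath(uri)


def _ensure_within(base: str, path: str) -> str:
    """Refuse any resolved path that escapes the directory it is meant to live in."""
    base = posixpath.normpath(base)
    if path != base and not path.startswith(base + "/"):
        raise ValueError(f"{path!r} escapes {base!r}")
    return path


def resolve_root(root: str, uri: str) -> str:
    """`root DIR;` -> file path is DIR + full URI (location prefix is kept)."""
    uri = _normalize_uri(uri)
    return _ensure_within(root, posixpath.normpath(root + uri))


def resolve_alias(alias: str, uri: str, location: str = LOCATION) -> str:
    """`alias DIR;` -> file path is DIR + (URI with the location prefix removed)."""
    uri = _normalize_uri(uri)
    if uri != location and not uri.startswith(location + "/"):
        raise ValueError(f"{uri!r} is not under location {location!r}")
    rest = uri[len(location):]
    return _ensure_within(alias, posixpath.normpath(alias + rest))


def render_location(webroot: str, alt_folder: str = "") -> tuple[str, str]:
    """Mirror the Jinja conditional from the role: (directive, argument)."""
    if alt_folder == "":
        return ("root", webroot)
    return ("alias", f"{webroot}/{alt_folder}")


def lookup_path(webroot: str, alt_folder: str, uri: str) -> str:
    """Where nginx, configured as the role renders it, will look for `uri`."""
    directive, arg = render_location(webroot, alt_folder)
    if directive == "root":
        return resolve_root(arg, uri)
    return resolve_alias(arg, uri)


if __name__ == "__main__":
    # Constructed values taken from the thread.
    webroot = "/var/www/letsencrypt"
    custom = "acme-challenges-custom-folder"
    uri = "/.well-known/acme-challenge/foo"

    print("default setup (root):   ", lookup_path(webroot, "", uri))
    print("Tahoe setup (alias):    ", lookup_path(webroot, custom, uri))
    # The two alternatives thraxil rules out:
    print("root in 2nd clause:     ", resolve_root(f"{webroot}/{custom}", uri))
    print("alias in 1st clause:    ", resolve_alias(webroot, uri))
```

Running the script shows the default case resolving to `/var/www/letsencrypt/.well-known/acme-challenge/foo` (so the webroot plugin, which writes under `.well-known/acme-challenge`, is served correctly) and the alias case resolving to `/var/www/letsencrypt/acme-challenges-custom-folder/foo`. The last line also explains the 404 in the original report: the manual authenticator writes `/var/www/letsencrypt/foo`, which is only where an `alias {{ letsencrypt_webroot }}` would look, not where the rendered `root` clause does.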

briandant commented 5 years ago

@bryanlandia ^^

thraxil commented 5 years ago

Wrong Br[yi]an. Sorry.