jamezpolley
commented
4 years ago Certbot works with nginx by creating a new vhost config which looks a bit like this:
server {
listen 80
.....
}This fails on RTK as Nginx doesn't listen on port 80, varnish does. Varnish forwards the request to Nginx on :8000 which doesn't know how to handle the request.
Couple of possible ways to handle this:
- There's a third-party certbot plugin which attempts to munge the varnish config to serve the challenge files; but the author notes that it's not well tested, makes many assumptions, and throws a bunch of warnings when the code is analysed. I'd prefer not to use this.
- Certbot has pre/post hooks which could be used to shut down varnish before the renewal and restart it afterwards. I'd prefer to avoid this as it causes a small unnecessary outage at least once per day.
- Certbot supports a
webrootmethod, which writes files into a specified directory. We could use this in conjunction with a small tweak to Nginx config so that Nginx knows that requests for.well-knownshould be served from that directory.
I'm going to go ahead with the third option for now.
mlandauer
In fixing #146 certbot was updated to use the Nginx method to update certs on RightToKnow. However, testing shows that this is not working. Nginx logs show the requests from the LetsEncrypt validation server being received by Nginx and redirected, then refused: