Created
April 28, 2020 06:34
-
-
Save joduplessis/4a11c86fa5c5f91ee91aaf7a9b91d0cc to your computer and use it in GitHub Desktop.
Generating LE certs manually with acme challenges.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################# | |
| # Configuration file for Let's Encrypt ACME Challenge location | |
| # This file is already included in listen_xxx.conf files. | |
| # Do NOT include it separately! | |
| ############################################################################# | |
| # | |
| # This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx | |
| # on all our sites (HTTP), including all subdomains. | |
| # This is required by ACME Challenge (webroot authentication). | |
| # You can check that this location is working by placing ping.txt here: | |
| # /var/www/letsencrypt/.well-known/acme-challenge/ping.txt | |
| # And pointing your browser to: | |
| # http://xxx.domain.tld/.well-known/acme-challenge/ping.txt | |
| # | |
| # Sources: | |
| # https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491 | |
| # | |
| ############################################################################# | |
| # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) | |
| # We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel | |
| # other regex checks, because in our other config files have regex rule that denies access to files with dotted names. | |
| location ^~ /.well-known/acme-challenge/ { | |
| # Set correct content type. According to this: | |
| # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29 | |
| # Current specification requires "text/plain" or no content header at all. | |
| # It seems that "text/plain" is a safe option. | |
| default_type "text/plain"; | |
| # This directory must be the same as in /etc/letsencrypt/cli.ini | |
| # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter | |
| # there to "webroot". | |
| # Do NOT use alias, use root! Target directory is located here: | |
| # /var/www/common/letsencrypt/.well-known/acme-challenge/ | |
| root /var/www/letsencrypt; | |
| } | |
| # Hide /acme-challenge subdirectory and return 404 on all requests. | |
| # It is somewhat more secure than letting Nginx return 403. | |
| # Ending slash is important! | |
| location = /.well-known/acme-challenge/ { | |
| return 404; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ------------------------------------------------------------------------------------------------ | |
| # Listen on primary IP address | |
| listen 1.2.3.4:80; | |
| listen [::]:80; | |
| # Include location directive for Let's Encrypt ACME Challenge | |
| include /etc/nginx/snippets/letsencrypt-acme-challenge.conf; | |
| # ------------------------------------------------------------------------------------------------ | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generate & install certs | |
| # This will ask to create acme challenge file | |
| # in /var/www/common/letsencrypt/.well-known/acme-challenge/ | |
| certbot certonly --manual -d example.com | |
| # Once done - install it with (instead of manually): | |
| certbot --nginx -d example.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment