
I can successfully route traffic from port 80 to HTTPS, and I can also get the Let's Encrypt SSL certificate successfully. But my problem starts when I want to do both.

Whenever my certs are about to expire, I have to adjust the config to pass the Let's Encrypt challenges, and that's no good.

Here is the config that passes the challenges successfully:

    server {
        listen 80;
        listen [::]:80;
        server_name example.com *.example.com;

        # for certbot challenges (renewal process)
        location ~ /.well-known/acme-challenge {
            allow all;
            root /data/letsencrypt;
        }

        root /data/letsencrypt;
        index index.html;
    }

And here is the config that routes the traffic to HTTPS:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name example.com *.example.com;

        location / {
            return 301 https://$host$request_uri;
        }

        return 444;
    }

Whenever I start trying to combine them, the routing to HTTPS seems to take over and the challenges break.

It may also be useful to note that I'm using Nginx as a reverse proxy in a Docker environment: from HTTP I route to HTTPS, and from there I reverse proxy to other services.

Comment: Something like this works for me. (Nov 5, 2019 at 13:32)

1 Answer

    server {
        listen 80;
        listen [::]:80;
        server_name example.com *.example.com;

        # for certbot challenges (renewal process)
        location ~ ^/.well-known/acme-challenge {
            allow all;
            root /data/letsencrypt;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

Should do the trick.

If it comes in on port 80 and begins with /.well-known/acme-challenge, it goes to the challenge.

Anything else: 301 to HTTPS.

And the priority when checking is first the regex (location ~ ^blablabla) and then the general one (location / {).

If it doesn't work, what's the interaction you are having?


3 Comments

You can do the same without a regex, just with regular location blocks. They are evaluated in the order of longest-to-shortest match.
Yup, but I prefer to secure the shot, because I don't know what's in his configuration. If I give him a regex, 90% of the time other regexes won't interfere. Regular location blocks have lower priority, so in case he has other regexes that may somehow match... like this it'll work. Of course your answer works for sure with my answer.
@flaixman my certs just expired, so I had the chance to test this and it worked great. Thanks!
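The answer and the comments below it hinge on nginx's location precedence (exact `=` first, then the longest prefix, then regex locations in configuration order, then the remembered prefix), and on one pitfall worth checking when the two configs from the question are merged: a `return` placed directly in a `server {}` block is executed in the server rewrite phase, before any location is selected, so a merged config that keeps the `return 444;` from the redirect block would drop the challenge requests too. The script below is an added example, not code from the question, the answer or the comments: it models that selection algorithm and runs the configs discussed here through it, including the prefix-only variant from the comments. The "deny dotfiles" location (`location ~ /\.`) is an assumed extra rule used to show why the regex form is more robust; it is not on the page. URIs are assumed to be already normalised, and only each block's outcome is modelled.

```python
"""Added example: a small model of nginx's location selection, used to check
which block wins for the ACME challenge path under the configs on this page.

Matching order follows the nginx `location` documentation: exact `=` first,
then the longest prefix match (a `^~` prefix stops the search), then regex
locations in configuration order, then the remembered longest prefix.
A `return` directly inside server {} runs before any location is chosen.
Assumptions: URIs are already normalised; only each block's outcome is kept.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    modifier: str   # "", "=", "^~", "~" or "~*"
    pattern: str    # prefix string or regular expression
    outcome: str    # what the block does, e.g. "challenge" or "301"


@dataclass(frozen=True)
class Server:
    locations: tuple
    server_return: Optional[str] = None  # a `return` placed directly in server {}


def resolve(server: Server, uri: str) -> str:
    """Return the outcome nginx would produce for `uri` on this server block."""
    if server.server_return is not None:
        return server.server_return          # server rewrite phase, before locations

    for loc in server.locations:             # 1. exact match
        if loc.modifier == "=" and uri == loc.pattern:
            return loc.outcome

    best = None                              # 2. longest prefix match
    for loc in server.locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best.outcome                  # `^~` skips the regex search

    for loc in server.locations:             # 3. regexes, in config order
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):   # nginx regexes are unanchored
                return loc.outcome

    if best is not None:                     # 4. fall back to the prefix match
        return best.outcome
    return "404"


CHALLENGE = "/.well-known/acme-challenge/SoMeToKeN"   # constructed token path

# The accepted answer: regex challenge location plus a catch-all redirect.
ANSWER = Server((
    Location("~", r"^/.well-known/acme-challenge", "challenge"),
    Location("", "/", "301"),
))

# The prefix-only variant suggested in the comments.
PREFIX_ONLY = Server((
    Location("", "/.well-known/acme-challenge/", "challenge"),
    Location("", "/", "301"),
))

# Assumed extra rule (not from the page): a common "deny dotfiles" regex block.
DENY_DOTFILES = Location("~", r"/\.", "403")
ANSWER_WITH_DOTFILE_RULE = Server(ANSWER.locations + (DENY_DOTFILES,))
PREFIX_WITH_DOTFILE_RULE = Server(PREFIX_ONLY.locations + (DENY_DOTFILES,))

# Naive merge of the questioner's two blocks that keeps the server-level `return 444;`.
NAIVE_MERGE = Server(ANSWER.locations, server_return="444")


def summary() -> dict:
    """Outcome for the challenge path and for an ordinary path, per config."""
    configs = {
        "answer": ANSWER,
        "prefix_only": PREFIX_ONLY,
        "answer+dotfile_rule": ANSWER_WITH_DOTFILE_RULE,
        "prefix+dotfile_rule": PREFIX_WITH_DOTFILE_RULE,
        "naive_merge": NAIVE_MERGE,
    }
    return {name: (resolve(s, CHALLENGE), resolve(s, "/index.html"))
            for name, s in configs.items()}


if __name__ == "__main__":
    for name, (challenge, other) in summary().items():
        print(f"{name:22} challenge -> {challenge:10} other -> {other}")
```

Both the answer's config and the prefix-only variant send the challenge path to the challenge block and everything else to the 301. The difference shows up once another regex location is present: with the prefix-only form the dotfile rule wins and the challenge gets a 403, while the answer's regex, being earlier in the file, still wins. The naive merge returns 444 for everything, challenge included. Once the merged config is in place, `certbot renew --dry-run` exercises the HTTP-01 challenge path without waiting for the certificates to expire.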
