Let's Encrypt finalize bad status 403 on the domain where the proxy template is used

Hello everyone,

I can’t renew the Let’s Encrypt certificate on the domain (subdomain) where the proxy template is used.


Proxy templates:
#Portfolio_ADMIN.stpl

server {
    listen %ip%:%proxy_port%;
    server_name %domain_idn%;
    return 301 https://%domain_idn%$request_uri;
}

server {
    listen %ip%:%proxy_ssl_port% http2 ssl;
    server_name %domain_idn%;
    ssl_certificate %ssl_pem%;
    ssl_certificate_key %ssl_key%;
    error_log /var/log/%web_system%/domains/%domain%.error.log error;
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_types image/svg+xml svg svgz text/plain application/x-javascript text/xml text/css;
    gzip_vary on;

    location / {
        proxy_pass http://127.0.0.1:6060;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /error/ {
        alias %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        # fixed: "6060:/$1" is not a valid host:port and $1 is unset in a named location;
        # the backend on 6060 speaks plain HTTP, as in "location /" above
        proxy_pass http://127.0.0.1:6060;
    }

    location ~ /\.ht {
        return 404;
    }
    location ~ /\.svn/ {
        return 404;
    }
    location ~ /\.git/ {
        return 404;
    }
    location ~ /\.hg/ {
        return 404;
    }
    location ~ /\.bzr/ {
        return 404;
    }

    include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
}

#Portfolio_ADMIN.tpl

server {
    listen %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;
    error_log /var/log/%web_system%/domains/%domain%.error.log error;


    location / {
        proxy_pass http://127.0.0.1:6060;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /error/ {
        alias %home%/%user%/web/%domain%/document_errors/;
    }
    location ~ /.well-known {
        allow all;
    }

    location @fallback {
        # fixed: "6060:/$1" is not a valid host:port and $1 is unset in a named location
        proxy_pass http://127.0.0.1:6060;
    }

    location ~ /\.ht {
        return 404;
    }
    location ~ /\.svn/ {
        return 404;
    }
    location ~ /\.git/ {
        return 404;
    }
    location ~ /\.hg/ {
        return 404;
    }
    location ~ /\.bzr/ {
        return 404;
    }

    include %home%/%user%/conf/web/nginx.%domain%.conf*;
}

It would be great if you could help.

Hi @Sarvar

The includes you are using for both templates are the wrong ones.

In Portfolio_ADMIN.tpl replace:

    include %home%/%user%/conf/web/nginx.%domain%.conf*;

by:

    include %home%/%user%/conf/web/%domain%/nginx.conf_*;

In Portfolio_ADMIN.stpl replace:

    include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;

by:

    include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;

Once it is changed, remember to rebuild your web domain.

Thanks for the answer.
I edited the templates, saved them, rebuilt the domain (via v-rebuild-web-domain), but the error still didn’t go away.

When I update the SSL certificate using the same template for the sangilov.uz domain, it updates without any problems, but I have the same problem with the subdomain.


#Portfolio_ADMIN.tpl

server {
    listen %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;
    error_log /var/log/%web_system%/domains/%domain%.error.log error;


    location / {
        proxy_pass http://127.0.0.1:6060;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /error/ {
        alias %home%/%user%/web/%domain%/document_errors/;
    }
    location ~ /.well-known {
        allow all;
    }

    location @fallback {
        # fixed: "6060:/$1" is not a valid host:port and $1 is unset in a named location
        proxy_pass http://127.0.0.1:6060;
    }

    location ~ /\.ht {
        return 404;
    }
    location ~ /\.svn/ {
        return 404;
    }
    location ~ /\.git/ {
        return 404;
    }
    location ~ /\.hg/ {
        return 404;
    }
    location ~ /\.bzr/ {
        return 404;
    }

    include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}

#Portfolio_ADMIN.stpl

server {
    listen %ip%:%proxy_port%;
    server_name %domain_idn%;
    return 301 https://%domain_idn%$request_uri;
}

server {
    listen %ip%:%proxy_ssl_port% http2 ssl;
    server_name %domain_idn%;
    ssl_certificate %ssl_pem%;
    ssl_certificate_key %ssl_key%;
    error_log /var/log/%web_system%/domains/%domain%.error.log error;
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_types image/svg+xml svg svgz text/plain application/x-javascript text/xml text/css;
    gzip_vary on;

    location / {
        proxy_pass http://127.0.0.1:6060;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /error/ {
        alias %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        # fixed: "6060:/$1" is not a valid host:port and $1 is unset in a named location;
        # the backend on 6060 speaks plain HTTP, as in "location /" above
        proxy_pass http://127.0.0.1:6060;
    }

    location ~ /\.ht {
        return 404;
    }
    location ~ /\.svn/ {
        return 404;
    }
    location ~ /\.git/ {
        return 404;
    }
    location ~ /\.hg/ {
        return 404;
    }
    location ~ /\.bzr/ {
        return 404;
    }

    include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}

Show the output of these commands:

ls -la /home/*/conf/web/admin.sangilov.uz/
cat /home/*/conf/web/admin.sangilov.uz/nginx.conf
cat /home/*/conf/web/admin.sangilov.uz/nginx.conf_letsencrypt
cat /home/*/conf/web/admin.sangilov.uz/nginx.ssl.conf

ls -la /home/*/conf/web/admin.sangilov.uz/

cat /home/*/conf/web/admin.sangilov.uz/nginx.conf

cat /home/*/conf/web/admin.sangilov.uz/nginx.conf_letsencrypt
[screenshot of the output]

cat /home/*/conf/web/admin.sangilov.uz/nginx.ssl.conf
[screenshot of the output]

As I understand it, the nginx.ssl.conf file and the Portfolio_ADMIN.stpl file should be the same?

Edit /home/Savar/conf/web/admin.sangilov.uz/nginx.conf and comment these lines:

    location ~ /.well-known {
        allow all;
    }

So they will look like:

#    location ~ /.well-known {
#        allow all;
#    }

Save the file and restart nginx:

systemctl restart nginx

Now check whether this conf works using this command:

curl -ikL http://admin.sangilov.uz/.well-known/acme-challenge/test

The output should show the text: test.YourLetsEncryptThumbPrint
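As an added illustration, not code from the thread or from Hestia: a small Python model of nginx's location selection (exact, longest prefix, then regex locations tried in file order with the first match winning) run against a cut-down version of the Portfolio_ADMIN.tpl server block above. The acme-challenge location at the end stands in for what the nginx.conf_letsencrypt include contributes (its shape and the thumbprint value are assumptions), and the run shows that the `location ~ /.well-known` block, because it is listed first, captures /.well-known/acme-challenge/test so the challenge response location is never reached; commenting it out, as suggested, restores the expected match.

```python
import re

# Simplified nginx location matching: "=" exact, plain/"^~" prefix, then "~"/"~*" regex in file order.
LOCATION_RE = re.compile(r'location\s+(?:(=|\^~|~\*|~)\s+)?("?)(\S+?)\2\s*\{')

def parse_locations(conf: str):
    """Return (modifier, pattern) pairs in source order, skipping '#'-commented lines."""
    live = "\n".join(l for l in conf.splitlines() if not l.strip().startswith("#"))
    return [(m.group(1) or "", m.group(3)) for m in LOCATION_RE.finditer(live)]

def select_location(locations, uri: str):
    """Pick the location nginx would use for uri (named @locations are ignored)."""
    best = None
    for mod, pat in locations:
        if pat.startswith("@"):
            continue
        if mod == "=" and uri == pat:
            return (mod, pat)
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    if best and best[0] == "^~":
        return best  # a ^~ prefix match stops the regex search
    for mod, pat in locations:
        if mod == "~" and re.search(pat, uri):
            return (mod, pat)
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return (mod, pat)
    return best

# Constructed, cut-down server block in the shape of the thread's Portfolio_ADMIN.tpl.
# The last location is an assumed stand-in for the nginx.conf_letsencrypt include.
BROKEN = r"""
location / { proxy_pass http://127.0.0.1:6060; }
location /error/ { alias /home/user/web/example/document_errors/; }
location ~ /.well-known {
    allow all;
}
location @fallback { proxy_pass http://127.0.0.1:6060; }
location ~ /\.ht { return 404; }
location ~ /\.git/ { return 404; }
location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.YOUR_THUMBPRINT_PLACEHOLDER";
}
"""
# The same block with the stray .well-known location commented out, as the fix in the thread.
FIXED = BROKEN.replace("location ~ /.well-known {\n    allow all;\n}",
                       "#location ~ /.well-known {\n#    allow all;\n#}")
CHALLENGE = "/.well-known/acme-challenge/test"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", select_location(parse_locations(conf), CHALLENGE))
```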

Thank you very much, it worked.

I deleted the part

location ~ /.well-known {
allow all;
}

from the Portfolio_ADMIN.tpl file and it worked.
