acme.sh can't renew certs, I somewhat understand the cause.

richpav

acme.sh is trying to access /var/www/example.com/htaccess/.well-known/acme-challenge/

There's a rule in /etc/nginx/common/locations-wo.conf to allow access to /var/www/html/.well-known/acme-challenge but not that same directory in every hosted domain's document root directory. Did acme.sh change something? I don't think I did. I don't know enough about how it works to screw it up on my own.

The error I'm seeing is:

[Wed Mar 15 11:03:38 AM JST 2023] status='invalid'
[Wed Mar 15 11:03:38 AM JST 2023] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"5.5.5.5: Invalid response from http://example.com/.well-known/acme-challenge/QQTEullK6S1IBp4kyxxxxxxfZWUBFJyDPf1fs-EOUDQ: 404","status": 403'
[Wed Mar 15 11:03:38 AM JST 2023] errordetail='5.5.5.5: Invalid response from http://example.com/.well-known/acme-challenge/QQTEullK6S1IBp4kyxxxxxxfZWUBFJyDPf1fs-EOUDQ: 404'
[Wed Mar 15 11:03:38 AM JST 2023] example.com:Verify error:5.5.5.5: Invalid response from http://example.com/.well-known/acme-challenge/QQTEullK6S1IBp4kyxxxxxxfZWUBFJyDPf1fs-EOUDQ: 404
[Wed Mar 15 11:03:38 AM JST 2023] Debug: get token url.
[Wed Mar 15 11:03:38 AM JST 2023] GET
[Wed Mar 15 11:03:38 AM JST 2023] url='http://example.com/.well-known/acme-challenge/QQTEullK6S1IBp4kyxxxxxxfZWUBFJyDPf1fs-EOUDQ'
[Wed Mar 15 11:03:38 AM JST 2023] timeout=1
[Wed Mar 15 11:03:38 AM JST 2023] Http already initialized.
[Wed Mar 15 11:03:38 AM JST 2023] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header  -L  --trace-ascii /tmp/tmp.6Yxxxxxzhs  -g  --connect-timeout 1'

I tried making this change to locations-wo.conf but I don't know why I'm still getting the same 404 error. I ran nginx -t and wo stack restart.

# letsencrypt validation
#location /.well-known/acme-challenge/ {
#   alias /var/www/html/.well-known/acme-challenge/;
#   allow all;
#   auth_basic off;
#}

# letsencrypt validation
location /.well-known/acme-challenge/ {
   root /var/www/$host/htdocs;
   allow all;
   auth_basic off;
}

The permissions on the directories are 755 and are owned by www-data:www-data

marty

You shouldn't need to change anything - I suspect something else is causing a problem.
Is the website accessible? Has the DNS only just been added? Have any custom redirections or other conf changes been made? Is there any plugin handling redirections or security plugin that could be blocking access?

richpav

marty

For some reason all of the force-ssl-example.com.conf files in /etc/nginx/conf.d have been renamed force-ssh-example.com.conf.disabled. Fixing that fixes the problem, but I still need to keep the changes I made to locations-wo.conf or I can't fetch the URL acme.sh is trying to get.

I was able to create the certs initially and I can regenerate them manually by doing this:

wo site update example.com -le=off 
wo site update example.com -le=on

...and choosing to issue a new certificate, but I'd rather have acme.sh do it. For now it's fixed in a kludgy way but I'll have to worry again in May when the certs expire.

When force-ssl-example.com.conf is enabled, http://example.com serves up the server's default site, which has the root directory /var/www/html/ and if acme.sh were looking there like it's supposed to, everything would be working fine. I don't know why acme.sh is now putting its verification file in /var/www/example.com/htdocs/.well-known/acme-challenge/ instead of /var/www/htm/.well-known/acme-challenge/. I'm not smart enough to have screwed that up by myself, and if acme.sh changed, it doesn't make sense that this isn't happening to anyone else.