  • Letsencrypt validation not working with GeoIP

  • Ddutuka

      Level 1

    Hello community,
    I set up GeoIP successfully, but Letsencrypt validation also gets blocked by GeoIP, so adding a new SSL certificate or renewing one doesn't work.

    To make it work, I have to comment out (disable) the Letsencrypt validation (lines 34-39) in common/location-wo.conf and put these lines before the other include rules in sites-available/domain.

    Letsencrypt validation works with this workaround, but I have to edit this for every domain. Is there any way to make it work for all existing domains and new domains without editing every single domain conf file?

    Or could Wordops handle Letsencrypt validation with the highest priority (level) in the next update, so that it works out of the box?

    Thank you.

      • Mmarty

        Level 82

      dutuka I set up GeoIP successfully...

      How? If you provide the changes you made someone may be able to suggest a fix/workaround/better approach.

      • Ddutuka

          Level 1

        My final solution to allow the Letsencrypt challenge through GeoIP is:

        1. Create the file GeoIP.conf in the conf.d folder, then add the following lines:

          geoip_country /usr/share/GeoIP/GeoIP.dat;
          # Allow letsencrypt validation acme_challenge for geoIP
          map $request_uri $acme_challenge {
              default yes;
              ~^/.well-known/acme-challenge/ yes;
          }

        2. Create geoip_allow_ssl_ace.conf in /etc/nginx/common/, then add the following lines:

          # Allow letsencrypt validation acme_challenge for geoIP
          if ($acme_challenge = yes) {
              set $allowed_country yes;
          }

        Reload nginx: service nginx reload
        Then create an SSL-enabled site: wo site create domain -wp -le
        Letsencrypt validation is no longer blocked by GeoIP.

          • Ddutuka

              Level 1

            Since GeoIP is not activated in Wordops by default, this is a custom config, but this solution might be useful in the future if we can activate GeoIP as a Wordops option.

            dutuka Default should be no, right?

            6 days later

            It depends on your needs; for the Letsencrypt challenge I leave default yes, everything else default no.

            I mean, this block:

            map $request_uri $acme_challenge {
                default yes;
                ~^/.well-known/acme-challenge/ yes;
            }

            Is equivalent to this pseudocode:

            $default = 'yes';
            $acme_challenge = $default;
            if $request_uri matches "^/.well-known/acme-challenge/" {
                $acme_challenge = 'yes';
            }

            I.e., your logic does not have a no state, only the default 'yes' both outside and inside the match; no matter what the request is, $acme_challenge will always be equal to yes.

            If this is the expected behaviour, then the entire block is unnecessary. 🙂

            • Ddutuka

                Level 1

              That's correct for my use case: since I have other GeoIP blocks which already include default no, they also block requests to ~^/.well-known/acme-challenge/, hence adding or renewing SSL stops working.

              After adding

              map $request_uri $acme_challenge {
                  default yes;
                  ~^/.well-known/acme-challenge/ yes;
              }

              on top of other blocking rules, adding or renewing SSL works again.

              • Ddutuka

                  Level 1

                Oh I see, default yes is not needed; this also works:

                map $request_uri $acme_challenge {
                    ~^/.well-known/acme-challenge/ yes;
                }

                I don't set a no state because LetsEncrypt keeps adding/changing the countries it validates SSL from, so all requests (and only those) to /.well-known/acme-challenge/ are allowed by default.
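                The arrangement the thread converges on, written out end to end as an added example (this is not code from the thread or from WordOps): an http-level country allow-list with default no, the ACME-challenge map in its final form without a default, and the server-level override followed by the block rule. The module and database path are the ones used above; the country codes, the server_name, the root path and the file names are placeholders chosen for illustration.

                ```nginx
                # --- /etc/nginx/conf.d/geoip.conf (http context) ---------------------
                # Legacy ngx_http_geoip_module database, same path as in the thread.
                geoip_country /usr/share/GeoIP/GeoIP.dat;

                # Country allow-list. Everything not listed resolves to "no".
                # DE and FR are placeholder codes for this example.
                map $geoip_country_code $allowed_country {
                    default no;
                    DE      yes;
                    FR      yes;
                }

                # ACME exception. No "default" line: any other URI yields an empty
                # string, which is not equal to "yes", so the override below does
                # not fire for it. The dot is escaped so it matches only a literal
                # ".well-known" rather than any character.
                map $request_uri $acme_challenge {
                    ~^/\.well-known/acme-challenge/ yes;
                }

                # --- /etc/nginx/common/geoip_allow_ssl_acme.conf (server context) ----
                # Rewrite-phase directives run in order inside the server block, so
                # the override is applied before the block rule is evaluated.
                if ($acme_challenge = yes) {
                    set $allowed_country yes;
                }
                if ($allowed_country = no) {
                    return 403;
                }

                # --- /etc/nginx/sites-available/example.com (placeholder vhost) ------
                server {
                    listen 80;
                    server_name example.com;              # placeholder
                    root /var/www/example.com/htdocs;     # placeholder

                    # Pull the GeoIP rule in once per vhost instead of copying the
                    # "if" blocks into every domain file.
                    include common/geoip_allow_ssl_acme.conf;

                    location /.well-known/acme-challenge/ {
                        try_files $uri =404;
                    }
                }
                ```

                Because both maps live at the http level, every server block that includes the common file gets the same behaviour, which is what the original question asked for. After editing, run nginx -t before service nginx reload; a quick check from a non-allowed address is that a request to /.well-known/acme-challenge/anything returns 404 (it reached the location and the file is simply absent) while any other path returns 403.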
