toomuchio/plex-nginx-reverseproxy

CertBot automatic renewal fails

sgu222e opened this issue · 2 comments

Observed issue: Trying to use Certbot to renew the SSL cert (only a dry run for now, the cert has not expired yet), Certbot throws a 401 Unauthorized error when trying to access http://plex.domain.com/.well-known/acme-challenge/longkey. This is probably due to the root path redirect to the Plex server, which proxies everything under the root path.

Desired result: Using Certbot to auto-renew the certificate should work properly.

I was able to resolve this by changing the nginx.conf to ignore calls to /.well-known and pass them to the original nginx path where the cert was verified. Might be worth adding to your code for other users.
Code:

location ^~ /.well-known {
    # serve the ACME challenge files from nginx's own webroot instead of proxying them to Plex
    alias /usr/share/nginx/html/.well-known;
}
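For reference, here is a fuller version of the same fix as an added example; it is not the repository's own configuration. The server name, the Plex upstream address and the webroot path are assumptions. The `^~` modifier matters: it is a prefix match that stops nginx from evaluating regex locations, so the challenge block is chosen before any catch-all that proxies to Plex. Only /.well-known/acme-challenge/ is exposed rather than all of /.well-known, and the challenge location is present in the port 80 block (where HTTP-01 validation starts) as well as the port 443 block, since Let's Encrypt follows the HTTP to HTTPS redirect.

```nginx
# Port 80: answer ACME HTTP-01 challenges locally, redirect everything else to HTTPS.
server {
    listen 80;
    server_name plex.example.com;          # assumption

    # Certbot writes tokens to <webroot>/.well-known/acme-challenge/<token>,
    # so with "root" the on-disk path lines up with the request URI.
    # Usage (assumed): certbot renew --webroot -w /var/www/letsencrypt --dry-run
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;         # assumed webroot
        default_type "text/plain";
        try_files $uri =404;               # never fall through to the proxy
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: same challenge location first, then the Plex reverse proxy.
server {
    listen 443 ssl http2;
    server_name plex.example.com;          # assumption

    ssl_certificate     /etc/letsencrypt/live/plex.example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/plex.example.com/privkey.pem;    # assumed path

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Catch-all proxy to Plex. Without the block above, the challenge request
    # lands here and Plex answers it with 401 Unauthorized.
    location / {
        proxy_pass http://127.0.0.1:32400;  # assumed Plex address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After a successful `--dry-run`, the renewal itself can reload nginx only when a certificate actually changed by passing `--deploy-hook "systemctl reload nginx"` to `certbot renew`; a reload picks up the new certificate without dropping existing connections, which is less disruptive than a restart.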

That's expected behavior, the configuration isn't really made with a focus on any one cert provider or renew method (I personally stop nginx and renew then start it again) so including this would tie it to certbot.

I'd expect anybody who is using certbot would configure it as required like you have, so I won't change the config, but hopefully in future, if somebody has issues with this, they will find this issue instead of opening a new one.

Thanks though.

Edit: Just to be clear though, in the comments I recommend using letsencrypt to get a free cert since they're pretty much the only ones to offer it, but most people use this configuration so they can run it through CF anyway. In that case you'd just install the CF cert or make a self-signed one anyway. People probably use certs provided by domain holders as well, etc. If we start including stuff like this by default then people have to remove it, and it ties it to one method.

No worries, I just wanted to see if it was possible. I figured letsencrypt would be the de facto go-to since they are free.
I set up a cron job to check for a new cert nightly, and if it updates, to automatically restart nginx for me to minimize downtime.

Thanks for the script btw.