Let’s Encrypt certbot cannot complete verification due to Nginx server config

Majid Fouladpour asked:

For an application I need the following line in my location block:

rewrite ".*" /server.php break;

This causes certbot to fail to verify the domain. To install the SSL cert I commented out that line and certbot worked fine. Now, the issue is that renewal is automated and will fail if I uncomment the line.

Is there a way to have a dedicated location just for Let’s Encrypt’s verification? If so, what?

Here is the full block with the problem line commented:

location / {
    try_files $uri $uri/ =404;
    fastcgi_pass unix:/run/php/php7.1-fpm.sock;
    include fastcgi_params;
    fastcgi_param USE_INSTANCE 'd1';
    fastcgi_param SCRIPT_FILENAME $request_filename;
    #rewrite ".*" /server.php break;
}

If you wonder why I am not limiting the match pattern to ~ \.php$, it is because the config belongs to my api.host.com endpoint which will only receive requests that need to be routed to a PHP script.

My answer:

I created a separate location block for certbot.

location /.well-known/acme-challenge/ {
    root /var/www;
    try_files $uri =404;
}

(Note that I use the same document root for every virtual host, which is outside the normal document root, so certbot is never writing anything to the web sites’ actual directories.)
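Why the dedicated block takes precedence over location / regardless of where it appears in the config, as an added Python model of nginx's prefix-location selection (example code, not from the post or from nginx itself). The root for location / and the request URIs are constructed; the model ignores regex and ^~ locations because the config has none.

```python
"""Model of how nginx picks between the two location blocks above.

Prefix locations are compared by length: the longest prefix that matches the
request URI wins, so /.well-known/acme-challenge/ beats / for challenge
requests even though it is declared after it. Regex locations are not modelled.
"""
import posixpath

# Constructed config: the challenge block from the answer plus the original
# "location /" with its rewrite re-enabled. The root for "/" is assumed.
LOCATIONS = {
    "/": {"root": "/var/www/api", "rewrite": "/server.php"},
    "/.well-known/acme-challenge/": {"root": "/var/www", "rewrite": None},
}


def select_location(uri, locations=LOCATIONS):
    """Return the longest prefix that matches the URI (config order is irrelevant)."""
    matches = [prefix for prefix in locations if uri.startswith(prefix)]
    return max(matches, key=len)


def resolve(uri, locations=LOCATIONS):
    """Return (chosen prefix, filesystem path that block would serve).

    Applies the block's rewrite, joins root + URI, collapses "." and ".."
    segments, and refuses any result that leaves the block's own directory,
    so a crafted challenge token cannot read outside the challenge root.
    """
    prefix = select_location(uri, locations)
    block = locations[prefix]
    effective_uri = block["rewrite"] or uri
    base = posixpath.normpath(block["root"] + prefix)
    path = posixpath.normpath(block["root"] + effective_uri)
    if not path.startswith(base + "/"):
        raise ValueError("resolved path %s escapes %s" % (path, base))
    return prefix, path


if __name__ == "__main__":
    # A renewal challenge is served from /var/www; an API call still hits server.php.
    print(resolve("/.well-known/acme-challenge/abc123"))
    print(resolve("/users/42"))
```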

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.