
    nginx proxy_pass 条件下的 ssl 证书自动更新

    obaby发表于 2024-01-20 03:15:08

    由于 let’s encrypt 签发的证书有效期只有 90 天,并且有的服务没有绑定目录,是通过 proxy_pass 转发的其他服务,就导致在更新证书的时候经常会出问题。

    之前为了更新证书都是先修改配置文件,证书更新完成之后再把配置文件换回去,但这个做法一直比较麻烦。查看 acme 的日志就会发现,其实是文件访问失败了:

    [Wed 17 Jan 2024 12:21:11 AM CST] responseHeaders='HTTP/2 200 
    server: nginx
    date: Tue, 16 Jan 2024 16:21:11 GMT
    content-type: application/json
    content-length: 1309
    boulder-requester: 1023612387
    cache-control: public, max-age=0, no-cache
    link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    replay-nonce: LPSUY_lxhOXaxMC2EZ9QV4b0zXRV24srjF5J4XvlRDA5S8Yb1zE
    x-frame-options: DENY
    strict-transport-security: max-age=604800
    
    '
    [Wed 17 Jan 2024 12:21:12 AM CST] code='200'
    [Wed 17 Jan 2024 12:21:12 AM CST] original='{
      "identifier": {
        "type": "dns",
        "value": "c.oba.by"
      },
      "status": "invalid",
      "expires": "2024-01-23T16:21:04Z",
      "challenges": [
        {
          "type": "http-01",
          "status": "invalid",
          "error": {
            "type": "urn:ietf:params:acme:error:unauthorized",
            "detail": "43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404",
            "status": 403
          },
          "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA",
          "token": "TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
          "validationRecord": [
            {
              "url": "http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
              "hostname": "c.oba.by",
              "port": "80",
              "addressesResolved": [
                "43.16.12.199"
              ],
              "addressUsed": "43.16.12.199"
            },
            {
              "url": "https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
              "hostname": "c.oba.by",
              "port": "443",
              "addressesResolved": [
                "43.16.12.199"
              ],
              "addressUsed": "43.16.12.199"
            }
          ],
          "validated": "2024-01-16T16:21:06Z"
        }
      ]
    }'
    [Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
    [Wed 17 Jan 2024 12:21:12 AM CST] original='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
    [Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
    [Wed 17 Jan 2024 12:21:12 AM CST] status='invalid
    invalid'
    [Wed 17 Jan 2024 12:21:12 AM CST] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403'
    [Wed 17 Jan 2024 12:21:12 AM CST] errordetail='43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404'
    [Wed 17 Jan 2024 12:21:12 AM CST] Invalid status, c.oba.by:Verify error detail:43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404
    [Wed 17 Jan 2024 12:21:12 AM CST] pid
    [Wed 17 Jan 2024 12:21:12 AM CST] No need to restore nginx, skip.
    [Wed 17 Jan 2024 12:21:12 AM CST] _clearupdns
    [Wed 17 Jan 2024 12:21:12 AM CST] dns_entries
    [Wed 17 Jan 2024 12:21:12 AM CST] skip dns.
    [Wed 17 Jan 2024 12:21:12 AM CST] _on_issue_err
    [Wed 17 Jan 2024 12:21:12 AM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log

    访问 https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw 这个文件的时候 404 了。对应的 nginx 配置文件为:

    server
        {
            listen 80;
            #listen [::]:80;
            server_name c.oba.by ;
            index index.html index.htm index.php default.html default.htm default.php;
            root  /home/wwwroot/c.oba.by;
    
            #include rewrite/none.conf;
            #error_page   404   /404.html;
    
            # Deny access to PHP files in specific directory
            #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    
    
            # This is the only active location, so every request on port 80 --
            # including the HTTP-01 challenge path /.well-known/acme-challenge/<token> --
            # is redirected to https. The validator follows the redirect, and the
            # 443 vhost has no such file either, hence the 404 in the acme.sh log.
            location / {
                return 301 https://$host$request_uri;
            }
    
            access_log  /home/wwwlogs/c.oba.by.log;
        }

    http 直接 301 到了 https,那么访问 challenge 文件时就会被转到对应的 https 端口下,而这个端口下同样没有这个文件。

    那么要解决这个问题,就需要让 nginx 能够正常提供 /.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw 的访问。

    之前尝试添加过 location 解决,但是依然失败,再次尝试:

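    server
        {
            listen 80;
            #listen [::]:80;
            server_name c.oba.by ;
            index index.html index.htm index.php default.html default.htm default.php;
            root  /home/wwwroot/c.oba.by;
    
            #include rewrite/none.conf;
            #error_page   404   /404.html;
    
            # Deny access to PHP files in specific directory
            #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    
            # Serve ACME HTTP-01 challenge files directly over port 80 instead of
            # redirecting them. Scoped to acme-challenge/ so nothing else that may
            # live under .well-known/ becomes reachable by accident. "^~" makes
            # nginx stop at this prefix, so no regex location (e.g. a PHP handler
            # elsewhere in the config) can take the request; plain prefix
            # locations are matched by longest prefix, not by their order in
            # the file. The alias directory must exist before renewing.
            location ^~ /.well-known/acme-challenge/ {
                alias /home/wwwroot/c.oba.by/.well-known/acme-challenge/;
            }
    
            # Everything else still goes to https.
            location / {
                return 301 https://$host$request_uri;
            }
    
            access_log  /home/wwwlogs/c.oba.by.log;
        }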

    不过这次把 location 提到最开始的位置了:

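    # Challenge-only prefix with "^~": matched by longest prefix regardless of
    # position in the server block, and not overridable by a regex location.
    location ^~ /.well-known/acme-challenge/ {
        alias /home/wwwroot/c.oba.by/.well-known/acme-challenge/;
    }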

    再次尝试更新证书就 ok 了。为了保险,https 配置下也可以加入这个路径;对应路径 /home/wwwroot/c.oba.by/.well-known 如果不存在的话需要重新创建。

    [Wed 17 Jan 2024 08:59:51 AM CST] Your cert is in: /usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.cer
    [Wed 17 Jan 2024 08:59:51 AM CST] Your cert key is in: /usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.key
    [Wed 17 Jan 2024 08:59:51 AM CST] The intermediate CA cert is in: /usr/local/nginx/conf/ssl/c.oba.by_ecc/ca.cer
    [Wed 17 Jan 2024 08:59:51 AM CST] And the full chain certs is there: /usr/local/nginx/conf/ssl/c.oba.by_ecc/fullchain.cer

    The post nginx proxy_pass 条件下的 ssl 证书自动更新 first appeared on obaby@mars.


