I did a new Nginx webserver installation within a multiserver environment. Trying to get a 100% score on internet.nl for my default website, I had a hell of a job accomplishing that. It turned out that the file acme.vhost was the cruel pit that resulted in the "HTTPS redirect" and "IPv4 and IPv6 equal websites" errors, as HTTP kept returning 403, because acme.vhost was handling the servername on port 80 and disabling any root access (to a root folder that is not the default one). What is the use of this file? Besides enabling authentication for acme.sh through the webserver when requesting a certificate for the servername, I can't think of any other use. In an Apache installation the file acme.conf only supplies an alias for all websites. And all created websites in an Nginx installation get an acme-challenge location. I have now disabled the file acme.vhost, as I use DNS authentication for the servername certificate, and let the file default handle the servername on ports 80 and 443. That way internet.nl is fully satisfied (after adding some extra config in default). Or will this bite me somehow?
The acme.vhost file is used to authenticate LE certs. If I remember correctly, it was used for the hostname. If you use DNS auth for the system hostname, then disabling it should be fine.
So my conclusion about its function was correct. Then why not add the acme-challenge location as a snippet in Nginx and get rid of acme.vhost? Add the snippet in default; that way it won't bite the servername on port 80. It can also be added in /usr/local/ispconfig/server/conf/nginx_vhost.conf.master instead of the acme-challenge location it has now. That way it's somewhat like the alias under Apache. I do the same with my security.txt script for server-wide deployment.
I've added this in the newly created file /etc/nginx/snippets/acme-challenge.conf:

Code:
    location ^~ /.well-known/acme-challenge/ {
        # no logging and no basic auth on this path: the ACME server must be able to fetch the token
        access_log off;
        log_not_found off;
        auth_basic off;
        # web root the challenge files are served from
        root /usr/local/ispconfig/interface/acme/;
        autoindex off;
        index index.html;
        try_files $uri $uri/ =404;
    }

and replaced the acme-challenge location everywhere in /usr/local/ispconfig/server/conf/nginx_vhost.conf.master by:

Code:
    include /etc/nginx/snippets/acme-challenge.conf;

I also added that line in /etc/nginx/sites-available/default. After disabling acme.vhost, everything still seems to work fine when requesting LE certificates, including for the servername, which is now handled by the default website.
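An offline check for the change described in the post above, as an added example that is not part of the original thread or of ISPConfig's own tooling: it walks every server block in an nginx config dump (a single vhost file or the output of nginx -T) and flags each block listening on port 80 that would not answer /.well-known/acme-challenge/, either because it neither includes the shared snippet nor carries its own location, or because that location is denied or returns 403. The snippet path /etc/nginx/snippets/acme-challenge.conf is taken from the post; the sample vhosts are constructed for illustration and are not ISPConfig's real files.

```python
"""Audit an nginx configuration for HTTP-01 (ACME) readiness on port 80.

Added example: for every server block that listens on port 80, report whether
it will answer requests for /.well-known/acme-challenge/, either by including
the shared snippet or by carrying its own, un-blocked location, so that a
certificate request for that name does not die on a 403 from the plain-HTTP
side.  The parser covers the subset of nginx grammar that vhost files use:
directives end with ';', blocks use '{ }', '#' starts a comment.
"""
import re

# Path of the shared snippet; an assumption taken from the post above.
SNIPPET = "/etc/nginx/snippets/acme-challenge.conf"
ACME_PATH = "/.well-known/acme-challenge"


def tokenize(text):
    """Yield nginx tokens: bare words, quoted strings (unquoted) and { } ;."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments
    for m in re.finditer(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text):
        yield m.group(0).strip("\"'")


def parse(tokens):
    """Turn a token iterator into a list of (name, args, children) entries.
    children is None for a plain directive and a nested list for a block."""
    entries, cur = [], []
    for tok in tokens:
        if tok == ";":
            entries.append((cur[0], cur[1:], None))
            cur = []
        elif tok == "{":
            entries.append((cur[0], cur[1:], parse(tokens)))  # recurse on the same iterator
            cur = []
        elif tok == "}":
            return entries
        else:
            cur.append(tok)
    return entries


def iter_servers(entries):
    """Yield the body of every server block, at top level or inside http { }."""
    for name, _, children in entries:
        if name == "server" and children is not None:
            yield children
        elif name == "http" and children is not None:
            yield from iter_servers(children)


def listen_port(args):
    """Port of a listen directive: 80, *:80, [::]:80, 1.2.3.4:80, 443 ssl ..."""
    addr = args[0]
    if addr.endswith("]") or ":" not in addr:  # bare port, or address without port
        return int(addr) if addr.isdigit() else 80
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else 80


def acme_reachable(server, snippet=SNIPPET):
    """True if the block serves the challenge path (snippet or an open location)."""
    for name, args, children in server:
        if name == "include" and args == [snippet]:
            return True
        if name == "location" and children is not None and args:
            if args[-1].rstrip("/") == ACME_PATH:
                blocked = any(n == "deny" or (n == "return" and a[:1] == ["403"])
                              for n, a, _ in children)
                if not blocked:
                    return True
    return False


def audit(config_text, snippet=SNIPPET):
    """Return [(server_name, reachable)] for each server block on port 80."""
    findings = []
    for server in iter_servers(parse(tokenize(config_text))):
        names = next((a for n, a, _ in server if n == "server_name"), ["_"])
        ports = {listen_port(a) for n, a, _ in server if n == "listen" and a}
        if 80 in ports:
            findings.append((" ".join(names), acme_reachable(server, snippet)))
    return findings


# Constructed sample vhosts (not ISPConfig's real files): one with the snippet,
# one hostname vhost that returns 403 for everything, one HTTPS-only site and
# one whose challenge location is explicitly denied.
SAMPLE_CONFIG = """
server {
    listen 80;
    listen [::]:80;
    server_name web1.example.com;
    root /var/www/web1/web;
    include /etc/nginx/snippets/acme-challenge.conf;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name server1.example.com;
    location / { return 403; }   # locked-down hostname vhost, no ACME path
}
server {
    listen 443 ssl;
    server_name web2.example.com;
    location ^~ /.well-known/acme-challenge/ { root /usr/local/ispconfig/interface/acme/; }
}
server {
    listen *:80;
    server_name web3.example.com;
    location ^~ /.well-known/acme-challenge/ { deny all; }
}
"""

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG):
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Feed it the output of nginx -T to audit a live server. It only proves the config will route the path; the end-to-end check is still to drop a test file under the snippet's root and fetch http://<servername>/.well-known/acme-challenge/<file> over both IPv4 and IPv6, which is what internet.nl's "IPv4 and IPv6 equal websites" test exercises.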
I like this method over the current acme.vhost, at least on nginx. It allows me to enable a vhost that will allow the servername on 443. Like @remkoh, it had me scratching my head for a while trying to work out what was blocking me from viewing anything using https when trying to get the default vhost working with ssl. I don't know if I'll ever actually use a vhost with the servername other than for the ispconfig gui, but it does mean that any attempt to access 443 using the servername will at least display whatever is set for the default vhost, not just a 403 forbidden.
That is basically similar to what I have been doing all this while, and as I said on the other recent thread, I do agree with that.