acme.sh cannot renew the nginx server certificate

If you redirect port 80 to 443 in nginx.conf with a 301 return code, the acme.sh certificate renewal fails with:

Cannot find config file for domain cloudzhong.top

can not find the config file for domain

I have already solved this issue in another post.

But that solution has a problem: I need to change the nginx config file manually each time, so it cannot renew the certificate automatically, and this is not acceptable. So I found another way to solve this; here is the new solution:

Do not use a 301 return code; use an HTML page to do the redirect.

For the nginx port 80 block, add:

server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  unki.net;
    root         /usr/share/nginx/html;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ^~ /wordpress/ {
        return 403;
    }
}

server_name needs to be changed to your domain name, and the root directive may also be needed.

The wordpress folder is forbidden by returning 403.

Then remove the redirect line below from the port 80 block:

return 301 https://$host$request_uri; 

This redirect is the reason that acme.sh failed.

Add an index.html under the root folder.

Here is its content:

<!DOCTYPE html>
<html>
<head>
        <meta http-equiv="refresh" content="0;url=https://cloudzhong.top">
        <title>Redirecting...</title>
</head>
<body>
    <p>If this page does not redirect, please click <a href="https://cloudzhong.top">here</a>.</p>
</body>
</html>

This HTML redirects automatically, which works the same as return 301 when the domain name is accessed over http.

Then I can successfully renew the certificate automatically.

Also run the following command:

acme.sh --install-cert -d cloudzhong.top \
--key-file       /etc/ssl/certs/cloudzhong.top.key  \
--fullchain-file /etc/ssl/certs/fullchain.cer \
--reloadcmd     "systemctl restart nginx"

This installs the certificate into the corresponding folder, so the program does not have to use the default user folder.

The reloadcmd here is important: after the certificate is renewed, reloadcmd is executed, so the corresponding program picks up the new certificate. Thus all the services keep working normally.

Each time the cron job runs, if the certificate can be renewed, it automatically installs the newly generated certificate into the corresponding folder and runs reloadcmd, so this is perfect.
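To confirm that the port 80 change above actually works before relying on the cron job, here is an added preflight script (not from the original post and not part of acme.sh) that drops a throwaway token under the webroot's .well-known/acme-challenge/ path and fetches it over plain HTTP, reporting a 301 as a failure; the domain, the webroot path and the presence of curl are assumptions.

```shell
#!/bin/sh
# Preflight for acme.sh webroot renewals: the HTTP-01 token must be served
# over plain HTTP with a 200, not answered with a 301 to HTTPS.

# classify_probe STATUS BODY EXPECTED -> prints a verdict; returns 0 only on "ok"
classify_probe() {
    status=$1; body=$2; expected=$3
    case "$status" in
        301|302|307|308)
            echo "redirect: port 80 still redirects ($status); acme.sh will not find the token"
            return 1 ;;
        200)
            if [ "$body" = "$expected" ]; then
                echo "ok"; return 0
            fi
            echo "mismatch: HTTP 200 but body is not the token (wrong root directive?)"
            return 1 ;;
        *)
            echo "error: HTTP $status"
            return 1 ;;
    esac
}

# probe_challenge DOMAIN WEBROOT: writes a temporary token file into the
# challenge directory, fetches it from the outside, then cleans up.
probe_challenge() {
    domain=$1; webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$(date +%s)-$$"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
    # No -L, so a 301 is reported as such instead of being followed.
    status=$(curl -s -o "/tmp/probe.$$" -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")
    body=$(cat "/tmp/probe.$$" 2>/dev/null)
    rm -f "/tmp/probe.$$" "$dir/$token"
    classify_probe "$status" "$body" "$token"
}

# Example invocation (assumed values): probe_challenge cloudzhong.top /usr/share/nginx/html
```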
