multi-site SSL certificates

Poliman - Serwis serwis at poliman.pl
Tue Apr 3 08:31:42 EEST 2018


Try adding this to your nginx "vhost" as the first line:
Alias /.well-known/acme-challenge /path/to/acme/.well-known/acme-challenge
ProxyPassMatch ^/\.well-known !

I have this same error with ProxyPass inside an Apache vhost which proxies to a
node application backend. In the letsencrypt logs I have the same thing as you.

2018-04-02 17:38 GMT+02:00 Alex JOST <jost+lists at dimejo.at>:

> On 02.04.2018 at 14:25, Jeff Abrahamson wrote:
>
>> I'm handling mail for several domains, let's call them a.com, b.com,
>> and c.com.  I have certificates for each of these domains individually
>> via certbot (letsencrypt) and nginx is happy with all of that.
>>
>> Since I initially configured the site to handle mail only for a.com,
>> my /etc/postfix/main.cf file currently has these two lines:
>>
>>      smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
>>      smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem
>>
>> But I see that mail test tools are reporting that MX for b.com and
>> c.com are misconfigured due to an SSL name mismatch.  Indeed, this is
>> true!
>>
>> So I believe I should generate a multi-site SSL cert.  I try this:
>>
>>      sudo certbot  certonly  --cert-name postfix  --webroot \
>>        --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
>>        --webroot-path /var/www/b-com -d www.b.com -d b.com \
>>        --webroot-path /var/www/c-com -d www.c.com -d c.com
>>
>> And that fails with a bunch of errors like this:
>>
>>      Domain: www.a.com
>>      Type:   unauthorized
>>      Detail: Invalid response from
>>      http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
>>      "<html>
>>      <head><title>404 Not Found</title></head>
>>      <body bgcolor="white">
>>      <center><h1>404 Not Found</h1></center>
>>      <hr><center>"
>>
>> I see that the file
>>
>>      .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>
>> is being created (and one other file, too) but that nginx reports that
>> the _directory_
>>
>>      .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>
>> doesn't exist.
>>
>> Multi-site + letsencrypt + postfix is a subject that has recently
>> changed quite a bit, so I'm suspecting my web reading is merely
>> leading me astray.  It is also entirely possible I've misunderstood
>> things about SSL certificates.  Any pointers how to generate (or point
>> to) the certificates that I need to make those who contact my postfix
>> instance happy with their SSL conversation?
>>
>> Thanks!
>>
>>
> You can use 1 directory to create certificates for multiple virtual hosts.
> Copy the config below to all the virtual host config you want to use in
> your certificate (or use 'includes').
>
> user at server:~$ cat /etc/nginx/sites-enabled/a-com
>   server {
>     [...]
>
>     location ~ /.well-known {
>       location ~ /.well-known/acme-challenge/(.*) {
>         root        /usr/share/nginx/html;
>         add_header  Content-Type application/jose+json;
>       }
>       allow             all;
>       try_files $uri $uri/ =404;
>     }
>   }
>
>
> After reloading nginx you can create a new certificate by providing only 1
> webroot directory.
>
> user at server:~$ sudo certbot  certonly  --cert-name postfix \
>   --webroot -w /usr/share/nginx/html \
>   -d www.a.com -d a.com -d mail.a.com \
>   -d www.b.com -d b.com \
>   -d www.c.com -d c.com
>
> --
> Alex JOST
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*
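Two checks a practitioner would run around the procedure discussed in this thread, as an added example that is not code from the thread, from certbot or from postfix: before running certbot, confirm that the shared webroot really answers under http://<domain>/.well-known/acme-challenge/ for every name that will go into the certificate (the 404 Jeff saw, caught without spending a real validation attempt), and after installing the certificate in postfix, STARTTLS to each MX and confirm the subjectAltName list covers its hostname, using the RFC 6125 matching that the mail test tools apply. The domains, the webroot path and the sample certificate dict are assumptions; the live checks need network access, the matching logic does not.

```python
"""Pre-flight checks for a shared ACME webroot and a multi-name MX
certificate. Added example, not code from the thread or from certbot;
domains, webroot path and the sample cert below are assumptions."""
import os
import secrets
import smtplib
import ssl
import urllib.request

ACME_PATH = ".well-known/acme-challenge"


def challenge_url(domain, token):
    """HTTP-01 validation URL the CA will fetch for this domain."""
    return "http://%s/%s/%s" % (domain, ACME_PATH, token)


def webroot_probe(webroot, domains, timeout=10):
    """Drop a random token under webroot and fetch it from every domain.

    Returns {domain: bool}. A False is the same 404/mismatch certbot would
    report, but found before issuing a real order. The file is removed
    afterwards so nothing is left in the web tree."""
    token = secrets.token_urlsafe(32)
    probe_dir = os.path.join(webroot, ACME_PATH)
    os.makedirs(probe_dir, exist_ok=True)
    probe_file = os.path.join(probe_dir, token)
    with open(probe_file, "w") as fh:
        fh.write(token)
    results = {}
    try:
        for domain in domains:
            try:
                with urllib.request.urlopen(challenge_url(domain, token),
                                            timeout=timeout) as resp:
                    body = resp.read().decode("ascii", "replace").strip()
                results[domain] = body == token
            except Exception:  # 404, refused, timeout, wrong vhost body
                results[domain] = False
    finally:
        os.remove(probe_file)
    return results


def name_matches(pattern, hostname):
    """RFC 6125 DNS-ID matching: case-insensitive; '*' only as the whole
    left-most label, matching exactly one non-empty label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[2:] or len(plabels) < 3:
        return False
    if len(plabels) != len(hlabels) or not hlabels[0]:
        return False
    return plabels[1:] == hlabels[1:]


def cert_covers(cert, hostname):
    """True if a subjectAltName DNS entry of the getpeercert()-style dict
    matches hostname. The CN is ignored on purpose: verifiers no longer
    fall back to it, which is why a CN-only cert still shows a mismatch."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(p, hostname) for p in sans)


def missing_names(cert, hostnames):
    """Hostnames (e.g. every MX name) the certificate does not cover."""
    return [h for h in hostnames if not cert_covers(cert, h)]


def fetch_mx_cert(mx_host, port=25, timeout=10):
    """STARTTLS to an MX and return the certificate as a getpeercert() dict.

    Chain verification stays on (otherwise getpeercert() returns {}), but
    hostname checking is off so a valid cert for the wrong name is returned
    for inspection instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


# Constructed sample in the shape getpeercert() returns, standing in for the
# single-domain certificate referenced from the original main.cf.
SAMPLE_CERT_A = {
    "subject": ((("commonName", "mail.a.com"),),),
    "subjectAltName": (("DNS", "mail.a.com"), ("DNS", "a.com"), ("DNS", "www.a.com")),
}

if __name__ == "__main__":
    # Offline demo: the a.com-only cert leaves the other two MX names uncovered.
    print(missing_names(SAMPLE_CERT_A, ["mail.a.com", "mail.b.com", "mail.c.com"]))
```

Run `webroot_probe("/usr/share/nginx/html", ["www.a.com", "a.com", "mail.a.com", "www.b.com", "b.com", "www.c.com", "c.com"])` from the server itself (the request still goes out to the public name, so it exercises the same vhost the CA will hit); any False means the shared location or Alias is not in effect for that vhost. After the new certificate is in main.cf and postfix has been reloaded, `missing_names(fetch_mx_cert("mail.a.com"), ["mail.a.com"])` should be empty for each MX. Note that `fetch_mx_cert` still raises on a self-signed or untrusted chain, since Python only fills in the certificate dict when the chain verifies.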