<div dir="ltr"><div>Try adding this to your nginx "vhost" as the first line:<br>Alias /.well-known/acme-challenge /path/to/acme/.well-known/acme-challenge<br>ProxyPassMatch ^/\.well-known !<br><br></div>I have this same error with ProxyPass inside an Apache vhost which is proxying to a Node application backend. In the letsencrypt logs I have the same as you.<br></div><div class="gmail_extra"><br><div class="gmail_quote">2018-04-02 17:38 GMT+02:00 Alex JOST <span dir="ltr"><<a href="mailto:jost+lists@dimejo.at" target="_blank">jost+lists@dimejo.at</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 02.04.2018 at 14:25, Jeff Abrahamson wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm handling mail for several domains, let's call them <a href="http://a.com" rel="noreferrer" target="_blank">a.com</a>, <a href="http://b.com" rel="noreferrer" target="_blank">b.com</a>,<br>
and <a href="http://c.com" rel="noreferrer" target="_blank">c.com</a>. I have certificates for each of these domains individually<br>
via certbot (letsencrypt) and nginx is happy with all of that.<br>
<br>
Since I initially configured the site to handle mail only for <a href="http://a.com" rel="noreferrer" target="_blank">a.com</a>,<br>
my /etc/postfix/<a href="http://main.cf" rel="noreferrer" target="_blank">main.cf</a> file currently has these two lines:<br>
<br>
smtpd_tls_cert_file = /etc/letsencrypt/live/<a href="http://mail.a.com/fullchain.pem" rel="noreferrer" target="_blank">mail.a.com/fullchain.pem</a><br>
smtpd_tls_key_file = /etc/letsencrypt/live/<a href="http://mail.a.com/privkey.pem" rel="noreferrer" target="_blank">mail.a.com/privkey.pem</a><br>
<br>
But I see that mail test tools are reporting that MX for <a href="http://b.com" rel="noreferrer" target="_blank">b.com</a> and<br>
<a href="http://c.com" rel="noreferrer" target="_blank">c.com</a> are misconfigured due to an SSL name mismatch. Indeed, this is<br>
true!<br>
<br>
So I believe I should generate a multi-site SSL cert. I try this:<br>
<br>
sudo certbot certonly --cert-name postfix --webroot \<br>
--webroot-path /var/www/a-com -d <a href="http://www.a.com" rel="noreferrer" target="_blank">www.a.com</a> -d <a href="http://a.com" rel="noreferrer" target="_blank">a.com</a> -d <a href="http://mail.a.com" rel="noreferrer" target="_blank">mail.a.com</a> \<br>
--webroot-path /var/www/b-com -d <a href="http://www.b.com" rel="noreferrer" target="_blank">www.b.com</a> -d <a href="http://b.com" rel="noreferrer" target="_blank">b.com</a> \<br>
--webroot-path /var/www/c-com -d <a href="http://www.c.com" rel="noreferrer" target="_blank">www.c.com</a> -d <a href="http://c.com" rel="noreferrer" target="_blank">c.com</a><br>
<br>
And that fails with a bunch of errors like this:<br>
<br>
Domain: <a href="http://www.a.com" rel="noreferrer" target="_blank">www.a.com</a><br>
Type: unauthorized<br>
Detail: Invalid response from<br>
<a href="http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg" rel="noreferrer" target="_blank">http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg</a>:<br>
"<html><br>
<head><title>404 Not Found</title></head><br>
<body bgcolor="white"><br>
<center><h1>404 Not Found</h1></center><br>
<hr><center>"<br>
<br>
I see that the file<br>
<br>
.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg<br>
<br>
is being created (and one other file, too) but that nginx reports that<br>
the _directory_<br>
<br>
.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg<br>
<br>
doesn't exist.<br>
<br>
Multi-site + letsencrypt + postfix is a subject that has recently<br>
changed quite a bit, so I'm suspecting my web reading is merely<br>
leading me astray. It is also entirely possible I've misunderstood<br>
things about SSL certificates. Any pointers on how to generate (or point<br>
to) the certificates that I need to make those who contact my postfix<br>
instance happy with their SSL conversation?<br>
<br>
Thanks!<br>
<br>
</blockquote>
<br></div></div>
You can use 1 directory to create certificates for multiple virtual hosts. Copy the config below to all the virtual host configs you want to use in your certificate (or use 'includes').<br>
<br>
user@server:~$ cat /etc/nginx/sites-enabled/a-com<br>
server {<br>
[...]<br>
<br>
location ~ /.well-known {<br>
# ACME HTTP-01 challenge files for every vhost are served from one shared root<br>
location ~ /.well-known/acme-challenge/(.*) {<br>
root /usr/share/nginx/html;<br>
add_header Content-Type application/jose+json;<br>
}<br>
allow all;<br>
try_files $uri $uri/ =404;<br>
}<br>
}<br>
<br>
<br>
After reloading nginx you can create a new certificate by providing only 1 webroot directory.<br>
<br>
user@server:~$ sudo certbot certonly --cert-name postfix \<br>
--webroot -w /usr/share/nginx/html \<span class=""><br>
-d <a href="http://www.a.com" rel="noreferrer" target="_blank">www.a.com</a> -d <a href="http://a.com" rel="noreferrer" target="_blank">a.com</a> -d <a href="http://mail.a.com" rel="noreferrer" target="_blank">mail.a.com</a> \<br></span>
-d <a href="http://www.b.com" rel="noreferrer" target="_blank">www.b.com</a> -d <a href="http://b.com" rel="noreferrer" target="_blank">b.com</a> \<br>
-d <a href="http://www.c.com" rel="noreferrer" target="_blank">www.c.com</a> -d <a href="http://c.com" rel="noreferrer" target="_blank">c.com</a><span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Alex JOST<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span style="color:rgb(153,153,153)"><i>Pozdrawiam / Best Regards<br>Piotr Bracha</i></span></div></div></div>
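The name mismatch Jeff's mail test tools report comes from the single-name certificate in main.cf not covering the MX names of b.com and c.com. The script below is an added example, not part of this thread: it opens an SMTP session to each MX, upgrades with STARTTLS, and lists which expected names are missing from the certificate's DNS SANs. The hosts mail.a.com and mail.b.com are placeholders taken from the thread.

```python
# Added example: verify a mail server's STARTTLS certificate covers its MX names.
# Host names below are placeholders from the thread; substitute your own.
import smtplib
import ssl


def name_matches(san_name, wanted):
    """Exact match, or a single-label wildcard such as '*.b.com'."""
    san_name, wanted = san_name.lower(), wanted.lower()
    if san_name == wanted:
        return True
    if san_name.startswith("*.") and "*" not in san_name[2:]:
        head, sep, rest = wanted.partition(".")
        # '*.b.com' covers 'mail.b.com' but not 'b.com' or 'x.mail.b.com'
        return sep == "." and head != "" and rest == san_name[2:]
    return False


def uncovered_names(san_entries, wanted_names):
    """Return wanted names that no DNS SAN entry covers; san_entries is the
    'subjectAltName' tuple from getpeercert(), e.g.
    (('DNS', 'mail.a.com'), ('DNS', 'a.com'))."""
    dns_names = [value for kind, value in san_entries if kind == "DNS"]
    return [w for w in wanted_names
            if not any(name_matches(s, w) for s in dns_names)]


def fetch_starttls_cert(mx_host, port=25):
    """Connect, STARTTLS, and return the parsed peer certificate. The chain
    is still verified (CERT_REQUIRED); only hostname checking is off, so a
    mismatched certificate is returned for inspection instead of aborting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with smtplib.SMTP(mx_host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    # Placeholder MX hosts and the names each one must present.
    checks = {"mail.a.com": ["mail.a.com"], "mail.b.com": ["mail.b.com"]}
    for host, expected in checks.items():
        cert = fetch_starttls_cert(host)
        missing = uncovered_names(cert.get("subjectAltName", ()), expected)
        print(host, "OK" if not missing else f"missing SAN: {missing}")
```

Once the multi-domain certificate from Alex's certbot command is installed in main.cf and postfix is reloaded, every host should print OK.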
</div>