
Letsencrypt Renewal + Nginx + owncloud config = failed because of regular expression


I am running an owncloud server with nginx on Debian 8. I use an SSL certificate for that domain from letsencrypt.

Now I want to use an auto-renewal script, to run periodically and renew my certs. This works with all domains, except the owncloud one.

Actually there is one location block in the nginx owncloud config that prevents letsencrypt from entering the subfolder domain.org/.well-known/acme-challenge:

location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
  deny all;
}

By god, I am no expert in regular expressions and have no clue how to solve this (and what this expression actually means).

Below that block I included a location block for the letsencrypt renewal:

# Letsencrypt auto-renewal
location '/.well-known/acme-challenge' {
    default_type text/plain;
    root /var/www/;
    try_files $uri /$1;
}

I think I tried something like:

location ~ ^/(?:\.(?!well-known/acme-challenge)|autotest|occ|issue|indie|db_|console) {
  deny all;
}

...not knowing if this would affect the expression.

The only way for me is to comment out the "deny all". And it works. Actually I have in mind to extend the renewal script to stop the server, change the owncloud conf, restart the server again, fetch the new certs, stop the server again, change the owncloud conf back and restart the server...

But maybe it's more simple. And I may learn something more about regex...

Does anyone have a tip for me?


Solution

  • The location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) denies access to any URI beginning with /., such as /.well-known.

    Firstly, do you have any files and directories in the root which begin with a period (other than /.well-known)?


    One option is to make the regex more specific, for example:

    location ~ ^/(?:\.ht|autotest|occ|issue|indie|db_|console)
    

    would deny access to any URI beginning with /.ht.


    Another option is to make location '/.well-known/acme-challenge' take precedence by adding the ^~ modifier. See this document.

    location ^~ /.well-known/acme-challenge
    

    This would make the location take precedence over all regex locations. So if the location contained .php files, they may cease to work.


    A final option would be to turn it into a regex location:

    location ~ ^/\.well-known/acme-challenge
    

    In which case it would have equal precedence and you could order it above the deny location.
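To see why the deny block wins in the original config and how each of the three fixes above changes the outcome, here is an added example (not code from the question, the answer, or nginx itself) that models nginx's location selection in Python: exact `=` matches win outright, the longest matching prefix is remembered, a `^~` prefix skips the regex phase, otherwise regex locations are tried in configuration order and the first match wins. The `php` location and the `/` root prefix are assumed additions typical of an owncloud vhost; the deny regex and the acme-challenge locations are the ones from the page.

```python
import re

# Model of nginx location selection (assumed simplification of the
# documented algorithm; good enough to reason about the cases on this page):
#  1. an exact "=" match is used immediately
#  2. the longest matching prefix location is remembered; if it carries "^~",
#     regex locations are not consulted at all
#  3. "~" / "~*" regex locations are tested in config order, first match wins
#  4. otherwise the remembered prefix location is used
def select_location(locations, uri):
    """Return the name of the block nginx would pick for `uri`.
    `locations` is a list of (modifier, pattern, name) in config order."""
    best_prefix = None
    for mod, pat, name in locations:
        if mod == "=" and uri == pat:
            return name
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = (mod, pat, name)
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix[2]          # "^~" short-circuits the regex phase
    for mod, pat, name in locations:
        if mod == "~" and re.search(pat, uri):
            return name
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return name
    return best_prefix[2] if best_prefix else None


DENY_RE = r"^/(?:\.|autotest|occ|issue|indie|db_|console)"   # from the question
PHP_RE = r"\.php$"                                          # assumed owncloud php handler

# The asker's configuration: deny regex declared before the acme prefix block.
ORIGINAL = [
    ("", "/", "root"),
    ("~", DENY_RE, "deny"),
    ("", "/.well-known/acme-challenge", "acme"),
    ("~", PHP_RE, "php"),
]

# Option 1: narrow the regex so only /.ht* dotfiles are denied.
OPTION_SPECIFIC_REGEX = [
    ("", "/", "root"),
    ("~", r"^/(?:\.ht|autotest|occ|issue|indie|db_|console)", "deny"),
    ("", "/.well-known/acme-challenge", "acme"),
    ("~", PHP_RE, "php"),
]

# Option 2: give the prefix location "^~" so regex locations are skipped.
OPTION_PREFIX_PRIORITY = [
    ("", "/", "root"),
    ("~", DENY_RE, "deny"),
    ("^~", "/.well-known/acme-challenge", "acme"),
    ("~", PHP_RE, "php"),
]

# Option 3: make the acme location a regex and order it above the deny block.
OPTION_REGEX_ORDERED = [
    ("", "/", "root"),
    ("~", r"^/\.well-known/acme-challenge", "acme"),
    ("~", DENY_RE, "deny"),
    ("~", PHP_RE, "php"),
]

if __name__ == "__main__":
    token = "/.well-known/acme-challenge/abc123"   # constructed sample challenge URI
    for label, cfg in [("original", ORIGINAL),
                       ("specific regex", OPTION_SPECIFIC_REGEX),
                       ("^~ prefix", OPTION_PREFIX_PRIORITY),
                       ("regex ordered first", OPTION_REGEX_ORDERED)]:
        print(f"{label:20s} {token} -> {select_location(cfg, token)}")
    # The caveat from the answer: with "^~", a .php file under the acme path
    # no longer reaches the php handler.
    print("^~ prefix, x.php ->", select_location(OPTION_PREFIX_PRIORITY, token + "/x.php"))
```

Running it shows the original config routing the challenge URI to `deny`, all three options routing it to `acme`, and, for the `^~` variant, a `.php` file under the challenge path also landing in `acme` rather than the php handler, which is the trade-off the answer points out. The narrowed regex still denies `/.htaccess`, so the hardening the original block was meant to provide is not lost.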