I am running an owncloud-server with nginx on Debian 8. I use an SSL certificate for that domain from letsencrypt.
Now I want to use an auto-renewal script to run periodically and renew my certs. This works with all domains, except the owncloud.
Actually there is one location block in the nginx-owncloud-config that prevents letsencrypt from entering the subfolder domain.org/.well-known/acme-challenge:
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
By god, I am no expert in regular expressions and have no clue how to solve this (and what this expression actually means).
Below that block I included a location block for the letsencrypt renewal:
# Letsencrypt auto-renewal
location '/.well-known/acme-challenge' {
default_type text/plain;
root /var/www/;
try_files $uri /$1;
}
I think I tried something like:
location ~ ^/(?:\.(?!well-known/acme-challenge)|autotest|occ|issue|indie|db_|console) {
deny all;
}
...not knowing if this would affect the expression.
The only way for me is to comment out the "deny all". And it works. Actually I have in mind to extend the renewal script to stop the server, change the owncloud-conf, restart the server again, fetch the new certs, stop the server again, change the owncloud-conf back and restart the server...
But maybe it's more simple. And I may learn something more about regex...
Does anyone have a tip for me?
The location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) denies access to any URI beginning with "/.", such as /.well-known.
Firstly, do you have any files and directories in the root which begin with a period (other than /.well-known)?
One option is to make the regex more specific, for example:
location ~ ^/(?:\.ht|autotest|occ|issue|indie|db_|console)
would deny access to any URI beginning with /.ht.
Another option is to make location '/.well-known/acme-challenge' take precedence by adding the ^~ modifier. See this document.
location ^~ /.well-known/acme-challenge
This would make the location take precedence over all regex locations. So if the location contained .php files, they may cease to work.
A final option would be to turn it into a regex location:
location ~ ^/\.well-known/acme-challenge
In which case it would have equal precedence and you could order it above the deny location.
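
The selection rules behind these options, as an added example that is not part of the original posts: a simplified Python model of how nginx picks a location (exact match, longest prefix, ^~, then regexes in config order), run against the configurations discussed above. The select() helper, the labels "deny"/"acme" and the sample URIs are constructed for illustration; nested locations and ~* are not modelled.

```python
import re

def select(locations, uri):
    """Simplified model of nginx location selection; returns the chosen label."""
    best = None  # longest matching prefix location seen so far
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    if best and best[0] == "^~":
        return best[2]            # ^~ skips the regex phase entirely
    for mod, pat, label in locations:
        if mod == "~" and re.search(pat, uri):
            return label          # first matching regex in config order wins
    return best[2] if best else None  # None: no modelled location matched

ACME = "/.well-known/acme-challenge"
DENY = r"^/(?:\.|autotest|occ|issue|indie|db_|console)"
DENY_HT = r"^/(?:\.ht|autotest|occ|issue|indie|db_|console)"
# The negative-lookahead variant from the question.
DENY_LOOKAHEAD = r"^/(?:\.(?!well-known/acme-challenge)|autotest|occ|issue|indie|db_|console)"

CONFIGS = {
    "original":        [("~", DENY, "deny"), ("", ACME, "acme")],
    "narrowed_regex":  [("~", DENY_HT, "deny"), ("", ACME, "acme")],
    "prefix_priority": [("~", DENY, "deny"), ("^~", ACME, "acme")],
    "regex_first":     [("~", r"^/\.well-known/acme-challenge", "acme"),
                        ("~", DENY, "deny")],
    "lookahead":       [("~", DENY_LOOKAHEAD, "deny"), ("", ACME, "acme")],
}

# Constructed sample requests: a challenge fetch, two dotfiles, a normal page.
URIS = [ACME + "/constructed-token", "/.htaccess", "/.git/config", "/index.php"]

def results():
    return {name: {u: select(locs, u) for u in URIS}
            for name, locs in CONFIGS.items()}

if __name__ == "__main__":
    for name, row in results().items():
        print(f"{name:16}", row)
```

In this model only the narrowed /.ht regex stops denying other dotfiles such as /.git/config; the ^~, regex-ordering and lookahead variants open the challenge path while keeping the broad dotfile deny in place.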