DaemonForums  

#1
21st June 2022
pseudostem
Port Guard
Join Date: Jun 2021
Posts: 37
nginx configuration issues

Hello,

I have not used nginx in a very long time. I had to set up a quick and dirty email server. I used iredmail.org for the setup.

OpenBSD 7.1 AMD64

Everything works fine. However, I have to set up ssl certs for web access (not for email) because some of my users' browsers do not simply allow them to proceed to webmail with self signed certificates. I am done trying to troubleshoot this over the phone. In short - letsencrypt required.

I did not use acme-client and /etc/acme.conf because there were some readymade step by step directions (sigh). So I ended up using certbot from packages.

Code:
$doas certbot certonly --webroot --dry-run -w /opt/www/ -d mail.mydomain.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mail.mydomain.com
Type: unauthorized
Detail: My.IP.V4.Add: Invalid response from https://mail.mydomain.com/.well-know...WDdv-QWCctwug: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

Where do I start looking?
#2
21st June 2022
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

I have never used certbot. I have used the OpenBSD native acme-client with the native httpd server.

But OpenBSD developer Solene has a nginx configuration file for acme. See https://dataswamp.org/~solene/2019-0...ginx-acme.html
Maybe that helps
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
21st June 2022
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

An "official Nginx document" describes how to use certbot: https://www.nginx.com/blog/using-fre...pt-with-nginx/

Did you check the package readme of the OpenBSD certbot package for any clues? See /usr/local/share/doc/pkg-readmes
#4
22nd June 2022
pseudostem
Port Guard
Join Date: Jun 2021
Posts: 37

Thank you!
Quote:
Originally Posted by J65nko
An "official Nginx document" describes how to use certbot: https://www.nginx.com/blog/using-fre...pt-with-nginx/
As stated in the link:
$doas certbot --nginx requires the nginx plugin for certbot, which is not installed on OpenBSD.

Quote:
Originally Posted by J65nko
Did you check the package readme of the OpenBSD certbot package for any clues? See /usr/local/share/doc/pkg-readmes
No pkg-readmes for certbot, unfortunately.

Quote:
Originally Posted by J65nko
But OpenBSD developer Solene has a nginx configuration file for acme. See https://dataswamp.org/~solene/2019-0...ginx-acme.html
Maybe that helps
It definitely does help. Unfortunately I think my problem is with URL rewrite and that because of URL rewrites I am unable to serve .well-known from my domain. And I do not understand what's happening there.

Not OpenBSD specific, but I'll post my nginx.conf hoping for a heads up.
#5
22nd June 2022
pseudostem
Port Guard
Join Date: Jun 2021
Posts: 37

Whenever I go to ns1.mydomain.com or to mail.mydomain.com the webpage redirects to https://{ns1|mail}.mydomain.com/mail/
Hence I believe this to be more of an nginx-related problem than a certbot one. I do not know how to serve a particular folder using nginx.

relevant bits of my config files:

$cat /etc/nginx/nginx.conf
http {
    include /etc/nginx/conf-enabled/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}

$cat /etc/nginx/sites-available/00-default-ssl.conf (00-default.conf redirects to https)
listen 443 ssl http2;
server_name _;
root /var/www/htdocs;
include /etc/nginx/templates/misc.tmpl;
include /etc/nginx/templates/ssl.tmpl;
include /etc/nginx/templates/iredadmin.tmpl;
include /etc/nginx/templates/roundcube.tmpl;
include /etc/nginx/templates/sogo.tmpl;
include /etc/nginx/templates/netdata.tmpl;
include /etc/nginx/templates/php-catchall.tmpl;
include /etc/nginx/templates/stub_status.tmpl;

$cat /etc/nginx/templates/misc.tmpl
location ~ ^/.well-known/ {
    allow all;
    access_log off;
    log_not_found off;
    autoindex off;
    #root /var/www/html;
}
location ~ /\. { deny all; }

$cat /etc/nginx/templates/roundcube.tmpl
location = /mail {
    return 301 /mail/;
}

location ~ ^/mail/(.*\.php)$ {
    include /etc/nginx/templates/hsts.tmpl;
    include /etc/nginx/templates/fastcgi_php.tmpl;
    fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail/$1;
}

location ~ ^/mail/(.*) {
    alias /opt/www/roundcubemail/$1;
    index index.php;
}
#6
22nd June 2022
pseudostem
Port Guard
Join Date: Jun 2021
Posts: 37

Done! Thank you J65nko.

For some strange reason nginx is not chrooted to /var/www on my system and that is what made me go all over the place. Your reply and Solene's post helped. Instead of /acme in nginx.conf, it had to be /var/www/acme (because no chroot)
Reply With Quote
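
Added example, not part of the thread and not the poster's actual configuration: one way to serve the ACME challenge directory from a non-chrooted nginx, as the last post describes. The `/var/www/acme` path comes from that post; the port-80 server block, the `^~` modifier, and the use of `certbot --webroot -w /var/www/acme` are assumptions.

```nginx
# Illustration only: server_name and the port-80 layout are assumed.
server {
    listen 80;
    server_name mail.mydomain.com;

    # "^~" makes this prefix match final: nginx skips regex locations,
    # so neither "location ~ ^/.well-known/" nor the catch-all
    # "location ~ /\. { deny all; }" from misc.tmpl can take over
    # challenge requests.
    location ^~ /.well-known/acme-challenge/ {
        # nginx is NOT chrooted on this host, so the path is the full
        # filesystem path. Under a /var/www chroot the same directory
        # would be written as "/acme".
        #
        # With "root", the URI is appended to the path, so the file is read from
        #   /var/www/acme/.well-known/acme-challenge/<token>
        # which is where "certbot certonly --webroot -w /var/www/acme"
        # writes it.
        root /var/www/acme;

        # If the client writes tokens directly into /var/www/acme
        # (as acme-client does with its challengedir), replace the
        # "root" line with:
        #   alias /var/www/acme/;

        default_type text/plain;
        autoindex off;
    }

    # Everything else still goes to HTTPS, after the challenge location
    # has had its chance to match.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Keeping the challenge directory separate from the application roots (`/var/www/htdocs`, `/opt/www/roundcubemail`) means the ACME client only needs write access to a directory that serves nothing but tokens.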