При ручном получении / продлении сертификата для домена на сервере с Ngnix может возникнуть ошибка 403 Forbidden при обращении к проверочному файлу:
Make sure your web server displays the following content at
http://site.com/.well-known/acme-challenge/xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8 before continuing:
xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8.wDLw7SyOVXqZ6Ky635Vc9rgUXobw2uLFgM5S9AukTrk
If you don't have HTTP server configured, you can run the following
command on the target server (as root):
mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s"xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8.wDLw7SyOVXqZ6Ky635Vc9rgUXobw2uLFgM5S9AukTrk > .well-known/acme-challenge/xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. bulkin.me (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://site.com/.well-known/acme-challenge/xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8: "<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>"
В этом случае в конфиге Nginx необходимо прописать следующий location:
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
}
После перезапуска Nginx (/etc/init.d/nginx restart) ошибки доступа к проверочному файлу уже не будет.