When manually obtaining or renewing a certificate for a domain on a server running Nginx, a 403 Forbidden error may occur when the verification file is requested:
Make sure your web server displays the following content at
http://site.com/.well-known/acme-challenge/xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8 before continuing:

xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8.wDLw7SyOVXqZ6Ky635Vc9rgUXobw2uLFgM5S9AukTrk

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8.wDLw7SyOVXqZ6Ky635Vc9rgUXobw2uLFgM5S9AukTrk > .well-known/acme-challenge/xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
-------------------------------------------------------------------------------
Press Enter to Continue

Waiting for verification...
Cleaning up challenges
Failed authorization procedure. site.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://site.com/.well-known/acme-challenge/xOtn064NspTWyHkbp6EOM140COWK82PW3v7sOf87kM8: "<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>"
In this case, add the following location to the Nginx server block for the domain. The ^~ modifier makes this prefix location take precedence over regular-expression locations, so a rule such as location ~ /\. { deny all; } (commonly used to hide dotfiles, and the usual source of this 403) is no longer applied to the challenge directory:
location ^~ /.well-known/acme-challenge/ {
    # "^~": matched before any regex location, so dotfile deny rules do not apply here
    allow all;
    default_type "text/plain";
}
After checking the configuration (nginx -t) and restarting Nginx (/etc/init.d/nginx restart; a reload is also sufficient), the verification file is served and the access error no longer occurs. Note that the file must be placed under the root that Nginx actually serves for this domain; the /tmp/certbot/public_html path in the output above is only meant for the stand-alone Python server suggested by certbot, not for Nginx.
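For context, here is a complete server block showing where the challenge location sits relative to a typical dotfile deny rule that would otherwise produce the 403. This is an added example, not configuration from the original post; the document root /var/www/site.com and the separate challenge root /var/www/letsencrypt are assumed paths.

```nginx
server {
    listen 80;
    server_name site.com www.site.com;
    root /var/www/site.com;            # assumed document root for the site

    # Let's Encrypt http-01 challenge files. "^~" makes this prefix location
    # win over the regex locations below, so the dotfile rule cannot answer
    # 403 for /.well-known/acme-challenge/<token>.
    location ^~ /.well-known/acme-challenge/ {
        # Challenge files are written here (assumed path), i.e. the token ends
        # up at /var/www/letsencrypt/.well-known/acme-challenge/<token>.
        root /var/www/letsencrypt;
        default_type "text/plain";
        allow all;
        try_files $uri =404;           # unknown token -> 404, never a listing
    }

    # Hide every other dotfile or dot-directory (.git, .htaccess, .env, ...).
    # Without the "^~" location above, this regex would also match the
    # challenge path and return exactly the 403 seen in the certbot output.
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Before re-running certbot, verify the path end to end: nginx -t, reload Nginx, then create a throwaway file with echo ok > /var/www/letsencrypt/.well-known/acme-challenge/test and request curl -i http://site.com/.well-known/acme-challenge/test. Expect HTTP 200 with body "ok" and Content-Type text/plain; a 403 means a deny rule still matches first, a 404 means the root directive points at the wrong directory. Remove the test file afterwards. With a webroot like this in place, certbot certonly --webroot -w /var/www/letsencrypt -d site.com writes and removes the challenge file itself, so the manual plugin and the Python one-liner from the output above are no longer needed.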