Beneth :: Blog - Tag - Letsencrypt - Comments (2023-08-31T15:23:27+02:00)

Nginx & Letsencrypt: HTTPS for all - comment by beneth, 2016-11-04T09:32:21+01:00

<p>@<a href="https://blog.beneth.fr/post/2016/10/01/Nginx-Letsencrypt-HTTPS-for-all#c184" rel="ugc nofollow">michael</a>: Hi Michael, and thanks.</p>
<p>You must keep the Nginx ACME challenge virtualhost for the renewal process.<br />
But there is no security issue here, because:</p>
<p>1 - Your certificate key is never sent to or received from the ACME server (only a CSR is sent, and only the certificate signature is returned).<br />
2 - Everything is cleaned up after the certbot run (you have no file left in /var/www/letsencrypt/.well-known/).<br />
3 - We return 404 with:</p>
<pre>location = /.well-known/acme-challenge/ {
    return 404;
}</pre>

Nginx & Letsencrypt: HTTPS for all - comment by michael, 2016-11-03T19:14:55+01:00

<p>Thanks for your article, well written and very helpful!<br />
I have one question:<br />
Now that your nginx is set up and configured, should we keep the nginx rule that allows the ACME challenge?</p>
<pre>location ^~ /.well-known/acme-challenge/ {
    # Set correct content type.
    default_type "text/plain";
    root /var/www/letsencrypt;
}</pre>
<p>Is it necessary for certificate renewal?<br />
If the answer is yes, what if someone finds the key sent by the ACME servers?<br />
Any files in /var/www/letsencrypt are now accessible, isn't that a problem?</p>
<p>Thanks again,<br />
michael.</p>
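<p>Worked example for the exchange above (michael's question about what an attacker could find in the challenge directory, and beneth's points 2 and 3). This is an added example, not code from the blog post or from certbot. It reproduces what an HTTP-01 webroot client writes into <code>/.well-known/acme-challenge/</code>: the key authorization from RFC 8555 section 8.1, which is the CA-chosen token joined with the RFC 7638 thumbprint of the ACME <em>account</em> public key, computed with the standard library only. It then models the two nginx location blocks from the thread, serves the file once, and cleans up. The account JWK is a constructed placeholder (its modulus is dummy bytes, not a real key) and the webroot is a temporary directory; <code>serve_challenge</code> is a model of the nginx rules, not nginx itself.</p>

```python
"""HTTP-01 challenge file, end to end: what a webroot-mode ACME client
writes, what the web server hands back, and what is left afterwards.

Added example, not code from the blog or from certbot. Implements the
key authorization of RFC 8555 s8.1 and the JWK thumbprint of RFC 7638.
"""
import base64
import hashlib
import json
import os
import re
import tempfile

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # RFC 8555: token is base64url


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed placeholder account key: dummy modulus, dummy private exponent.
# Only the public members ever reach the webroot (see jwk_thumbprint).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 129))),
    "d": b64url(b"private-exponent-placeholder"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required *public* members,
    serialized as JSON with sorted keys and no whitespace. Private members
    such as "d" are never part of the input."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact bytes the CA expects to read back over plain HTTP."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def write_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Place the challenge file the way a webroot-mode client does."""
    if not TOKEN_RE.fullmatch(token):
        # A token containing "/" or ".." would let a CA-supplied value
        # steer the write outside the challenge directory.
        raise ValueError("token is not base64url")
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def serve_challenge(webroot: str, request_path: str) -> tuple:
    """Model of the two nginx blocks in the thread: the exact-match block
    answers 404 for the bare directory; the ^~ block serves token files
    from the webroot as text/plain. Returns (status, body)."""
    prefix = "/.well-known/acme-challenge/"
    if not request_path.startswith(prefix) or request_path == prefix:
        return 404, ""
    name = request_path[len(prefix):]
    if not TOKEN_RE.fullmatch(name):  # also refuses "../" style requests
        return 404, ""
    path = os.path.join(webroot, CHALLENGE_DIR, name)
    if not os.path.isfile(path):
        return 404, ""
    with open(path, encoding="ascii") as fh:
        return 200, fh.read()


def cleanup(path: str) -> list:
    """Remove the challenge file; return what is left in its directory."""
    os.remove(path)
    return os.listdir(os.path.dirname(path))


def demo() -> dict:
    """Run one challenge lifecycle in a temporary webroot and report."""
    token = b64url(os.urandom(32))  # the CA picks this at random
    with tempfile.TemporaryDirectory() as webroot:
        path = write_challenge(webroot, token, ACCOUNT_JWK)
        status, body = serve_challenge(webroot, "/.well-known/acme-challenge/" + token)
        dir_status, _ = serve_challenge(webroot, "/.well-known/acme-challenge/")
        leftover = cleanup(path)
    return {"token": token, "url": challenge_url("example.com", token),
            "status": status, "body": body, "dir_status": dir_status,
            "leftover": leftover, "expected": key_authorization(token, ACCOUNT_JWK)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

<p>Running it shows the whole content of the only file that ever lands under the webroot: a random token plus a 43-character SHA-256 thumbprint of the account public key. Neither the certificate private key nor the account private key is involved, which is why a directory listing of <code>/var/www/letsencrypt</code> would not leak anything worth having. The exact-match <code>return 404</code> block only stops the bare directory URL from being answered; the <code>^~</code> block still has to exist at every renewal, because the CA fetches <code>challenge_url()</code> over HTTP each time, and the file is gone again once <code>cleanup()</code> has run.</p>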