Elixir Phoenix production server has issue with Letsencrypt renewal

Question

I have a site built with Elixir Phoenix frame work. The website runs fine in both dev and prod mode.

When the phoenix server is running in dev mode, I have no issue renewingLet's Encrypt certificate, but when the exact same app is running in prod mode, I keep getting permission error when trying to renew. Please noted that I am talking about the exact same app, on the same FreeBSD server, executed by the same user - both command without sudo. The only difference is MIX_ENV=prod

I also noted that in prod mode, the phoenix server log an 404 error when Letsencrypt is trying to access my priv/static/.well-known/acme-challenge/(some-unique-string) My basic set up for phoenix + letsencrypt is detailed in this blog post

The question is: how is phoenix server treating directory/file permission differently between `prod' and 'dev' mode?

• Using Elixir 1.2.4 and Phoenix 1.1.4

UPDATE:

Folks, since LetsEncrypt and Phoenix framework evolve rapidly, the issue I listed above is no longer an issue if you are using the latest cerbot from LetsEncrypt and Phoenix 1.2.0

This is not necessary an answer to the original questions though.

Answer 1

I've solved it, by using a route, instead of file:

Click to copy

scope "/.well-known", MyApp do
   get "/acme-challenge/:challenge", AcmeChallengeController, :show
end

And a simple controller..

Click to copy

defmodule AcmeChallengeController do
   use MyApp, :controller

   def show(conn, %{"challenge" => "the_random_file_name"}) do
      send_resp(conn, 200, "TheHashInTheFile")
   end

   def show(conn, _) do
      send_resp(conn, 200, "Not valid")
   end
end

This is hardcoded, compiled and faster then sending files, but, it would be also possible to use some kind of key/value store, and manage (add/delete) the the challenges from within the UI without re-deployment.