letsencrypt django webroot

Question

I am trying to setup my nginx and django to be able to renew certificates. However something goes wrong with my webroot-plugin

in nginx:

location ~ /.well-known {
    allow all;
}

But when I run the renewal command:

./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/home/sult/huppels -d huppels.nl -d www.huppels.nl

However it seems that the cert renewal wants to retrieve a file from my server cause i get the following error.

The following errors were reported by the server:

Failed authorization procedure. www.huppels.nl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.huppels.nl/.well-known/acme-challenge/some_long_hash [51.254.101.239]: 400

How do i make this possible with nginx or django?

Answer 1

I have my Django app running with gunicorn. I followed the instructions here.

I made sure to include the proper location blocks:

location /static  {
    alias /home/user/webapp;
}

location / {
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Making sure to include any template location alias as well.

I set the .well-known location block like this;

location /.well-known {
    alias /home/user/webapp/.well-known;
}

Pointing it directly do the root of the webapp instead of using the allow all.

I did have to make sure that I only used the non ssl block until the certificate was generated then I used a different nginx config based on h5bps nginx configs.

Note: Make sure you have proper A records for you domain pointing to www if you are going to use h5bp to redirect to www.