hello!
instance details:
- cryptpad version: commit 0f5ffa4ad8d584327552940402a4112795fde039 (HEAD, tag: 2024.3.0)
- Host is a Debian 12 virtual machine (only running cryptpad and nothing else)
- nginx installed from the default debian repositories
- nginx config is the official (simple) template available at cryptpad/docs/example.nginx.conf, configured exactly according to the install guide
description:
our cryptpad instance has been running perfectly since we launched it in may of 2024. recently i got the "your certificate will expire in 18 days" email from let's encrypt, and knew that meant auto-renewal was failing
running the acme.sh renewal cron manually reveals this error:
    "challenges": [
      {
        "type": "http-01",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/blahblahblah12345",
        "status": "invalid",
        "validated": "2024-07-27T16:57:43Z",
        "error": {
          "type": "urn:ietf:params:acme:error:connection",
          "detail": "111.fake.ip.111: Fetching http://our.domain.com/.well-known/acme-challenge/blahblahblah123456abcdef: Connection refused",
          "status": 400
        },
        ...
it looks like the acme.sh auto renewal cron let's encrypt is only making an http request. it's possible it would follow redirects if they were there (i'm not sure), but there is no http>https redirect in the official nginx "simple" template, and in any case nginx is not configured to listen on port 80
i've recreated the behavior with curl manually, just as a gut check, and i'm able to reproduce the behavior
this is simple enough for me to fix in our nginx config, but i just wanted to surface here because maybe there's something i'm missing or misunderstanding. if that's not the case and this is in fact a real problem with the nginx template (same issue is present in the "advanced" nginx config as well), then i'm happy to file an issue in github or whatever else y'all would prefer 🙂
thanks so much! cryptpad is an absolute joy to use and i appreciate y'all's work on it so much 🙂
EDIT: i realized that the http request is coming from let's encrypt and not from acme.sh, so fixed that in the issue description
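For reference, this is the kind of plain-HTTP server block that resolves the "Connection refused" above when acme.sh is used in webroot mode. It is an added example, not CryptPad's own example.nginx.conf and not from the poster; it goes next to the existing TLS server block. The domain our.domain.com is the placeholder from the post, and the webroot /var/www/acme is a hypothetical path that would have to match the `-w` argument given to `acme.sh --issue`.

```nginx
# Added example (not CryptPad's example.nginx.conf). Listens on port 80 so that
# Let's Encrypt's http-01 validator gets an answer, serves only the ACME token
# files from that port, and sends every other request to HTTPS.
#
# Assumptions: domain our.domain.com (placeholder from the post) and an acme.sh
# webroot of /var/www/acme (hypothetical), i.e. certificates issued with
#   acme.sh --issue -d our.domain.com -w /var/www/acme
server {
    listen 80;
    listen [::]:80;
    server_name our.domain.com;

    # Token files written by acme.sh. This location must never be redirected,
    # otherwise validation depends on the TLS side being healthy, which is
    # exactly what renewal is trying to fix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Nothing else is served over HTTP. $server_name is used instead of $host
    # so an arbitrary Host header cannot be reflected into the redirect target.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
```

After adding the block, `nginx -t` validates the syntax and `nginx -s reload` applies it; a plain `curl -I http://our.domain.com/.well-known/acme-challenge/test` should then return 404 from nginx rather than a refused connection, and `acme.sh --renew -d our.domain.com` can be run to confirm the challenge passes. If the instance instead uses `--standalone` mode, acme.sh itself needs port 80, and nginx must not bind it.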