Validation failed with nginx webserver

Hi, until today I used IIS as a webserver and CtW worked fine. Now I use nginx as a webserver with a basic http listener. IIS is no longer installed. If I request a certificate over CtW, the validation fails. It looks like CtW does not create the .well-known directory. The configcheck or the validation file is not created even if I create the folders manually. http://www.domain.tld is accessible from public. I also set the site root directory in CtW to the nginx root directory, without any success.

Log https://hasteb.in/raw/odemojay

Does anyone know why the file is not created?

Thanks a lot

It should certainly be possible to get this working, I haven’t tried nginx in quite a while but it’s just a web server at the end of the day, so there’s nothing special about nginx specifically.

As you are consuming port 80 with nginx you will no longer be able to use the built in http challenge server (it tries to listen on port 80 as well, but nginx will be holding that exclusively), you can disable the http challenge server under settings so that the app doesn’t even try to use it.

As noted the app should create a file called ‘configcheck’ under the /.well-known/acme-challenge/ path of your website, as determined by the site root directory you have specified, so the first thing to figure out is why doesn’t it create that file. I’m assuming you are using the very latest version of Certify.

Delete your manually created .well-known folder and instead click ‘Test’, this will create the .well-known/acme-challenge/configcheck path and configcheck file.

Note that ‘Perform challenge response config checks’ is enabled.

If the folder doesn’t get created when you click test then either:

  • the certify background service doesn’t have permission to write to that folder
  • or, much more likely, your Site Root Directory is incorrect.

If you can’t resolve this step (testing the config check file creation) then you definitely won’t get any further, so this is the part you need to fix first.

Once you have the app creating the ‘configcheck’ file (which is a text file with no .txt extension) you have to try browsing to http://yourdomain/.well-known/acme-challenge/configcheck - if that returns Extensionless File Config Test - OK then you are good to go and http validation will work.

If not, then you need to figure out what’s going wrong - the most likely thing is that you have the wrong site root or your server is configured to serve a 404 etc page instead of allowing the request through.
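The two checks described in the reply above (can the configcheck file be written under the site root, and does the web server hand it back), as an added example that is not part of the original post and is not Certify The Web's code. The function name `diagnose` is this example's own, and it runs as your account rather than as the Certify background service, so a successful write here says nothing about the service's permissions.

```python
import urllib.error
import urllib.request
from pathlib import Path

# Body text quoted in the thread for a working setup.
EXPECTED_BODY = "Extensionless File Config Test - OK"
CHALLENGE_PATH = ".well-known/acme-challenge"


def diagnose(site_root, base_url, timeout=5):
    """Return 'ok' or a short reason naming which of the two checks failed."""
    folder = Path(site_root) / CHALLENGE_PATH
    probe = folder / "configcheck"  # extensionless on purpose, as in the thread
    # Check 1: the configured site root must be writable.
    try:
        folder.mkdir(parents=True, exist_ok=True)
        probe.write_text(EXPECTED_BODY, encoding="utf-8")
    except OSError as exc:
        return f"cannot write under site root: {exc}"
    # Check 2: the web server must serve that exact file over plain http.
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/configcheck"
    # Ignore any configured proxy so the answer comes from the server itself.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:
        return (f"server answered HTTP {exc.code}: "
                "wrong site root or request not passed through")
    except (urllib.error.URLError, OSError) as exc:
        return f"cannot reach {url}: {exc}"
    finally:
        probe.unlink(missing_ok=True)  # remove the probe file again
    if body != EXPECTED_BODY:
        return "different content returned: another root or an error page answered"
    return "ok"


if __name__ == "__main__":
    # Placeholder values: substitute your nginx root and public host name.
    print(diagnose(r"C:\nginx\html", "http://www.domain.tld"))
```

A 404 result with a successful write is the "wrong site root" case from the reply: the file landed in a directory nginx does not serve.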

Thanks for your reply.

That was also my assumption


Yes, nginx is listening on port 80 and the http challenge server is disabled (but I think it’s not necessary because CtW processes a fallback)

Yes, I use 5.1.12.0


I get an error on Test and the folder and file are not created. They are also not created if I click Request Certificate.

That’s interesting, so according to the code this error message should only fire if an IIS Site ID has previously been set (in the internal settings of the managed certificate).

If this used to point to an IIS site you’ll need to create a new managed certificate instead of trying to re-use the old one. You could alternatively try to edit the database directly but I think it would be much easier just to add a new managed certificate and copy your settings.

Maybe this happens because I previously used IIS. On the certificate configuration tab the Select Site (optional) property was empty. I assumed that was fine, but with your information I selected (No IIS Site Selected) manually. This dropped the domain and I added it again. Now it works. A potential fix could be that, if the IIS site is no longer available, the Select Site option automatically gets the (No IIS Site Selected) value without deleting the domains.

Thanks, glad you got it working. It’s fairly common for IIS sites to get deleted (or change Site Id) but it’s not common for IIS to be removed altogether, as in this case.

Yes, that’s true. Thanks for your support.
