Using an nginx location block to fix Let's Encrypt certificate renewal behind a load-balancing reverse proxy


At present, a project uses HTTPS, with a certificate issued by Let's Encrypt, so it has to be renewed every three months. When acme.sh renews the certificate, the validation request has to be able to fetch a file from the .well-known directory.

However, this project does load balancing and reverse proxies every request to the sub servers X / Y / Z.

Something like this:

server {
        listen       80;
        # "listen 443 ssl;" replaces the old "listen 443;" + "ssl on;" pair: "ssl on;"
        # turns every listen of the server block into TLS, which breaks port 80,
        # and the directive is deprecated in current nginx releases.
        listen       443 ssl;
        ssl_certificate /path/to/domain.fullchain.cer;
        ssl_certificate_key /path/to/domain.key;
        location / {
            proxy_pass http://newstproxy;
            proxy_set_header Host $host;
            proxy_set_header Connection close;
            proxy_connect_timeout 60s;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
}

With this configuration, requests for the .well-known directory are also forwarded to X / Y / Z, so the Let's Encrypt renewal fails. How do we solve this?

We add a location block so that nginx does not apply the reverse proxy rule when it encounters this directory:

location ^~ /.well-known {
        root /PATH/TO/WEB_ROOT;
}

In this way, a request for /.well-known/... is served from /PATH/TO/WEB_ROOT/.well-known on this server instead of being proxied, and the renewal succeeds.
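For reference, here is a complete layout of the fix as an added example (not the configuration from the original post). It assumes the upstream is named newstproxy with made-up backend addresses, the domain is example.com, the webroot is /PATH/TO/WEB_ROOT, and acme.sh runs in webroot mode (acme.sh --issue -d example.com -w /PATH/TO/WEB_ROOT), which writes the challenge file under .well-known/acme-challenge/ in that webroot.

```nginx
# Added example, not the original post's config. Assumed: upstream name
# "newstproxy", backend addresses, domain example.com, webroot /PATH/TO/WEB_ROOT.
upstream newstproxy {
    server 10.0.0.11:8080;   # sub server X (assumed address)
    server 10.0.0.12:8080;   # sub server Y
    server 10.0.0.13:8080;   # sub server Z
}

server {
    listen 80;
    server_name example.com;

    # Let's Encrypt HTTP-01 validation connects on port 80, so the exception
    # must exist here. "^~" is a prefix match; because it is longer than "/"
    # it wins, and "^~" also stops nginx from checking any regex locations.
    location ^~ /.well-known/acme-challenge/ {
        root /PATH/TO/WEB_ROOT;
        default_type "text/plain";
        try_files $uri =404;     # never fall through to the proxy
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /path/to/domain.fullchain.cer;
    ssl_certificate_key /path/to/domain.key;

    # Same exception on 443 in case the validator follows a redirect to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        root /PATH/TO/WEB_ROOT;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Only application traffic reaches the load-balanced backends.
    location / {
        proxy_pass http://newstproxy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Restricting the exception to /.well-known/acme-challenge/ rather than all of /.well-known keeps other well-known paths (for example /.well-known/security.txt if the application serves it) flowing to the backends as before.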