hi, i either misunderstand something, or it is the certbot service that has invalid assumptions.
two years ago i came to the same conclusion: https://issues.guix.gnu.org/62491#2

Giovanni Biscuolo (CC'd) sent me to guix-devel to discuss this, even though i think the above bug happens because of the same issue i'm seeing locally (the challenge response is saved to the wrong path).

a couple of asserts:
--------------------

is there anyone here who runs the certbot service successfully on an nginx setup that serves static files to multiple virtual domain names? if yes, can i please see your config?

does the config in the guix maintenance repo work without human intervention? https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/bayfront.scm#n58

the symptom in my setup:
------------------------

for completeness, i have pasted my nginx config at the end of my mail.

  (service certbot-service-type
           (certbot-configuration
            (email "att...@lendvai.name")
            (webroot "/srv/www/")
            (certificates
             (list (certificate-configuration
                    (domains '("dwim.hu"))
                    (deploy-hook *certbot-deploy-hook*))
                   (certificate-configuration
                    (domains '("lendvai.name"))
                    (deploy-hook *certbot-deploy-hook*))))))

the following cmdline gets generated from the above by the certbot service:

  certbot -v --agree-tos certonly --webroot -w /srv/www/ --cert-name=lendvai.name -d lendvai.name --email att...@lendvai.name --deploy-hook /gnu/store/jz7bm8xclqi02j68mwbrgi44nr29n1xq-lendvai.name-deploy-hook

this doesn't work, because the proper wwwroot is /srv/www/lendvai.name

all works fine if i fix the `-w /srv/www/lendvai.name` part and run it by hand, because then certbot can generate its challenge response to the right path so that it will be served by nginx at the expected url.

or am i supposed to have a separate certbot service instance for each wwwroot that i serve? but then i don't see how it makes sense to have multiple certificates for one wwwroot, though.

or is the model here really this flexible: wwwroot 1..n certificate 1..n domain-name? and the only "problem" here is my surprise? and i should have one certbot service instance for each wwwroot?

FTR, reading both the manual and the code didn't help me. neither two years ago, nor this time.

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“The real does not die, the unreal never lived. Set your mind right and all will be right. When you know that the world is one, that humanity is one, you will act accordingly. But first of all you must attend to the way you feel, think and live. Unless there is order in yourself, there can be no order in the world.”
— Sri Nisargadatta Maharaj

  (nginx-configuration
   (extra-content '("charset utf-8;"))
   (server-blocks
    (let ((lendvai.name-nginx-config
           (lambda (domain-name)
             (nginx-server-configuration
              (server-name (list domain-name))
              (root "/srv/www/lendvai.name")
              (listen '("80" "443 ssl"))
              (ssl-certificate (string-append "/etc/letsencrypt/live/" domain-name "/fullchain.pem"))
              (ssl-certificate-key (string-append "/etc/letsencrypt/live/" domain-name "/privkey.pem"))
              (locations
               (list (nginx-location-configuration
                      (uri "/")
                      (body (list "autoindex on;" "disable_symlinks off;" "gzip on;")))))))))
      (list (lendvai.name-nginx-config "lendvai.name")
            (lendvai.name-nginx-config "lendvai.email")
            (nginx-server-configuration
             (server-name '("dwim.hu"))
             (root "/srv/www/dwim.hu")
             (listen '("80" "443 ssl"))
             (ssl-certificate "/etc/letsencrypt/live/dwim.hu/fullchain.pem")
             (ssl-certificate-key "/etc/letsencrypt/live/dwim.hu/privkey.pem")
             (locations
              (list (nginx-location-configuration
                     (uri "/")
                     (body (list "autoindex on;" "disable_symlinks off;" "gzip on;")))))))))
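An added example, not code from the mail or from the Guix project, of one way to keep a single `-w /srv/www/` webroot for every virtual host: each server block gets an explicit location that maps `/.well-known/acme-challenge/` onto the shared directory, so the per-domain `root` stays as it is and certbot's token lands where nginx will serve it. The paths and domain names are the ones from the mail; the names `acme-challenge-location` and `static-site-server` are my own.

```scheme
;; Added example (not from the mail): serve ACME HTTP-01 challenges for
;; every virtual host from one shared webroot, /srv/www.
;;
;; certbot --webroot -w /srv/www/ writes each token to
;;   /srv/www/.well-known/acme-challenge/<token>
;; and the CA fetches http://<domain>/.well-known/acme-challenge/<token>.
;; A location with its own `root` maps that URI prefix onto the shared
;; directory, independent of the server block's document root. Only
;; requests under this prefix hit /srv/www, so nothing else under the
;; shared directory becomes reachable through it.
(define acme-challenge-location
  (nginx-location-configuration
   (uri "/.well-known/acme-challenge/")
   (body (list "root /srv/www;"))))

;; Helper name is my own (hypothetical); it reproduces the server blocks
;; from the mail and prepends the shared challenge location to each.
(define (static-site-server domain-name document-root)
  (nginx-server-configuration
   (server-name (list domain-name))
   (root document-root)
   (listen '("80" "443 ssl"))
   (ssl-certificate
    (string-append "/etc/letsencrypt/live/" domain-name "/fullchain.pem"))
   (ssl-certificate-key
    (string-append "/etc/letsencrypt/live/" domain-name "/privkey.pem"))
   (locations
    (list acme-challenge-location
          (nginx-location-configuration
           (uri "/")
           (body (list "autoindex on;" "disable_symlinks off;" "gzip on;")))))))

;; One webroot, several document roots, several certificates: with the
;; challenge location in place, `-w /srv/www/` is correct for all of them.
(define shared-webroot-server-blocks
  (list (static-site-server "lendvai.name"  "/srv/www/lendvai.name")
        (static-site-server "lendvai.email" "/srv/www/lendvai.name")
        (static-site-server "dwim.hu"       "/srv/www/dwim.hu")))
```

Drop `shared-webroot-server-blocks` into the `server-blocks` field of the `nginx-configuration` and keep `(webroot "/srv/www/")` in the `certbot-configuration`; the directory must exist and be readable by the nginx user before the first renewal.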