Does order of lines matter in Nginx?

nginx lets-encrypt ssl-certificate-renewal

I have a server file like this

server {
listen 80;
server_name subdomain.example.com;

return 301 https://$server_name$request_uri;

location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
}

Now when I try sudo letsencrypt renew. It throws up and error saying can't find .well-known/acme-challenge. But as soon as I commented the return 301 line restarted the server and It worked.

Now I want to retest it putting the location first and not commenting the return 301 statement but it says certificate not due for renewal.So the question is does order in which the file is read, does it matter? and it won't automatically renew because of this reason for me, those who do renewal how do you handle this situation?


In this case, it isn't so much the ordering (a good explanation of how location and regex is evaluated can be found here: https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms).

For things like location blocks, the short version is best match wins, rather than the first match.

In your case, however, order counts because you use return. Per https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#return:

Stops processing and returns the specified code to a client. The non-standard code 444 closes a connection without sending a response header.

The key here is that a return immediately stops processing/evaluation, so what is happening is that nginx isn't looking at anything below return.

So you just need to move that return clause below your location block.

As for testing, I would try adding --test-cert to your commandline (see https://certbot.eff.org/docs/using.html#certbot-command-line-options).

That should avoid the 'problem' you are having when trying to use their production server, which reports you have a valid cert and do not need a new one right now.


You should include your return directive in a location block, then the normal location block matching rules are used:

server {
    listen 80;
    server_name subdomain.example.com;

    location / {
        return 301 https://$server_name$request_uri;
    }

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
}

Related

Does a raid controller use cache in JBOD mode?
InnoDB: The innodb_system data file 'ibdata1' must be writable
How to restrict unauthorized domains pointing to my website's IP address
Are there any established patterns for installing a kill or on/off switch for user cron jobs?
Offline uncorrectable sectors in SSDs being used for ZFS L2ARC?
What exactly is a "transparent reverse proxy"?
Apache 2.4 - Disable HSTS Header [closed]
How does a datacenter protect itself from IP change by the hosted servers?
Dell iDRAC6 virtual console viewer from GNU/Linux command line
Can Windows integrate with LDAP?
How do I copy an image in VMWare?
What is the $hf_mig$ directory for in Windows Server 2003?