Support ACME challenges for unknown virtual hosts

p12tic · p12tic · commit 3928efbe2cc0 · 2025-03-14T01:28:13.000+02:00
Currently any ACME challenge for unknown virtual host returns 503. This
is inconvenient because if the user does not use wildcard certificates,
then the user must match the configuration of certificate renewal script
to what virtual hosts are enabled at the time.

This must be done automatically, because due to short certificate
lifetime the renewal script runs automatically. Additionally, enabling a
previously disabled virtual host forces certificate renewal. Under
certain circumstances this may lead to rate limiting from Let's Encrypt,
because only 5 certificates for exact same set of domains can be issued
per week.

Accordingly, it's worthwhile supporting unknown virtual hosts for the
purposes of passing ACME challenges.
diff --git a/docs/README.md b/docs/README.md
@@ -431,6 +431,8 @@ By default nginx-proxy generates location blocks to handle ACME HTTP Challenge.
 - `false`: do not handle ACME HTTP Challenge at all.
 - `legacy`: legacy behavior for compatibility with older (<= `2.3`) versions of acme-companion, only handle ACME HTTP challenge when there is a certificate for the domain and `HTTPS_METHOD=redirect`.
 
+By default nginx-proxy generates a location block to handle ACME HTTP Challenge for unknown virtual hosts as well. This can be disabled by setting global `ACME_HTTP_CHALLENGE_LOCATION` environment variable to `false`.
+
 ### Diffie-Hellman Groups
 
 [RFC7919 groups](https://datatracker.ietf.org/doc/html/rfc7919#appendix-A) with key lengths of 2048, 3072, and 4096 bits are [provided by `nginx-proxy`](https://github.com/nginx-proxy/nginx-proxy/dhparam). The ENV `DHPARAM_BITS` can be set to `2048` or `3072` to change from the default 4096-bit key. The DH key file will be located in the container at `/etc/nginx/dhparam/dhparam.pem`. Mounting a different `dhparam.pem` file at that location will override the RFC7919 key.
diff --git a/nginx.tmpl b/nginx.tmpl
@@ -858,6 +858,22 @@ server {
     ssl_reject_handshake on;
         {{- end }}
 
+        {{- $acme_http_challenge := $globals.config.acme_http_challenge }}
+        {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
+        {{- $acme_http_challenge_enabled := false }}
+        {{- if (not $acme_http_challenge_legacy) }}
+            {{- $acme_http_challenge_enabled = parseBool $acme_http_challenge }}
+        {{- end }}
+        {{- if (or $acme_http_challenge_legacy $acme_http_challenge_enabled) }}
+    location ^~ /.well-known/acme-challenge/ {
+        auth_basic off;
+        allow all;
+        root /usr/share/nginx/html;
+        try_files $uri =404;
+        break;
+    }
+        {{- end }}
+
         {{- if (exists "/usr/share/nginx/html/errors/50x.html") }}
     error_page 500 502 503 504 /50x.html;
     location /50x.html {
diff --git a/test/test_acme-http-challenge-location/test_acme-http-challenge-location-enabled-is-default.py b/test/test_acme-http-challenge-location/test_acme-http-challenge-location-enabled-is-default.py
@@ -31,4 +31,4 @@ def test_unknown_domain_acme_challenge_location_default_enabled(docker_compose,
         f"http://web-unknown.nginx-proxy.tld/{acme_challenge_path}",
         allow_redirects=False
     )
-    assert r.status_code == 503
+    assert r.status_code == 200
diff --git a/test/test_acme-http-challenge-location/test_acme-http-challenge-location-legacy.py b/test/test_acme-http-challenge-location/test_acme-http-challenge-location-legacy.py
@@ -17,4 +17,4 @@ def test_unknown_domain_acme_challenge_location_legacy(docker_compose, nginxprox
         f"http://web-unknown.nginx-proxy.tld/{acme_challenge_path}",
         allow_redirects=False
     )
-    assert r.status_code == 503
+    assert r.status_code == 200
diff --git a/test/test_ssl/test_nohttp.py b/test/test_ssl/test_nohttp.py
@@ -3,11 +3,10 @@ def test_web2_http_is_connection_refused(docker_compose, nginxproxy):
     assert r.status_code == 503
 
 
-def test_web2_http_is_connection_refused_for_acme_challenge(
-    docker_compose, nginxproxy, acme_challenge_path
-):
+def test_web2_acme_challenge_does_work(docker_compose, nginxproxy, acme_challenge_path):
+    # By default, ACME challenges are handled in all cases
     r = nginxproxy.get(f"http://web2.nginx-proxy.tld/{acme_challenge_path}", allow_redirects=False)
-    assert r.status_code == 503
+    assert r.status_code == 200
 
 
 def test_web2_https_is_forwarded(docker_compose, nginxproxy):

Original file line number	Diff line number	Diff line change
`@@ -31,4 +31,4 @@ def test_unknown_domain_acme_challenge_location_default_enabled(docker_compose,`
`31`	`31`	`f"http://web-unknown.nginx-proxy.tld/{acme_challenge_path}",`
`32`	`32`	`allow_redirects=False`
`33`	`33`	`)`
`34`		`- assert r.status_code == 503`
	`34`	`+ assert r.status_code == 200`
Original file line number	Diff line number	Diff line change
`@@ -17,4 +17,4 @@ def test_unknown_domain_acme_challenge_location_legacy(docker_compose, nginxprox`
`17`	`17`	`f"http://web-unknown.nginx-proxy.tld/{acme_challenge_path}",`
`18`	`18`	`allow_redirects=False`
`19`	`19`	`)`
`20`		`- assert r.status_code == 503`
	`20`	`+ assert r.status_code == 200`