Current state

nginx/sites-enabled/jellyfin

@@ -3,8 +3,14 @@ server {
     listen [::]:80;
     server_name jellyfin.loadingm.xyz;
 
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
     # Uncomment to redirect HTTP to HTTPS
-    return 301 https://$host$request_uri;
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 server {
@@ -18,11 +24,11 @@ server {
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 20M;
 
-    ssl_certificate /etc/letsencrypt/live/jellyfin.loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/jellyfin.loadingm.xyz/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/jellyfin.loadingm.xyz/chain.pem;
+    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
 
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
@@ -36,6 +42,10 @@ server {
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
     add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
 
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
     location / {
         # Proxy main Jellyfin traffic
         proxy_pass http://jellyfin:8096;