Add certificate to my site when accessing without “www” - ssl

My domain is: www.nace.network
My web server is (include version): nginx version: nginx/1.15.8
The operating system my web server runs on is (include version): Ubuntu 14.04.6 LTS
I can login to a root shell on my machine (yes or no, or I don’t know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
Recently I was able to renew my certificate for my website. I can access it through www.nace.network, but when accessing my site without the “www” it shows the “Warning: Potential Security Risk Ahead” alert. In what way could I fix it? This is the content of my nginx file:
server {
    listen 8080 default_server;
    listen [::]:8080 default_server ipv6only=on;
    server_name www.nace.network;
    root /home/ubuntu/nace/public; # could maybe change this to a dummy location like /nul
    location / {
        return 301 https://$host$request_uri;
    } #location
} #server
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name www.nace.network;
    passenger_enabled on;
    rails_env production;
    root /home/ubuntu/nace/public;
    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location / {
        deny 46.229.168.0;
        deny 51.68.152.0;
    } #location
    location = /50x.html {
        root html;
    } #location
    ssl_certificate /etc/letsencrypt/live/www.nace.network/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.nace.network/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
} #server
At the time, I renewed the certificate with this command:
ubuntu@ip-112-33-0-224:~/letsencrypt$ sudo -H ./letsencrypt-auto certonly --standalone -d nace.network -d www.nace.network
and this was the result
./letsencrypt-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nace.network
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
I tried to combine the certificates with the command: certbot certonly -t -n --standalone --expand --rsa-key-size 4096 --agree-tos -d www.nace.network,nace.network
but it throws me the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Attempting to parse the version 0.39.0 renewal configuration file found at /etc/letsencrypt/renewal/www.nace.network.conf with version 0.31.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nace.network
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

What names were configured on the cert?
Hi again, reviewing your configs I noticed that you do not have a server_name without www.
You can follow this Nginx no-www to www and www to no-www
or simply edit the server name to the one without "www" and then redirect it to www.yourdomain.stuff
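The comments above point at the cause: a browser request for nace.network matches no server_name, so nginx answers from its default 443 server and presents that server's certificate, which only names www. The audit below is an added example (not from this thread, nginx or certbot) that reads the server blocks of an nginx config and reports, per hostname, whether a TLS block claims it and whether that block's certificate covers it, including single-label wildcard matching; NGINX_CONF and CERT_SANS are constructed stand-ins for the real file and the certificate's SAN list.

```python
import re

# Constructed sample shaped like the question's HTTPS block (only the www name).
NGINX_CONF = """
server {
    listen 443 ssl;
    server_name www.nace.network;
    ssl_certificate /etc/letsencrypt/live/www.nace.network/fullchain.pem;
}
"""
# Assumed SANs of that file (what `openssl x509 -noout -ext subjectAltName` would print).
CERT_SANS = {"/etc/letsencrypt/live/www.nace.network/fullchain.pem": {"www.nace.network"}}

def server_bodies(conf):
    """Yield the inside of each `server { ... }` block, tracking nested braces."""
    pos = 0
    while m := re.compile(r"\bserver\s*\{").search(conf, pos):
        depth, j = 1, m.end()
        while depth and j < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        yield conf[m.end():j - 1]
        pos = j

def tls_servers(conf):
    """(server_name set, ssl_certificate path) for each block whose `listen` has `ssl`."""
    out = []
    for body in server_bodies(conf):
        if not re.search(r"listen\s+[^;]*\bssl\b", body):
            continue  # plain-HTTP block presents no certificate
        names = re.search(r"server_name\s+([^;]+);", body)
        cert = re.search(r"ssl_certificate\s+([^;]+);", body)
        out.append((set(names.group(1).split()) if names else set(),
                    cert.group(1).strip() if cert else None))
    return out

def name_matches(pattern, host):  # exact, or wildcard covering one leftmost label (RFC 6125)
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def audit(conf, sans_by_path, hosts):
    """Per host: 'ok', 'no server block' (default server answers) or 'cert missing SAN'."""
    servers, report = tls_servers(conf), {}
    for host in hosts:
        hit = next((s for s in servers if any(name_matches(n, host) for n in s[0])), None)
        sans = sans_by_path.get(hit[1], set()) if hit else set()
        report[host] = ("no server block" if hit is None else
                        "ok" if any(name_matches(s, host) for s in sans) else "cert missing SAN")
    return report
```

Both failure states end in the same browser warning: fixing the server_name alone still reports "cert missing SAN" until the certificate is reissued with both names.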

Related

Nginx certbot : manually set up pem files to serve subdomain and main domain on https

I have two sites in folders like:
/var/www/my_site
/var/www/example.com
The first one is served as a subdomain of the second one (subdomain.example.com).
I used certbot to enable SSL and HTTPS, following the instructions at:
https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/
Particularly:
sudo certbot --nginx -d example.com -d www.example.com
certbot automatically included the lines below not just for the main domain site, but also for
the nginx conf of the subdomain. I don't know how it could do so, because I also have other subdomains, but those nginx configurations were not affected.
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
Nginx fails to serve the subdomain site with this configuration, so I tried to edit the lines by changing example.com to subdomain.example.com, but it did not work:
ssl_certificate /etc/letsencrypt/live/subdomain.example.com/fullchain.pem; # edited manually
How do I register a certificate for the subdomain site, so as to serve it on https as well?
Can / should I use a different SSL certificate, or could I use the same one as the main domain?
Can you guide me to register it manually, e.g. generating / adding the pem files?
I also want to redirect http to https, but I'm having conflicts between the subdomain and the main domain.

Certbot Fails Domain Authentication

I am stumped. I have 2 different domains that I'm trying to install an SSL cert for with Certbot on a Digital Ocean Ubuntu server. Here is the final command I run to obtain the SSL cert:
sudo certbot --nginx -d mydomain1.com -d www.mydomain1.com
I run the exact same command for mydomain1.com and mydomain2.com.
Here's what makes no sense: authentication passes for mydomain1.com but FAILS for mydomain2.com.
I'm using identical Nginx Server block config files for both domains. Yes, this includes the root filepath and the server names being identical in the Nginx config file for both.
I have both the config files set to the following:
listen 80;
listen [::]:80;
root /var/www/mydomain2.com;
index index.html index.htm index.nginx-debian.html;
server_name mydomain2.com www.mydomain2.com;
Yes, both config files (for mydomain1.com and mydomain2.com) are set to the root path of mydomain2.com and the server name of mydomain2.com because I need Nginx to serve up the exact same content that I have in that directory. My intention for this was to have mydomain1.com redirect to mydomain2.com, but it appears it doesn't work like that, which is a separate problem. Right now I'm just trying to validate the SSL cert for mydomain2.com; then I'll figure out the redirect.
Thank you in advance for your help.
If I understood the problem correctly, the answer is as follows:
certbot certonly --standalone --preferred-challenges http -d domain1.com -d www.domain1.com
You do not need to modify the nginx default.conf file. Use the following method instead.
nano /etc/nginx/sites-available/domain1.com
server {
    listen 80;
    listen [::]:80;
    server_name domain1.com www.domain1.com;
    # permanent redirect of every plain-HTTP request to the HTTPS site
    return 301 https://domain1.com$request_uri;
}
server {
    listen 443 ssl;
    server_name domain1.com;
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem;
}
sites-enabled symbolic link:
ln -s /etc/nginx/sites-available/domain1.com /etc/nginx/sites-enabled
The same for domain2.com.

Which comes first - creating the nginx site `.conf` file or running `certbot-auto certonly`?

I'm trying to automate the setup of certbot + nginx on a server using Ansible.
The first time it runs, there are no letsencrypt certificates (yet). However, I create the nginx conf as follows, referencing SSL/cert directories that will be created by certbot:
server {
    listen 443 ssl;
    server_name example.co;
    # ...
    # SSL
    ssl_certificate /etc/letsencrypt/live/example.co/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.co/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
    if ($host = example.co) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name example.co;
    return 404;
}
Then later in the Ansible play I run certbot-auto with the --nginx plugin, but I receive an error:
> /usr/local/bin/certbot-auto certonly --nginx -n --agree-tos --text -d example.co --email admin@example.co
Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.co/fullchain.pem"
It seems that certbot first checks the nginx conf before proceeding (which makes sense), but the conf fails validation since it refers to directories that don't exist. Also, the --nginx plugin (or at least some other plugin) is required, so I can't leave it off.
So I'm in a sort of chicken-and-egg situation because:
I can't create the nginx conf before running certbot, because certbot tries to validate the nginx conf, and it fails because it references directories that don't exist.
I can't run certbot before creating the nginx conf, because certbot uses the site's conf to request new certificates.
The only option I can see is to:
create the nginx conf without the #SSL lines
run certbot to get new certs
update the nginx conf file to add in the #SSL lines
This feels messy, but I'm not sure if there's another way?
What's the right order to run this in?
Thanks!
The .conf file surely needs to be there before running certbot. Certbot will then itself write the path to the certificates into the file, so step 3 should not be necessary.
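One way to break the chicken-and-egg loop in configuration management is to render the site from a single template whose TLS block is conditional on the certificate files existing, and to obtain the first certificate with certbot's webroot plugin (which only needs an HTTP path served) rather than --nginx. This is an added example, not the poster's Ansible code: the example.co names, the /var/www/letsencrypt webroot and the options-ssl-nginx.conf include are assumptions, and the demo writes placeholder files, not real keys.

```python
import tempfile
from pathlib import Path

ACME_WEBROOT = "/var/www/letsencrypt"  # assumed: the -w directory given to `certbot certonly --webroot`

HTTP_BLOCK = """server {{
    listen 80;
    server_name {domain};
    location /.well-known/acme-challenge/ {{ root {webroot}; }}
{extra}}}
"""
TLS_BLOCK = """server {{
    listen 443 ssl;
    server_name {domain};
    ssl_certificate {live}/fullchain.pem;
    ssl_certificate_key {live}/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
}}
"""

def cert_present(domain, letsencrypt_root):
    """True once certbot has written both files under live/<domain>."""
    live = Path(letsencrypt_root) / "live" / domain
    return (live / "fullchain.pem").is_file() and (live / "privkey.pem").is_file()

def render_site_conf(domain, letsencrypt_root="/etc/letsencrypt"):
    """Render the same site in both phases of its life: HTTP only before the first
    issuance (so `nginx -t` passes and the challenge path is served), and an
    HTTP->HTTPS redirect plus the TLS block once the certificate exists."""
    live = Path(letsencrypt_root) / "live" / domain
    if not cert_present(domain, letsencrypt_root):
        return HTTP_BLOCK.format(domain=domain, webroot=ACME_WEBROOT, extra="")
    redirect = "    location / { return 301 https://$host$request_uri; }\n"
    return (HTTP_BLOCK.format(domain=domain, webroot=ACME_WEBROOT, extra=redirect)
            + TLS_BLOCK.format(domain=domain, live=live))

def demo_two_phase(domain="example.co"):
    """Run both phases against a throwaway letsencrypt root with placeholder files
    (constructed; not real keys). Returns (first_run_conf, later_run_conf)."""
    with tempfile.TemporaryDirectory() as tmp:
        before = render_site_conf(domain, tmp)
        live = Path(tmp) / "live" / domain
        live.mkdir(parents=True)
        for name in ("fullchain.pem", "privkey.pem"):
            (live / name).write_text("placeholder, not a real certificate\n")
        after = render_site_conf(domain, tmp)
    return before, after
```

The play then becomes: render, reload nginx, run `certbot certonly --webroot -w /var/www/letsencrypt -d example.co`, render again, reload; the acme-challenge location is kept in phase two so renewals keep working over HTTP.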

HTTPS certificate (SSL)

Is it possible to create my own SSL certificate that is trusted in browsers? So if a user enters my website they don't need to trust my website, just like professional websites?
I'm using nginx.
You can't create one, because you are not a certification authority trusted by browsers.
What you can do, though, is get a free one from Let's Encrypt. You have to renew it every 90 days, but you can do this on a cronjob quite easily.
If you want to create your own certificate authority, I can't help you. But if you just want a free SSL certificate, that is pretty easy: you can use Let's Encrypt.
For example, if you have SSH access to your server, you can use Certbot.
Then just download it for your distribution and type:
./certbot-auto certonly --webroot -w /var/www/your_web_root -d yourdomain.com
Then all you need to do is change your nginx site config so it supports SSL.
You can look at my example on github:
https://github.com/NLDev/dotfiles/blob/master/nginx.conf
This config scores an A+ on the SSL-Labs test.
Or you can use this stripped down version:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    return 301 https://example.com$request_uri;
    location ~ /.well-known {
        allow all;
    }
}
server {
    listen 443 ssl default_server;
    root /var/www/example.com/public_html;
    index index.html index.htm index.php;
    server_name example.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    location ~ /.well-known {
        allow all;
    }
}
Replace example.com with your domain and change
/var/www/example.com/public_html;
to your webroot.
You can create your own self-signed certificate, but it is not trusted by browsers because its root certificate is absent from the browser's list. Browsers will only trust the preinstalled trusted root certificates, which are issued by third-party certificate authorities.
Each browser uses a different set of certificate authority (CA) certificates. You can check the trusted root certificates for the major browsers:
Firefox: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
Chrome: http://www.chromium.org/Home/chromium-security/root-ca-policy
Opera: https://certs.opera.com/
iOS: https://support.apple.com/kb/ht5012
You should get an SSL certificate from a trusted certificate authority that is recognized by browsers. To install an SSL certificate on your nginx server, you can follow this quick guideline: https://www.ssl2buy.com/wiki/how-to-install-ssl-certificate-on-nginx-server

SSL Certs for Plex Media Server using Letsencrypt

I need a little direction here. I want to get https working with the hostname I generated at No-IP and my Plex Media Server. I can connect through my hostname to my Plex Media Server just fine; I just want letsencrypt to generate secure SSL certs for it.
I run the following command:
sudo su -
./certbot-auto --webroot "/var/lib/plexmediaserver/Library/Application Support" -d example.com
and it returns the following error:
letsencrypt: error: unrecognized arguments: /var/lib/plexmediaserver/Library/Application Support
If I run the following command:
sudo su -
./certbot-auto certonly --standalone -d example.com
It returns the following error:
Failed authorization procedure. example.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested e1b6ab6aa7251a908a0f2fc1dd6a3597.beae34c6504c7db8412d92c3f1885e08.acme.invalid from 1.2.3.4:443. Received certificate containing '*.0beedbf17c2042c089ef5e20952e62c8.plex.direct'
I really don't even know if that is the right webroot or not. I'm at a complete loss as to where to go from here. This is the last step in my puzzle and any direction would be helpful.
Note: This is running on a Raspberry Pi 3.
I'm assuming you already have Plex set up, so I will skip that part; if not, look at this link: wesleysinstructions.weebly.com
Go to No-IP (or any other service you want to use for a hostname) and set up a hostname
Login to the dashboard.
On the side bar click "Dynamic DNS"
Select "Hostnames"
On that page click the button "Add Hostname"
- Fill that out and you now have a hostname (Note: this takes about 5 minutes to become active)
Install the Dynamic DNS client to link your Plex IP address (which is always changing) to your hostname on No-IP.com
Note: They have instructions on their website on how to do this
On your router, port forward 443/80 to where you're hosting Plex
Visit portforward.com for instructions regarding your exact router
SSH into your plex server
Install "certbot" by LetsEncrypt
mkdir ~/certs
cd ~/certs
wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto
sudo ./certbot-auto certonly --standalone -d <hostname>
NOTE: This will attempt to verify the host over 443.
If everything goes well you should get a message that looks something like this:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/<hostname>/fullchain.pem. Your cert
will expire on..
Setup a Reverse Nginx proxy to serve your cert.
sudo apt-get update
sudo apt-get install nginx -y
sudo unlink /etc/nginx/sites-enabled/default
sudo nano /etc/nginx/sites-available/reverse
The "reverse" file is set up something like the following:
server {
    listen 80;
    server_name <hostname>;
    # Send every plain-HTTP request to HTTPS. This has to live in its own server block:
    # a single block that listens on both 80 and 443 and rewrites to https would
    # redirect HTTPS requests to themselves in a loop.
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name <hostname>;
    ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;
    #root /usr/share/nginx/html;
    #index index.html index.htm;
    ssl_stapling on;
    ssl_stapling_verify on;
    location / {
        proxy_pass http://127.0.0.1:32400;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Note: This assumes you have the default Plex setup where it is using port 32400.
Finish the setup
sudo ln -s /etc/nginx/sites-available/reverse /etc/nginx/sites-enabled/reverse
sudo nginx -t
sudo service nginx restart
Hopefully I didn't type anything wrong. If I did, at least this is the setup process you will need to go through.