I am stumped. I have 2 different domains that I'm trying to install an SSL cert for with Certbot on a Digital Ocean Ubuntu server. Here is the final command I run to obtain the SSL cert:
sudo certbot --nginx -d mydomain1.com -d www.mydomain1.com
I run the exact same command for mydomain1.com and mydomain2.com
Here's what makes no sense. Authentication passes for mydomain1.com but FAILS for mydomain2.com
I'm using identical Nginx Server block config files for both domains. Yes, this includes the root filepath and the server names being identical in the Nginx config file for both.
I have both the config files set to the following:
listen 80;
listen [::]:80;
root /var/www/mydomain2.com;
index index.html index.htm index.nginx-debian.html;
server_name mydomain2.com www.mydomain2.com;
Yes, both config files (for mydomain1.com and mydomain2.com are set to root path of mydomain2.com and server name of mydomain2.com because I need Nginx to serve up the exact same content that I have in that directory. My intention for this was to have mydomain1.com redirect to mydomain2.com but it appears it doesn't work like that which is a separate problem. Right now I'm just trying to validate the SSL cert for mydomain2.com then I'll figure out the redirect.
Thank you in advance for your help.
If I understood the problem correctly, the answer is as follows:
certbot certonly --standalone --preferred-challenges http -d domain1.com -d www.domain1.com
You do not need to modify the nginx default.conf file. use the following method instead.
nano /etc/nginx/sites_available/domain1.com
server {
listen 80;
listen [::]:80;
server_name domain1.com www.domain1.com;
return 301 https://domain1.com\$request_uri;
}
server {
listen 443 ssl;
server_name domain1.com;
ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem;
}
sites enabled symbolic link
ln -s /etc/nginx/sites-available/domain1.conf /etc/nginx/sites-enabled
The same in domain2.com
Related
I have two sites in folders like:
/var/www/my_site
/var/www/example.com
The first one is served a subdomain of the second one (subdomain.example.com).
I used certbot to enable ssl and https followed the instruction:
https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/
Particularly:
sudo certbot --nginx -d example.com -d www.example.com
certbot automatically included the lines below not just for the main domain site, but also for
the ngixn conf of the subdomain: I don't how it could do so, because I also have other subdomains but those nginx configurations were not affected.
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
Nginx fails to serve the subdomain site with this configuration, so I tried to edit the lines by changing the example.com to subdomain.example.com, but did not work:
ssl_certificate /etc/letsencrypt/live/subdomain.example.com/fullchain.pem; # edited manually
How to register a certificate for the subdomain site, so to serve it on https as well ?
Can / Should I use a different ssl certificate, or could use the same one as the main domain?
Can you guide to register manually , e.g. generating / adding the pem files ?
I also want to redirect http to https, but having conflicts between subdomain and main domain.
My domain is: www.nace.network
My web server is (include version): nginx version: nginx/1.15.8
The operating system my web server runs on is (include version): Ubuntu 14.04.6 LTS
I can login to a root shell on my machine (yes or no, or I don’t know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
Recently I was able to renew my certificate for my website, I can access it through www.nace.network but when accessing my site without using the “www” it sends me the “Warning: Potential Security Risk Ahead” alert, in what way could I fix it? this is the content of my nginx file:
server {
listen 8080 default_server;
listen [::]:8080 default_server ipv6only=on;
server_name www.nace.network;
root /home/ubuntu/nace/public; #could maybe change this to dummy location like /nul
location / {
return 301 https://$host$request_uri;
}#location
}#server
server {
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
server_name www.nace.network;
passenger_enabled on;
rails_env production;
root /home/ubuntu/nace/public;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location / {
deny 46.229.168.0;
deny 51.68.152.0;
}#locatoin
location = /50x.html {
root html;
}#location
ssl_certificate /etc/letsencrypt/live/www.nace.network/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.nace.network/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}#server
at the time I renew the certificate with this command :
ubuntu#ip-112-33-0-224:~/letsencrypt$ sudo -H ./letsencrypt-auto certonly --standalone -d nace.network -d www.nace.network
and this was the result
./letsencrypt-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nace.network
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
I tried to combine the certificates with the command: certbot certonly -t -n --standalone --expand --rsa-key-size 4096 --agree-tos -d www.nace.network,nace.network
but it throws me the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Attempting to parse the version 0.39.0 renewal configuration file found at /etc/letsencrypt/renewal/www.nace.network.conf with version 0.31.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nace.network
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
What names were configured on the cert ?
Hi again, reviewing you're configs I noticed that you do not have a server name without www.
You can follow this Nginx no-www to www and www to no-www
or simple edit the server name to the one without "www" and then redirect it to www.yourdomain.stuff
I'm trying to automate the setup of certbot + nginx on a server using Ansible.
The first time it runs, there are no letsencrypt certificates (yet). However I create the nginx conf as follows, referencing SSL/cert directories that will be created by certbot
server {
listen 443 ssl;
server_name example.co;
# ...
# SSL
ssl_certificate /etc/letsencrypt/live/example.co/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.co/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
if ($host = example.co) {
return 301 https://$host$request_uri;
}
listen 80;
server_name example.co;
return 404;
}
Then later in the ansible play I run certbot-auto with the --nginx plugin, but I receive an error
> /usr/local/bin/certbot-auto certonly --nginx -n --agree-tos --text -d example.co --email admin#example.co
Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.co/fullchain.pem"
It seems that certbot first checks the nginx conf before proceeding (which makes sense) but the conf fails validation since it refers to directories that don't exist. Also, the --nginx plugin (or at least some other plugin) are required so I can't leave it off.
So I'm in a sort of chicken-and-egg situation because -
I can't create the nginx conf before running certbot because certbot tries to validate the nginx conf, and it fails because it references directories that don't exist
I can't run certbot before creating the nginx conf because certbot uses the site's conf to requires new cerificates
The only option i can see is to
create the nginx conf without the #SSL lines
run certbot to get new certs
update the nginx conf file to add in the #SSL lines
This feels messy, but not sure if there's another way?
What's the right order to run this in?
Thanks!
The .conf file surely needs to be there before running certbot. Certbot will then itself write the path to the certificates into the file, so step 3 should not be necessary.
I have the issue with my Nginx configuration, I can't set my server_name.
I tried to build my docker container with Nginx configuration inside.
Body of my Dockerfile.
FROM nginx
RUN rm -rf /etc/nginx/conf.d/*
RUN mkdir /etc/nginx/ssl
RUN chown -R root:root /etc/nginx/ssl
RUN chmod -R 600 /etc/nginx/ssl
COPY etc/ssl/certs/qwobbleprod.crt /etc/nginx/ssl
COPY etc/ssl/certs/app.qwobble.com.key /etc/nginx/ssl
COPY nginx/default.conf /etc/nginx/conf.d/
COPY dist /usr/share/nginx/html
EXPOSE 443
and my Nginx configuration file ->
server {
listen 443 ssl default_server;
root /usr/share/nginx/html;
server_name blabla.com www.blabla.com;
access_log /var/log/nginx/nginx.access.log;
error_log /var/log/nginx/nginx.error.log;
ssl on;
ssl_certificate /etc/nginx/ssl/blabla.crt;
ssl_certificate_key /etc/nginx/ssl/blabla.com.key;
sendfile on;
location / {
try_files $uri /index.html =404;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|html)$ {
expires max;
log_not_found off;
}
}
I tried to build and run my docker container
docker build -t <name> .
docker run -it -p 443:443 <name>
As the result, I have my app on https://localhost:443
but I haven't access to my app through https://blabla.com:443 or https://www.blabla.com:443
I'm a newbie in working with Docker and Nginx, and I have no idea what is wrong.
I will be grateful for any help!
In this case I would expect that you actually need the blabla.com domain and that the dns (Domain Name Service) should point to your external IP address.
You must then configure the router to accept connections on port 443 (what you desire) and point (port forwarding) it to the computer running your docker image on the port that it is actually running on.
It might also be necessary to open firewall settings on the computer docker is running on.
I see you also want to listen to https so you might need some certificates for that.
or if you want to fake it you can edit your hosts file (on mac or linux /etc/hosts) and add an entry like:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
127.0.0.1 blabla.com
but now blabla.com will only work on your machine...
Hope it helps
i have have trouble with nginx wildcard sub-domains.
I've bought a domain from godaddy. then create host zone in amazone and then created a record set for A(A-IPv4) - for both www.domain.com / domain.com
and in nginx.conf i have the very basic configuration and 1 server file that look like this:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
access_log /var/log/nginx/domain.com.access.log;
error_log /var/log/nginx/domain.com.error.log;
# i tried the following for server name: domain.com *.domain.com/*.domain.com/.domain.com
server_name .domain.com;
root /usr/share/nginx/html/test;
index index.html;
}
when i visit subdomain.domain.com i get Firefox can't find the server at subdomain.domain.com
looking at the access log files nothing got logged it's completely empty.
Thanks
You have to add A-record for subdomains too. And before visiting site in Firefox, try ping - you will see if domain name can be resolved at all.