using certbot-auto for nginx - ssl

I have an nginx running.
Now I want my nginx to use SSL:
certbot-auto --nginx -d my.domain.com -n --agree-tos --email admin#mail.com
OUTPUT:
Performing the following challenges:
tls-sni-01 challenge for my.domain.com
Cleaning up challenges
Cannot find a VirtualHost matching domain my.domain.com.
my.domain.com is pointing to the IP of my server. It's its dns name.
What am I doing wrong? I did this already for apache and it was working fine. My nginx is running (and I'm not able to restart it manually after the certbot-auto but this wasn't necessary when I used certbot-auto --apache

In my case, I had to add the "server_name" line because it wasn't in my nginx config so it was giving me the error message "Cannot find a VirtualHost matching domain my.domain.com" when I ran:
certbot --nginx
Make sure this is in your config:
server {
server_name my.domain.com;
....
}

Your are probably missing some Server Blocks (virtual hosts) files in the sites-enabled folder. Check if your config files exist in /etc/nginx/sites-available and /etc/nginx/sites-enabled. If they are not present in the sites-enabled folder, create symbolic links for them:
$ sudo ln -s /etc/nginx/sites-available/my.domain.com /etc/nginx/sites-enabled/
Add your site, check for config errors and restart nginx:
$ sudo certbot --nginx -d my.domain.com
$ sudo nginx -t
$ sudo service nginx restart

Related

How to install lets encrypt ssl in amazon linux AMI?

How to install lets encrypt SSL in amazon Linux AMI.i want to implement the lets encrypt SSL for my domain.
There are a lot of solutions online; I think you have to keep on trying until you find one that works for you. After a lot of experimentation, what worked for me was following the certbot instructions for Apache and CentOS 6. The official link is here, but for consistency:
Run the following commands in the terminal:
Download Certbot
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
Execute Certbot
sudo /usr/local/bin/certbot-auto --apache
If there's an error message, read the warning and run (if you feel comfortable):
sudo /usr/local/bin/certbot-auto --apache --debug
Here, you may be asked to complete some fairly intuitive questions to configure your installation. If not, what worked for me won't work for you. :(
Automate Renewal
Test to see if renewing your certificate works:
sudo /usr/local/bin/certbot-auto renew --dry-run
If so, navigate to your system's crontab (usually somewhere around /etc/crontab/) and add the following code to check (and run, if necessary) and auto-renewal at midnight and noon everyday:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew
Here I will explain how to configure let's encrypt in Linux AMI. I did it successfully in my Linux AMI.i followed the following steps to get it done.
1. SSH into your server.
2. Download certbot (the Let’s Encrypt client need to install for renew and install ssl): **wget https://dl.eff.org/certbot-auto** then **chmod a+x certbot-auto**
3. Run certbot to fetch your certificates.follow the below code
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d YOUR_DOMAIN [Replace your Domain in YOUR_DOMAIN placeholde]
4. while generating it will ask you the recover or support email please add your email.
5. certbot will place your certs in the following paths…
Certificate: /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
Full Chain: /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
Private Key: /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
6. Go to your apache config where you created a virtual host it can be either in httpd.conf or conf.d.
7. Add the virtual host for 443 port
<VirtualHost *:443>
ServerAdmin ADMIN_EMAIL
ServerName YOUR_DOMAIN
ServerAlias www.YOUR_DOMAIN
DocumentRoot "YOUR FOLDER PATH"
AllowEncodedSlashes On
ErrorLog "/var/log/httpd/YOUR_DOMAIN_error.log"
CustomLog "/var/log/httpd/YOUR_DOMAIN-sslaccess.log" common
<Directory YOUR FOLDER PATH>
DirectoryIndex index.php
Options -Indexes
AllowOverride All
</Directory>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
</VirtualHost>
You need to install Certbot if you are running CentOS 7 or 8 since Certbot-auto is deprecated and doesn't work beyond CentOS 6.
You can check which CentOS you are running by using the following command.
rpm -E %{rhel}
And use this tutorial from amazon to install Certbot in Amazon Linux
sudo yum update
sudo yum install -y certbot python2-certbot-apache
If you get "Package not found" error, then try the Prepare to Install section from the same blog.
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*

ssl installation on apache ubuntu16.0.4

My hosting (instance) is on EC2 and domain is on Nominalia. I am using ubuntu16.0.4 and Laravel 5.4, I have generated CSR, key file, certificate file and kept on root of server that is /var/www/html
Now I have to place
<VirtualHost *:443>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /var/www/html/sitename.com.crt
SSLCertificateKeyFile /var/www/html/sitename.com.key
SSLCertificateChainFile /var/www/html/intermediate-ca.crt
</VirtualHost>
I am not getting where I shall keep it. I tried to keep in /etc/apache2/sites-enabled/000-default.conf or /etc/apache2/sites-enabled/default-ssl.conf or /etc/apache2/sites-available/default-ssl.conf but it did not work and I am getting errors
In chrome
This site can’t be reached
and in Mozilla
Secure Connection Failed
Site is working without https
I also tried to keep both "VirtualHost *:443" and "VirtualHost *:80" in /etc/apache2/sites-enabled/000-default.conf but it also did not work. In this case, I am getting "This site can’t be reached"
There are lot of articles that I am reading from few days but not getting how to do final setting so that my site start working after I successfully placed all certificate files.
Recently Chrome stoped accepting self-signed Certificates. You can save a lot of effort using Let's Encrypt SSL Certificates. They are free, but valid for 90 days only. But you can configure auto renewal process, so you don't need to worry, because all things happens behind scenes.
Installation on Ubuntu it's simple:
1. Add repository to apt
sudo add-apt-repository ppa:certbot/certbot
After complete, update apt-get:
sudo apt-get update
2. Install Certbot
Certbot is a client tool for managing certificates from Let's Encrypt.
Run:
sudo apt-get install python-certbot-apache
3. Set up SSL Certificate
sudo certbot --apache -d sitename.com
If your domain could be accessed with www prefix run this command instead:
sudo certbot --apache -d sitename.com -d www.sitename.com
From now Certbot will run automatically via /etc/cron.d to check for expiring certificates.
You can validate process by running:
sudo certbot renew --dry-run.
It's done.
Full documentation for Certbot is here: https://certbot.eff.org/docs/

creating letsencrypt certificate fails

i'm on ubuntu 17.10 . looks like installed certbot successfully.
when i run
sudo certbot --apache -d mywebsite.com -d www.mywebsite.com
i get an error:
root#servername:~# sudo certbot --apache -d mywebsite.ca -d www.mywebsite.ca
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mywebsite.ca
http-01 challenge for www.mywebsite.ca
Enabled Apache rewrite module
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Any idea?
obviously apache is not running, but that's ok, i'm using nginx, so i don't need apache. or do i?
If you are running nginx server, use the nginx plugin (not apache):
sudo certbot --nginx -d mywebsite.com -d www.mywebsite.com

SSL Certs for Plex Media Server using Letstencrypt

I need a little direction here. I want to get https with my hostname that I generated at No-IP working with my Plex Media Server. I can connect through my hostname to my plex media server just fine I just want letsencrypt to generate secure SSL certs for it.
I run the following command:
sudo su -
./certbot-auto --webroot "/var/lib/plexmediaserver/Library/Application Support" -d example.com
and it return the following error:
letsencrypt: error: unrecognized arguments: /var/lib/plexmediaserver/Library/Application Support
If I run the following command:
sudo su -
./certbot-auto certonly --standalone -d example.com
It return the following error:
Failed authorization procedure. example.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested e1b6ab6aa7251a908a0f2fc1dd6a3597.beae34c6504c7db8412d92c3f1885e08.acme.invalid from 1.2.3.4:443. Received certificate containing '*.0beedbf17c2042c089ef5e20952e62c8.plex.direct'
I really don't even know if that is the right webroot or not. I'm at a complete lose as to where to go from here. This is the last step in my puzzle and any direction would be helpful.
Note: This is running on a Rasberry pi 3.
I'm assuming you already have plex setup so I will skip that part, if not look at this link: wesleysinstructions.weebly.com
Go to No-IP (or any other service you want to use for a hostname) and setup a hostname
Login To the dashboard.
On the side bar click "Dynamic DNS"
Select "Hostnames"
On that page click the button "Add Hostname"
​ - Fill that out and you now have a hostname (Note: This takes about 5 minutes to become active)
Install the Dynamic DNS client to link your plex ip address (that is always changing) to your hostname on No-Ip.com
Note: They have instructions on their website on how to do this
On your router port forward 443/80 to where you're hosting plex
Visit portforward.com for instructions regarding your exact router
SSH into your plex server
Install "certbot" by LetsEncrypt
mkdir ~/certs
cd ~/certs
wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto
sudo ./certbot-auto certonly --standalone -d <hostname>
NOTE: This will attempt to verify the host over 443.
If everything goes well you should get a message that looks something like this:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/<hostname>/fullchain.pem. Your cert
will expire on..
Setup a Reverse Nginx proxy to serve your cert.
sudo apt-get update
sudo apt-get install nginx -y
sudo unlink /etc/nginx/sites-enabled/default
sudo nano /etc/nginx/sites-available/reverse
The "reverse" file is setup something like the following:
server {
listen 80;
server_name <hostname>;
rewrite https://$host$request_uri? permanent;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;
#root /usr/share/nginx/html;
#index index.html index.htm;
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_pass http://127.0.0.1:32400;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Note: This assumes you have the default plex setup where it is using port 32400.
Finish the setup
sudo ln -s /etc/nginx/sites-available/reverse /etc/nginx/sites-enabled/reverse
sudo nginx -t
sudo service nginx restart
Hopefully I didn't type anything wrong. If I did at least this is the setup process you will need to go through.

Letsencrypt certificate for www and non-www domain

I have generated SSL certificate like so:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
./letsencrypt-auto certonly --standalone
Then I was asked for email ... and a domain name. I entered example.com
I figured out that I could enter multiple domains to be included in one certificate using different approach. E.g.:
sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
I wonder if I could have entered multiple domains when I was promoted for them in a dialog or now I need to regenerate using a different approach?
Do I need to remove previous letsencrypt installation before going new way?
UPDATE -> SOLVED
sudo ./certbot-auto certonly --standalone -d example.com -d www.example.com
You do not need to remove the installed certificate.
You can extend it to your sub-domain if you're using the same domain. Do the following:
sudo certbot certonly --standalone -d example.com -d www.example.com
When prompted for Expanding or Cancelling, reply with E then hit Enter key on your keyboard.
The certificate should be setup successfully.
If you encounter this error: Problem binding to port 80: Could not bind to IPv4 or IPv6, stop Apache by running systemctl stop apache2 then run the above certbot command again.
Once the SSL certificate is successfuly setup, run systemctl restart apache2 to get Apache up and running again.