I am trying to generate an ssl certificate on an AWS EC2 nano machine configured with a NGINX server.
My NGINX configuration file is as follows:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
server_name my_server_name.com;
}
When I check my Nginx configuration with the following command :
nginx -t
this error is returned:
nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/sites-enabled/default:22 nginx: configuration file /etc/nginx/nginx.conf test failed
Of course, when I try to go further in generating the SSL certificate with the following command:
certbot certonly --dry-run
the following error is returned:
Error while running nginx -c /etc/nginx/nginx.conf -t.
What changes/commands do I need to make to generate the SSL certificate ?
I have modified my Nginx configuration file in a thousand ways, without success.
Assuming you have installed NGINX correctly on your machine, for Certbot to take into account your configuration, you must first move (or delete) the default one located here:
/etc/nginx/sites-enabled/
for this, you will need these 2 commands:
cd /etc/nginx/sites-enabled/
rm default
Once these 2 commands are done, you have to switch off the NGINX server to generate the SSL certificate, using this command:
service nginx stop
Now you can restart your command and generate the SSL certificate with :
certbot certonly
Related
I'm using 'Oracle Cloud'.
I created a VM(Computer instance) on Oracle Cloud with CentOS 8. And I installed NginX, and it works well when I test it with 'http://mydeal.servername.com'.
To make NginX service with HTTPS, I also installed certbot(Let's Encrypt) and created certificate, using the following command.
sudo certbot --standalone -d mydeal.servername.com certonly
Result files were like below.
Cert : /etc/letsencrypt/live/mydeal.servername.com/fullchain.pem;
Key : /etc/letsencrypt/live/mydeal.servername.com/privkey.pem;
I added http and https to firewall service list like below.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
And I created test index.html like below.
sudo -i
mkdir /var/www
mkdir /var/www/mydeal
echo "MyDeal at Oracle Cloud" > /var/www/mydeal/index.html
And I created https settings, including http redirection, in /etc/nginx/conf.d/my.conf file.
server {
listen 80;
server_name my.servername.com;
location / {
root /var/www/mydeal;
index index.html;
try_files $uri /index.html;
}
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mydeal.servername.com;
ssl_certificate /etc/letsencrypt/live/mydeal.servername.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydeal.servername.com/privkey.pem;
location / {
root /var/www/mydeal;
index index.html;
try_files $uri /index.html;
}
}
Finally, when I start nginx server with the following command, it works well.
sudo -i
sudo nginx
But, when I start nginx server with the following command, it gives error "500 Internal Server Error" on the browser screen.
sudo systemctl enable nginx
sudo systemctl start nginx
I can not find any differences b/w 2 start procedures.
How I can debug this problem?
My domain was showing as not secure on google chrome.
I logged as root to my server ran this command:
certbot certificates
It produced this output: The certbot cerificate was valid.
Found the following certificates:
Certificate Name: xyz.com
Domains: xyz.com www.xyz.com
Expiry date: 2022-01-14 (valid: 58 days)
Certificate path: /etc/letsencrypt/live/xyz.com/fullchain.pem
Private key path: ....
However, the website was showing as NOT secure.
After this I ran :
sudo systemctl restart nginx
Then the website became secure.
What can I do so that I do not need to restart nginx everytime the certificate renews?
I am using Nginx 1.14.0 on ubuntu 18.04.5
The version of my client is : certbot 0.31.0
You do not need to restart Nginx, but you do need to tell Nginx that the certificate has changed so that it can reload it. Using nginx -s reload (and probably sudo systemctl reload nginx would work too).
This can be combined with the certbot renewal command, for example:
certbot renew --post-hook "nginx -s reload"
I am "newbie" I installed a "nginx" and "https" with this tutorial:
https://www.supinfo.com/articles/single/3558-installer-certificat-ssl-nginx-avec-let-s-encrypt.
my domains worked well and were accessible in https but I turned off my server too long and left the certificate expired.
now I can not renew my certificates because the command line does not work if the certificate has expired how to do it? Thank you
the error message
Attempting to renew cert from /etc/letsencrypt/renewal/info.fr.conf produced an unexpected error: Failed authorization procedure. info.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://info.fr/.well-known/acme-challenge/PwznYVREcdpBsSMDPhP_lp3s1bqbidN83z1lyNXm3Yc: Connection refused. Skipping.
Remove you letsencrypt folder and try to reinstall certificates like a first time
sudo rm -rf /etc/letsencrypt
this is the easiest way
If prev way is not for you:
Comment out all strings that use certificates
Change line listen *:443 ssl; to listen *:80;
Restart nginx
service nginx restart
Try to renew certificates
Again change line listen *:80 to listen *:443 ssl;
Uncomment all lines that use certificates
Restart nginx again
I have a problem with nginx. I tried different solutions, but for me nothing work.
That is my error:
4 root#BANANAS ~ # sudo service nginx restart :(
Restarting nginx: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] still could not bind()
nginx.
Can you help me?
Probably other process is using specified port:
sudo netstat -tulpn
Get the PID of the process that already using 443. And send signal with kill command.
sudo kill -2 <PID>
sudo service nginx restart
Aternatively you can do:
sudo fuser -k 443/tcp
Make sure you dont use old syntax:
server {
listen :80;
listen [::]:80;
}
The above syntax will cause
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Correct syntax:
server {
listen 80;
listen [::]:80 ipv6only=on;
}
or
server {
listen [::]:80;
}
Both above syntax will achieve the same thing, listening on both ipv4 and ipv6.
Another way (from my experience) is just force quit the process that running on that port 443
sudo fuser -k 443/tcp
or if you running on port 80 just change the port to
sudo fuser -k 80/tcp
Hope it helps someone who had the same issue
Alternative using lsof:
Find the PID & kill the process which running on port 443
sudo kill -9 $(lsof -t -i :443)
Thank you for the answer.
After running
sudo netstat -tulpn
I realised that I had apache2 running on port 80. This was probably done after I used Certbot to install SSL on the server.
I removed Apache2 and the server was up and running.
apt remove apache2
This did the trick! Thank you again.
First, we have to check how many services run on port 80. To check that, you could run the following command:
sudo netstat -plant | grep 80
This would show you which service exactly is listening on port 80 and then you can make a decision whether you want to have that service as is or have Nginx instead.
If it is Apache, you will need to decide whether you want to use Apache or Nginx.
If you only want to have Nginx, you need to stop Apache first:
sudo systemctl stop apache2 && sudo systemctl start nginx
I received the above error due to accidentally repeating the listen directive twice within the same server block as follows:
server {
listen [::]:443 ssl ipv6only=off;
listen 443 ssl;
...
}
changing it to:
server {
listen 443 ssl;
...
}
or
server {
listen [::]:443 ssl ipv6only=off;
...
}
resolved the problem when restarting the server: sudo service nginx start
When I killed the nginx process bind to 80 & 443 ports, the process always reappeared with new PID.
It helped me to temporarily comment this line in /etc/nginx/nginx.conf, restart nginx and then uncomment the line back:
worker_processes auto;
In my case, running Ubuntu 20.04, I bounced the server, and Apache2 was set to automatically start.
$ sudo lsof -i -P -n | grep LISTEN
This showed Apache2 running on port 80, and was causing a conflict. I shut it down with
$ sudo systemctl stop Apache2
And then started nginx with
$ sudo systemctl start nginx
If using a virtual machine, you may just need to restart the virtual machine. I was having the same issues yesterday and I could not get Nginx to start using any of the methods in this post. So I started the virtual machine up this morning, checked the running processes, and I see Nginx running on port 80. I even viewed the status of Nginx yesterday with systemctl and it said failed, but today it is active. Not sure what happened here, but it could be worth a try.
I have trying to add proxy_set_header in my nginx.conf file. When I try to add proxy_pass and invoke the URL it throws 502 Bad Gateway nginx/1.11.1 error.
Not sure how to resolve this error:
upstream app-server {
# connect to this socket
server unix:///tmp/alpasso-wsgi.sock; # for a file socket
}
server {
server_name <name>;
listen 80 default_server;
# Redirect http to https
rewrite ^(.*) https://$host$1 permanent;
}
server {
server_name <name>;
listen 443 ssl default_server;
recursive_error_pages on;
location /azure{
proxy_pass http://app-server;
}
ssl on;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_client_certificate /etc/nginx/server.crt;
ssl_verify_client optional;
}
Had similar problem with proxy_pass, if your Linux server is using SELINUX then you may want to try this.
$ setsebool -P httpd_can_network_connect true
Refer to Warren's answer: https://unix.stackexchange.com/questions/196907/proxy-nginx-shows-a-bad-gateway-error
502 is sent when your upstream is not reachable.
Try to switch on error log and you might see failed to connect to upstream,
for this you need to check whether your upstream server is running or not, sudo service upstream status, and try to switch that on.
Nginx proxy with unix socket troubleshooting:
Check nginx conf:
nginx -t
Check socket:
netstat --protocol=unix -nlp | grep alpasso-wsgi.socket
Check is app working:
curl --unix-socket /tmp/alpasso-wsgi.sock http:/your-path-on-app
(Must be html code on screen output)
If not, check your app. If yes:
Check nginx error log
sudo tail -f /var/log/nginx/error.log
In case you get a nginx permissions error, check nginx user rights for socket:
Determine which username nginx use:
ps aux | grep nginx
And, for example, if nginx user is www-data, give to www-data user required rights. Add www-data user to required group:
sudo usermod -a -G your-socket-file-group www-data
and check permissions of a socket file,
or use ACL:
sudo setfacl -R -m u:www-data:rwX /path-to-your-unix-socket
sudo setfacl -Rd -m u:www-data:rwX /path-to-your-unix-socket
Im my opinion, ACL is better for security. Because you give rights to nginx only to one file, not for all files which belongs to group.