Nginx ingress controller - SSL cert and key fail during restart - nginx

I am getting the following error whenever I restart my nginx.
nginx: [emerg] cannot load certificate "/etc/ingress-controller/ssl/somefile.pem": PEM_read_bio_X509() failed (SSL: error:0908F066:PEM routines:get_header_and_data:bad end line)
The nginx ingress controller backend is actually reloading and failing during test temp/nginx.conf. This happens a few times until the backend is reloaded successfully and then this error goes away.
Note that somefile.pem contains both cert and key. SSL_Certificate and SSL_Certificate_key in nginx.conf both map to somefile.pem only. Is this the issue?
Also, we see this error only when the kubernetes cluster is heavy.
How do I fix this?
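As an added example (not from the question or the ingress controller project), here is a structural check that can be run against the combined bundle before a reload: it distinguishes a file that is complete from one caught mid-write, which is the situation a reload racing a write under load would produce. Function and constant names are mine, and the sample bundle is constructed placeholder text.

```python
import re

# Added example, not from the question: structural check of a PEM bundle such
# as the combined cert+key file nginx reads. Assumes unencrypted blocks (no
# "Proc-Type:" headers), which is what a cert-manager style secret produces.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
BODY_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def check_pem_bundle(text):
    """Return (ok, problems, completed_labels).

    A block whose END line is missing or mismatched is what OpenSSL rejects
    and nginx reports as 'bad end line', e.g. when a reload races a write.
    """
    problems, completed = [], []
    open_label = None  # label of the block we are currently inside
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip("\r")
        if m := BEGIN_RE.match(line):
            if open_label:
                problems.append(f"line {lineno}: BEGIN inside open {open_label} block")
            open_label = m.group(1)
        elif m := END_RE.match(line):
            if open_label is None:
                problems.append(f"line {lineno}: END without BEGIN")
            elif m.group(1) != open_label:
                problems.append(f"line {lineno}: END {m.group(1)} closes {open_label}")
            else:
                completed.append(open_label)
            open_label = None
        elif open_label and not BODY_RE.match(line):
            problems.append(f"line {lineno}: non-base64 data in {open_label} block")
    if open_label:
        problems.append(f"EOF inside {open_label} block: END line missing (truncated write?)")
    if "CERTIFICATE" not in completed:
        problems.append("no complete CERTIFICATE block")
    if not any(lbl.endswith("PRIVATE KEY") for lbl in completed):
        problems.append("no complete PRIVATE KEY block")
    return not problems, problems, completed


# Constructed sample (placeholder base64, not real key material).
GOOD = ("-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAAAA\n"
        "-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----\n"
        "MIGHAgEAMBMGByqGSM49AgEG\n-----END PRIVATE KEY-----\n")
# The same bundle as seen mid-write: the key's END line has not landed yet.
TRUNCATED = GOOD[: GOOD.rindex("-----END PRIVATE KEY-----")]
```

If the check fails on the file the controller just wrote, the reload is being attempted before the write has finished, which matches the error clearing once the backend reloads successfully.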

Related

nginx forward a request with user name and password

I am trying to forward a POST request that I get:
https://user:pass#somedomain.zz/abc/cccc
When I try to forward the request in nginx and put a new URL with the user name and password the same way I got it, nginx does not allow me to put it in the conf.d folder and thinks it's a port. This is the error:
nginx: [emerg] invalid port in upstream "zz:ff#newdomain.com" in /etc/nginx/conf.d/logs.conf:4 nginx: configuration file /etc/nginx/nginx.conf test failed

certbot nginx authentication failure: "Connection reset by peer"

I'm trying to renew an expired certbot SSL for Nginx on Ubuntu 18. I'm getting... well, various weirdness, but the certbot error is:
Certbot failed to authenticate some domains (authenticator: nginx).
The Certificate Authority reported these problems: Domain:
mysite.co.uk Type: connection Detail: ...: Fetching
http://mysite.co.uk/.well-known/acme-challenge/rx6m9QMdK0h16ZOJYsq5sx_AZbxI4zWGvJ6o_kt3b-A:
Connection reset by peer
I've got the site running on HTTP:
server {
    listen 80;
    listen [::]:80;
    server_name www.mysite.co.uk mysite.co.uk;
    root /var/www/html;
}
...the nginx.conf is telling it to keep its PID in /run/nginx.pid, I can start and stop it via service nginx start|stop and everything's good:
curl -I http://www.mysite.co.uk/
HTTP/1.1 200 OK
I'm not clear how this /.well-known/acme-challenge/ thing is supposed to be working - there's certainly no such folder in /var/www/html, but I did read that certbot starts its own server (??) to manage authentication and it's wise to stop your own while renewing.
So, as root, I do:
cat /run/nginx.pid
> 124876
service nginx stop
lsof -i -P -n | grep LISTEN
> nothing on 80 or 443
cat /run/nginx.pid
> file doesn't exist
certbot certonly --nginx
I know there's a certbot renew command but I'm getting the same results with each, so... anyway. It correctly picks up the domain name from the existing conf, prompts me to renew, and eventually spits out the error above. I also see a couple lines added to nginx error.log:
[notice] 125028#125028: signal process started
[error] 125028#125028: invalid PID number "" in "/run/nginx.pid"
Sure enough, nginx is started and is listening on 80 and 443. I didn't start it. It's also got a new PID. If I try service nginx restart, it fails because it's trying to bind to ports that this other (certbot's ??) Nginx process is already using.
At all times, whether via "proper" nginx or this certbot zombie one, my site is happily returning HTTP 200s to external requests. I've never got a "Connection reset by peer" error myself. Even when I manually created a /var/www/html/.well-known/acme-challenge/test file it's always served it fine.
So.. what in the almighty shenanigans is going on? Why is certbot starting an nginx instance it can't see? Why doesn't it stop it? Is it supposed to be creating something in /.well-known/acme-challenge/? Is my nginx instance somehow interfering? What should be happening? What am I doing wrong??
Ok, I still don't understand the weirdness with certbot starting its own nginx and not stopping it and mucking up PIDs and all that... but certbot can now see our server and renew the SSL certs. And after two days of IT swearing blind that it wasn't being blocked by a firewall rule... it was the firewall.
Sigh.

Certbot get ssl certificate HAproxy

I'm new to networking and I need to add an SSL certificate to my load balancer. For that, I'm using Certbot.
Instructions: https://certbot.eff.org/instructions?ws=haproxy&os=ubuntufocal
Basically it says to log in to the server using SSH and then install certbot.
Then, to run this command
sudo certbot certonly --standalone
It tells me to temporarily stop my web server to get the certificate, so I ran:
sudo service ssh stop
After running the certbot command I get the following error:
Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
So I ran:
sudo netstat -tulpn | grep :80
Output:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 59283/nginx: master
tcp6 0 0 :::80 :::* LISTEN 59283/nginx: master
Now, if I stop the nginx service with "sudo service nginx stop" and run the above command again I don't get any services listening on port 80. So I retry the Certbot command once more:
sudo certbot certonly --standalone
I get the following error:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: totaldomainoftheworldclub.tech
Type: dns
Detail: no valid A records found for totaldomainoftheworldclub.tech; no valid AAAA records found for totaldomainoftheworldclub.tech
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
And that's it, I don't know what else to do.
If you have trouble with normal validation, you can try using DNS challenge
Please note, that for DNS challenges, the following DNS providers are supported: cloudflare, cloudxns, digitalocean, dnsimple, dnsmadeeasy, gehirn, google, linode, luadns, nsone, ovh, rfc2136, route53, sakuracloud.
You can check how to use DNS challenges and what additional configuration they require in the certbot docs. But basically, you will need to create some kind of API key in your domain's DNS server and then provide it to certbot. Then, when validating, it will automatically add a new DNS record using the API for validation purposes.
You can also run DNS challenges on different machines or even in a Google Function or AWS Lambda. Check certbot-lambda, for example.

Postman `Error: Exceeded maxRedirects. Probably stuck in a redirect loop` after configuring Kubernetes and Ingress Nginx with SSL Certificate

I'm getting the following error on Postman after creating my own self-signed SSL certificate and making the necessary configurations in Kubernetes and Ingress Nginx:
Error: Exceeded maxRedirects. Probably stuck in a redirect loop https:\\...
Chrome seems to work fine and the connection is secure, but Postman returns this error when making any type of request.
The steps I followed for making my connection secure are the following:
Created a self-signed certificate
Created a ca-cert issuer from Kubernetes cert-manager
Configured ingress by adding the following lines inside the ingress config file:
tls:
- hosts:
  - example.dev
  secretName: dev-sc-secret
cert-manager.io/issuer: ca-cert-issuer
I've set the settings of the certificate to trusted, and added the certificate to Postman.
Does anybody have any ideas?
Thanks in advance.

Nginx failed to bind and redirection

I'm trying to configure my reverse proxy through nginx using this tutorial, but when I go to restart the nginx server, it throws the following error message:
nginx[12681]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
I checked out the port using netstat, and I have the following result
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
What does this mean? When I go to my domain name, it redirects to the Centos page instead of an nginx page I should be getting. How can I configure the file to get it to redirect to nginx?
Edit:
Added httpd status
httpd.service disabled
mysql.service enabled
my_api.service enabled
nginx.service disabled
I get the above errors when I try to start nginx using systemctl
Running netstat -luntp as root showed that nginx had spawned a master process and a worker. Killing those processes solved the issue