I'm trying to renew an expired certbot SSL for Nginx on Ubuntu 18. I'm getting... well, various weirdness, but the certbot error is:
Certbot failed to authenticate some domains (authenticator: nginx).
The Certificate Authority reported these problems: Domain:
mysite.co.uk Type: connection Detail: ...: Fetching
http://mysite.co.uk/.well-known/acme-challenge/rx6m9QMdK0h16ZOJYsq5sx_AZbxI4zWGvJ6o_kt3b-A:
Connection reset by peer
I've got the site running on HTTP:
server {
listen 80;
listen [::]:80;
server_name www.mysite.co.uk mysite.co.uk;
root /var/www/html;
}
...the nginx.conf is telling it to keep its PID in /run/nginx.pid, I can start and stop it via service nginx start|stop and everything's good:
curl -I http://www.mysite.co.uk/
HTTP/1.1 200 OK
I'm not clear how this /.well-known/acme-challenge/ thing is supposed to be working - there's certainly no such folder in /var/www/html, but I did read that certbot starts it's own server (??) to manage authentication and it's wise to stop your own while renewing.
So, as root, I do:
cat /run/nginx.pid
> 124876
service nginx stop
lsof -i -P -n | grep LISTEN
> nothing on 80 or 443
cat /run/nginx.pid
> file doesn't exist
certbot certonly --nginx
I know there's a certbot renew command but I'm getting the same results with each, so... anyway. It correctly picks up the domain name from the existing conf, prompts me to renew, and eventually spits out the error above. I also see a couple lines added to nginx error.log:
[notice] 125028#125028: signal process started
[error] 125028#125028: invalid PID number "" in "/run/nginx.pid"
Sure enough, nginx is started and is listening on 80 and 443. I didn't start it. It's also got a new PID. If I try service nginx restart, it fails because it's trying to bind to ports that this other (certbot's ??) Nginx process is already using.
At all times, whether via "proper" nginx or this certbot zombie one, my site is happily returning HTTP 200's to external requests. I've never got a "Connection reset by peer" error myself. Even when I manually created a /var/www/html/.well-known/acme-challenge/test file it's always served it fine.
So.. what in the almighty shenannigans is going on? Why is certbot starting an nginx instance it can't see? Why doesn't it stop it? Is it supposed to be creating something in /.well-known/acme-challenge/? Is my nginx instance somehow interfering? What should be happening? What am I doing wrong??
Ok, I still don't understand the weirdness with certbot starting its own nginx and not stopping it and mucking up PIDs and all that... but certbot can now see our server and renew the SSL certs. And after two days of IT swearing blind that it wasn't being blocked by a firewall rule... it was the firewall.
Sigh.
Related
I am getting following error whenever I restart my nginx.
nginx: [emerg] cannot load certificate "/etc/ingress-controller/ssl/somefile.pem": PEM_read_bio_X509() failed (SSL: error:0908F066:PEM routines:get_header_and_data:bad end line)\n"
The nginx ingress controller backend is actually reloading and failing during test temp/nginx.conf. This happens a few times until the backend is reloaded successfully and then this error goes away.
Note that somefile.pem contains both cert and key. SSL_Certificate and SSL_Certificate_key in nginx.conf both map to somefile.pem only. Is this the issue?
Also, we see this error only when the kubernetes cluster is heavy.
How do I fix this?
I'm new to networking and I need to add an SSL certificate to my load balancer. For that, I'm using Certbot.
Instructions: https://certbot.eff.org/instructions?ws=haproxy&os=ubuntufocal
Basically it says to login to the server using SSH and then install certbot
Then, to run this command
sudo certbot certonly --standalone
It tells me to temporarily stop my web server to get the certificate, so I ran:
sudo service ssh stop
After running the certbot command I get the following error:
Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
So I ran:
sudo netstat -tulpn | grep :80
Output:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 59283/nginx: master
tcp6 0 0 :::80 :::* LISTEN 59283/nginx: master
Now, If I stop the nginx service with "sudo service nginx stop" and run the above command again I don't get any services listening in port 80. So I retry the Certbot command once more:
sudo certbot certonly --standalone
I get the following error:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: totaldomainoftheworldclub.tech
Type: dns
Detail: no valid A records found for totaldomainoftheworldclub.tech; no valid AAAA records found for totaldomainoftheworldclub.tech
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
And that's it, I don't know what else to do.
If you have trouble with normal validation, you can try using DNS challenge
Please note, that for DNS challenges, the following DNS providers are supported: cloudflare, cloudxns, digitalocean, dnsimple, dnsmadeeasy, gehirn, google, linode, luadns, nsone, ovh, rfc2136, route53, sakuracloud.
You can check how to use DNS challenges and what additional configuration it requires in the certbot docs. But basically, you will need to create some kind API key in your domain DNS server and then provide it to certbot. Then when validating it will automatically add a new DNS record using API for validation purposes.
You can also run DNS challenges in different machines or even in Google Function or AWS lambda. Check certbot-lambda for example.
I use Nginx on my server and want to serve my application on HTTPS using Let's Encrypt certs. I do the following on a fresh server before the application code gets deployed:
Install Nginx
Write the following nginx configuration file to sites-available, for certbot. Then symlink to sites-enabled and restart nginx
server {
listen 80;
server_name foo.bar.com;
allow all;
location ^~ /.well-known/acme-challenge/ {
proxy_pass http://0.0.0.0:22000;
}
}
Then run certbot
certbot certonly -m foo#bar.com --standalone --http-01-port 22000 --preferred-challenges http --cert-name bar.com -d foo.bar.com --agree-tos --non-interactive
All of the above work fine when run manually.
I use Chef to automate the above process. Certbot gets a 404 the first time I deploy. It works on subsequent deployments though.
Keep a note of the following detail:
The phenomenon happens only when I freshly install Nginx and then run my deploy script through Chef and disappears on subsequent deploys.
I use a custom LWRP to run the above steps in Chef expcept nginx installation. Nginx installation is taken care of by chef_nginx. I've pasted the snippet of the LWRP that runs the above steps.
vhost_file = "#{node['certbot']['sites_configuration_path']}/#{node['certbot']['sites_configuration_file']}"
template vhost_file do
cookbook 'certbot'
source 'nginx-letsencrypt.vhost.conf.erb'
owner 'root'
group 'root'
variables(
server_names: new_resource.sans,
certbot_port: node['certbot']['standalone_port'],
mode: node['certbot']['standalone_mode']
)
mode 00644
only_if "test -d #{node['certbot']['sites_configuration_path']}"
end
nginx_site node['certbot']['sites_configuration_file']
Using certbot in standalone mode on port 22000
How do I make things work even on the first deployment ?
I am trying to run Nginx, but I am getting the error below:
bind() to 0.0.0.0:80 failed (10013: An attempt was made to access a
socket in a way forbidden by its access permissions)
Please provide some help on what changes I need to do to make it working?
I have tried running on ports other than 80 and it works. but I need it to be running on 80.
Note: I am running on Windows 7 with command prompt running as Administrator.
If the port is already in use, you can change the default port of 80 to a different port that is not in use (maybe 8070). In conf\nginx.conf:
server {
listen 8070;
...
}
After startup, you should be able to hit localhost:8070.
tl;dr
netsh http add iplisten ipaddress=::
Faced similar issue. Run the above command in command prompt.
This should free up port 80, and you'd be able to run nginx.
Description:
netsh http commands are used to query and configure HTTP.sys settings and parameters.
add iplisten :
Adds a new IP address to the IP listen list, excluding the port number.
"::" means any IPv6 address.
For more netsh http commands refer the netsh http commands documentation.
Hope this helps!!
You have to be admin or root to bind port 80. Something you can do if you cannot run as root, is that your application listens to other port, like 8080, and then you redirect messages directed to 80 to 8080. If you are using Linux you redirect messages with iptables.
nginx: [emerg] bind() to 0.0.0.0:80 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions)
I got a similar problem, My 80 port was listening to IIS (windows machine). Stopping IIS freed up 80 port.
The problem got resolved...!!
Please check if another Proxy is running under port 80 ---> in my case IIS was running as a reverse proxy, so nginx could not start..
Stopping IIS, and starting of NGXIN solved the problem
My Tomcat server was running on port 80. Changed the port number in conf\nginx.conf file and it started to work.
This is an old question but since I had this problem recently I thought of posting another possible reason in this problem.
If the user is using Docker and has already tried all proposed solutions as stated above and is wondering why port 80 is trying to bind although on your configurations you are overwriting the port to non root port e.g. listen 8080; it seems that the newer NGINX images have a default nginx.conf file in /etc/nginx/conf.d.
Sample:
$ grep -r 80 /etc/nginx/
/etc/nginx/conf.d/default.conf: listen 80;
On my case I removed it on my Dockerfile:
RUN set -x \
&& rm -f /etc/nginx/nginx.conf \
&& rm -f /etc/nginx/conf.d/default.conf
Next step pass from my custom configurations:
COPY ["conf/nginx.conf", "/etc/nginx/nginx.conf"]
I have setup the nginx on my server. It worked fine for port 5000.
Now I want to setup a different server to listen to port 80.
So I have this config, same as the first server
server {
# location /etc/nginx/sites-available/backoffice
# after creating link to sites available by
# sudo ln -s /etc/nginx/sites-available/backoffice /etc/nginx/sites-enabled
listen 80;
server_name backofficeX;
location / {
include proxy_params;
proxy_pass http://unix:/tmp/backoffice_gunicorn.sock;
}
}
It doesn't work and I get the generic 'Welcome to nginx!' message .
The thing is, ITS not working just for port 80 .
When I try port 5008/ 81 / ... it works fine. What Am I missing for port 80?
I tailed the error log and the access log
tail -f /var/log/nginx/error.log
but since there are no errors nothing comes up there
DonĀ“t get mad with me, but I have to ask.
Isn't any other service running at port 80? Like apache...
Maybe you should use a port scanner to discover active ports...
Open your root config and ensure that you have info in error_log. This will log everything.
error_log /var/log/nginx/error.log info;
Reload your configuration using nginx -s reload
Then see the tail of error log...
tail -n 100 /var/log/nginx/error.log
It should give you pointers about what's going on.
Apache often runs on port 80, which might be the reason NGINX is not working.
Turns out what was listening on port 80 was nginx itself!!!
so I entered the default nginx file at /etc/nginx/sites-available/default:
server {
listen 4008; ## changed 80 -> 4008 (no really important what port)