I am following a mini-tutorial to install letsencrypt certificates. OS is ubuntu 22.04.
I had already installed nginx, and my own example.com config file to /etc/nginx/sites-available
/etc/nginx/sites-available/example.com
I left the /etc/nginx/sites-available/default unchanged.
I removed the pre-installed certbot
sudo apt remove certbot
Then I installed snap and classic certbot:
sudo apt install snapd
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Then I ran
sudo nginx -t
sudo systemctl reload nginx
Then I did
sudo certbot --nginx -d example.com
I accepted the agreement, entered my email, and hit return.
Instead of modifying /etc/nginx/sites-available/example.com, /etc/nginx/sites-available/default was modified.
What am I doing wrong?
Related
Install certbot/letsencrypt on Amazon Linux 2 and enable HTTPS on nginx (similar process available for apache)
Install certbot
sudo yum update
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum-config-manager --enable epel
sudo yum install certbot python3-certbot-nginx
certbot --version
Generate certification
Use the following command to generate the certification and automatically let certbot modify the nginx configuration to enable HTTPS:
sudo certbot --nginx
or if you need only the certification, use the following command:
sudo certbot certonly --nginx
The certification will be created in the folder
/etc/letsencrypt/live/YOUR_SITE_NAME/
for example:
Certification
/etc/letsencrypt/live/www.my-site.com/cert.pem
Private key
/etc/letsencrypt/live/www.my-site.com/privkey.pem
Enable automatic renewal
Use the following command to enable automatic renewal of the certification:
sudo certbot renew --dry-run
Errors I have encountered
If during certification creation an error like the following appears:
"Could not choose appropriate plugin: The requested nginx plugin does
not appear to be installed"
then run the command
sudo yum install certbot python-certbot-nginx
and retry to create the certification.
Notes
For apache, you can use python2-certbot-apache instead of python2-certbot-nginx,
make sure you're using the option --apache instead of --nginx during the creation of the certification.
DNS must be configured to point to your machine, otherwise the certbot check will fail.
I wanted to delete my Certbot SSL, I ran "sudo certbot delete" and did it. Afterwards, when restarting nginx, it gave me this error:
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/fishymine.xyz/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/fishymine.xyz/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file).
How do I fix this?
The problem is that certbot automatically inserts config rules when you add a certificate. All of the inserted lines include "Certbot", so you can do this to remove these lines:
sudo sed -i '/Certbot/d' /etc/nginx/sites-available/*
sudo sed -i '/Certbot/d' /etc/nginx/sites-enabled/*
then try
sudo nginx -t
sudo certbot --nginx
if you still get an error, you can check the files in /etc/nginx/sites-* manually, or just delete their content if you don't care about the existing config by :
# "sudo echo '' > file" performs the redirection as the calling user, not root,
# so truncate the files as root instead of making them world-writable first.
sudo truncate -s 0 /etc/nginx/sites-enabled/default
sudo truncate -s 0 /etc/nginx/sites-available/default
I am following this guide to install certbot and create ssl cert.
But when I run wget https://dl.eff.org/certbot-auto, error shows:
--2021-07-09 02:16:27-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... xxx.xxx.xx.xxx, xxxx:xxxx:xx::xxx
Connecting to dl.eff.org (dl.eff.org)|xxx.xxx.xx.xxx|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2021-07-09 02:16:27 ERROR 404: Not Found.
How to solve it?
I just came across this page:
https://certbot.eff.org/docs/install.html#certbot-auto
We used to have a shell script named certbot-auto to help people install Certbot on UNIX operating systems, however, this script is no longer supported. If you want to uninstall certbot-auto, you can follow our instructions here.
From https://certbot.eff.org/docs/install.html#certbot-auto
certbot-auto script "is no longer supported."
SOLUTION :
Follow instructions here :
https://certbot.eff.org/
Example of SOLUTION on Ubuntu :
Certbot + Nginx:
Install snapd
sudo apt update
sudo apt install snapd
Execute the following instructions on the command line on the machine to ensure that you have the latest version of snapd.
sudo snap install core; sudo snap refresh core
Remove certbot-auto and any Certbot OS packages
If you have any Certbot packages installed using an OS package manager like apt, dnf, or yum, you should remove them before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager. The exact command to do this depends on your OS, but common examples are sudo apt-get remove certbot, sudo dnf remove certbot, or sudo yum remove certbot.
If you previously used Certbot through the certbot-auto script, you should also remove its installation by following the instructions here.
Install Certbot
Run this command on the command line on the machine to install Certbot.
sudo snap install --classic certbot
Prepare the Certbot command
Execute the following instruction on the command line on the machine to ensure that the certbot command can be run.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Choose how you'd like to run Certbot
Either get and install your certificates...
Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.
sudo certbot --nginx
Or, just get a certificate
If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.
sudo certbot certonly --nginx
Test automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration.
You can test automatic renewal for your certificates by running this command:
sudo certbot renew --dry-run
If that command completes without errors, your certificates will renew automatically in the background.
Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
It works! Enjoy, and donate to Certbot and EFF.
I have a Django application setup CI/CD via Bitbucket on AWS EC2 via AWS CodeDeploy.
In the AWS CodeDeploy hooks under AfterInstall
hooks:
  AfterInstall:
    - location: scripts/ngnix.sh
      timeout: 6000
      runas: ubuntu
and the nginx.sh script is
#!/usr/bin/env bash
mkdir -p /etc/nginx/sites-enabled
mkdir -p /etc/nginx/sites-available
sudo mkdir -p /etc/nginx/log/
sudo unlink /etc/nginx/sites-enabled/*
sudo cp /path_to_app/configs/nginx.conf /etc/nginx/sites-available/app-host.conf
sudo ln -s /etc/nginx/sites-available/app-host.conf /etc/nginx/sites-enabled/app-host.conf
sudo /etc/init.d/nginx stop
sudo /etc/init.d/nginx start
sudo /etc/init.d/nginx status
But every time this script is run via CI/CD pipeline, SSL stops working and the website is not accessible using https.
To re-enable SSL, I have to manually run
sudo certbot --nginx
And re-configure SSL certificate.
What could be the reason SSL is not working, and how do I automate this?
Certbot procures the SSL certificates from Let's Encrypt and keeps those certificates on your machine. You can run the command sudo certbot certificates to see the certificates path.
Found the following certs:
Certificate Name: example.com
Domains: example.com, www.example.com
Expiry Date: 2017-02-19 19:53:00+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
You need to store the files located at Certificate Path & Private Key Path in a persisted volume so they don't get wiped out every time you deploy your app. In your case I think these certificate files are getting wiped out and that is the reason you have to run the command sudo certbot --nginx to procure a new certificate.
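The nginx "cannot load certificate" error quoted earlier and the answer above both concern certificate files that the nginx configuration references but that are no longer on disk. The following added example (not part of the original posts) lists such directives so a deploy script can check before restarting nginx; the function name, sample config and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts. Names and paths are constructed.
# Real use (as root, since /etc/letsencrypt/live is root-only):
#   missing_tls_files /etc/nginx/sites-enabled/* && echo "TLS files OK"

# Print "conf:line:directive:path" for every ssl_certificate or
# ssl_certificate_key directive that points at a missing or unreadable file.
# Returns 1 if any were found. Assumes absolute paths without spaces.
missing_tls_files() {
    found=$(
        for conf in "$@"; do
            [ -f "$conf" ] || continue
            # Strip comments such as "# managed by Certbot", then emit
            # "lineno directive path" for the two TLS file directives.
            awk '{ sub(/#.*/, "") }
                 $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
                     path = $2; sub(/;$/, "", path); print NR, $1, path
                 }' "$conf" |
            while read -r lineno directive path; do
                [ -r "$path" ] || printf '%s:%s:%s:%s\n' "$conf" "$lineno" "$directive" "$path"
            done
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed demo: the certificate exists, the private key has been deleted.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/live/example.com"
    : > "$tmp/live/example.com/fullchain.pem"
    cat > "$tmp/app-host.conf" <<EOF
server {
    listen 443 ssl; # managed by Certbot
    server_name example.com;
    ssl_certificate $tmp/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key $tmp/live/example.com/privkey.pem; # managed by Certbot
}
EOF
    report=$(missing_tls_files "$tmp/app-host.conf") || true
    rm -rf "$tmp"
    # Remove the random temp prefix so the demo output is stable.
    printf '%s\n' "$report" | sed "s|$tmp||g"
}

demo
```

In a deploy hook, running the check before the restart and aborting on a non-zero status keeps the previous nginx process serving instead of failing on start.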
I'm running nginx on raspberry pi.
I ran update and upgrade commands and then installed nginx.
1. sudo apt-get update
2. sudo apt-get upgrade
3. sudo apt-get install nginx
Started the server
4. sudo /etc/init.d/nginx start
Output
[ ok ] Starting nginx (via systemctl): nginx.service.
When I enter ip address into the browser nothing appears. What could be the problem here?
FIXED
Changed the root in /etc/nginx/sites-available/default
from root /var/www/html;
to root /usr/share/nginx/www;
I also renamed html folder to www because it was missing.
Restarted nginx for the changes to take effect.
sudo systemctl restart nginx