I am "newbie" I installed a "nginx" and "https" with this tutorial:
https://www.supinfo.com/articles/single/3558-installer-certificat-ssl-nginx-avec-let-s-encrypt.
my domains worked well and were accessible in https but I turned off my server too long and left the certificate expired.
now I can not renew my certificates because the command line does not work if the certificate has expired how to do it? Thank you
the error message
Attempting to renew cert from /etc/letsencrypt/renewal/info.fr.conf produced an unexpected error: Failed authorization procedure. info.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://info.fr/.well-known/acme-challenge/PwznYVREcdpBsSMDPhP_lp3s1bqbidN83z1lyNXm3Yc: Connection refused. Skipping.
Remove you letsencrypt folder and try to reinstall certificates like a first time
sudo rm -rf /etc/letsencrypt
this is the easiest way
If prev way is not for you:
Comment out all strings that use certificates
Change line listen *:443 ssl; to listen *:80;
Restart nginx
service nginx restart
Try to renew certificates
Again change line listen *:80 to listen *:443 ssl;
Uncomment all lines that use certificates
Restart nginx again
Related
I am trying to generate an ssl certificate on an AWS EC2 nano machine configured with a NGINX server.
My NGINX configuration file is as follows:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
server_name my_server_name.com;
}
When I check my Nginx configuration with the following command :
nginx -t
this error is returned:
nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/sites-enabled/default:22 nginx: configuration file /etc/nginx/nginx.conf test failed
Of course, when I try to go further in generating the SSL certificate with the following command:
certbot certonly --dry-run
the following error is returned:
Error while running nginx -c /etc/nginx/nginx.conf -t.
What changes/commands do I need to make to generate the SSL certificate ?
I have modified my Nginx configuration file in a thousand ways, without success.
Assuming you have installed NGINX correctly on your machine, for Certbot to take into account your configuration, you must first move (or delete) the default one located here:
/etc/nginx/sites-enabled/
for this, you will need these 2 commands:
cd /etc/nginx/sites-enabled/
rm default
Once these 2 commands are done, you have to switch off the NGINX server to generate the SSL certificate, using this command:
service nginx stop
Now you can restart your command and generate the SSL certificate with :
certbot certonly
First of all thank you for your help.
The thing is that I'm having problems applying certbot to my site configured in nginx, I'm not an expert on the subject so I've been guided by a tutorial. Anyway, here are my settings:
clarify that the domain points to the IP and the site is accessible from the internet through port 80
/etc/nginx/conf.d/lexapp.es.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
server_name lexapp.es;
}
The command I try :
sudo certbot --nginx -d lexapp.es
The results I get :
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for lexapp.es
Performing the following challenges:
http-01 challenge for lexapp.es
Waiting for verification...
Challenge failed for domain lexapp.es
http-01 challenge for lexapp.es
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: lexapp.es
Type: unauthorized
Detail: 2a02:4780:1:753:0:3313:4df6:5: Invalid response from
http://lexapp.es/.well-known/acme-
challenge/ebE6_4SJ0B0yOIzWDyoIdWP0q0fZTldwteCaiORiBNo:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I would appreciate any help
My domain was showing as not secure on google chrome.
I logged as root to my server ran this command:
certbot certificates
It produced this output: The certbot cerificate was valid.
Found the following certificates:
Certificate Name: xyz.com
Domains: xyz.com www.xyz.com
Expiry date: 2022-01-14 (valid: 58 days)
Certificate path: /etc/letsencrypt/live/xyz.com/fullchain.pem
Private key path: ....
However, the website was showing as NOT secure.
After this I ran :
sudo systemctl restart nginx
Then the website became secure.
What can I do so that I do not need to restart nginx everytime the certificate renews?
I am using Nginx 1.14.0 on ubuntu 18.04.5
The version of my client is : certbot 0.31.0
You do not need to restart Nginx, but you do need to tell Nginx that the certificate has changed so that it can reload it. Using nginx -s reload (and probably sudo systemctl reload nginx would work too).
This can be combined with the certbot renewal command, for example:
certbot renew --post-hook "nginx -s reload"
I have an NGINX configuration with both HTTP and HTTPS traffic server blocks. Below is the HTTPS server block configuration snippet that is causing the problem.
server {
listen 10.1.1.5:443 default ssl;
listen 10.1.1.6:8080;
server_name myservice.traffic.dns.tmp;
ssl_certificate /etc/config/ssl/myservice.traffic.cert.pem;
ssl_certificate_key engine:name:myservice.traffic;
}
The external SSL server named "engine:name" is used to get the SSL certificate key. Initially, NGINX starts successfully. When the external SSL server goes down, if I try to restart NGINX, the restart fails because NGINX cannot connect with the external SSL server.
nginx: [emerg] ENGINE_load_private_key("385.1") failed
ENGINE_load_private_key:failed loading private key
This creates a "Hard" dependency on an external service.
How could I continue to serve my HTTP traffic even when the SSL external server is down? I would like to make nginx restart to succeed even when the external SSL server is down.
Thanks
I have trying to add proxy_set_header in my nginx.conf file. When I try to add proxy_pass and invoke the URL it throws 502 Bad Gateway nginx/1.11.1 error.
Not sure how to resolve this error:
upstream app-server {
# connect to this socket
server unix:///tmp/alpasso-wsgi.sock; # for a file socket
}
server {
server_name <name>;
listen 80 default_server;
# Redirect http to https
rewrite ^(.*) https://$host$1 permanent;
}
server {
server_name <name>;
listen 443 ssl default_server;
recursive_error_pages on;
location /azure{
proxy_pass http://app-server;
}
ssl on;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_client_certificate /etc/nginx/server.crt;
ssl_verify_client optional;
}
Had similar problem with proxy_pass, if your Linux server is using SELINUX then you may want to try this.
$ setsebool -P httpd_can_network_connect true
Refer to Warren's answer: https://unix.stackexchange.com/questions/196907/proxy-nginx-shows-a-bad-gateway-error
502 is sent when your upstream is not reachable.
Try to switch on error log and you might see failed to connect to upstream,
for this you need to check whether your upstream server is running or not, sudo service upstream status, and try to switch that on.
Nginx proxy with unix socket troubleshooting:
Check nginx conf:
nginx -t
Check socket:
netstat --protocol=unix -nlp | grep alpasso-wsgi.socket
Check is app working:
curl --unix-socket /tmp/alpasso-wsgi.sock http:/your-path-on-app
(Must be html code on screen output)
If not, check your app. If yes:
Check nginx error log
sudo tail -f /var/log/nginx/error.log
In case you get a nginx permissions error, check nginx user rights for socket:
Determine which username nginx use:
ps aux | grep nginx
And, for example, if nginx user is www-data, give to www-data user required rights. Add www-data user to required group:
sudo usermod -a -G your-socket-file-group www-data
and check permissions of a socket file,
or use ACL:
sudo setfacl -R -m u:www-data:rwX /path-to-your-unix-socket
sudo setfacl -Rd -m u:www-data:rwX /path-to-your-unix-socket
Im my opinion, ACL is better for security. Because you give rights to nginx only to one file, not for all files which belongs to group.