My domain is: api.quickchat.ai
I ran this command: certbot renew
It produced this output: 400 The plain HTTP request was sent to HTTPS port
My web server is (include version): nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0
I am running HTTPS on port 80, in that case, how do I go about renewing the certificate? Thank you!
Hi @piotrgrudzien
that's a wrong configuration. Change that. Port 80 - http, nothing else.
You can't, if you want to use http validation.
Could you briefly explain how I should change the port setup in the Nginx config? Below is an excerpt from the Nginx conf:
```nginx
http {
    upstream channels-backend {
        server localhost:443;
    }

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/letsencrypt/live/api.quickchat.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.quickchat.ai/privkey.pem;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    # include /etc/nginx/sites-enabled/*;

    server {
        location / {
            try_files $uri @proxy_to_app;
        }

        location @proxy_to_app {
            proxy_pass https://channels-backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_ssl_certificate /etc/letsencrypt/live/api.quickchat.ai/fullchain.pem;
            proxy_ssl_certificate_key /etc/letsencrypt/live/api.quickchat.ai/privkey.pem;
        }
    }
}
```
Daphne is run using command:
command=daphne -u /run/daphne/daphne%(process_num)d.sock -e ssl:443:privateKey=/etc/letsencrypt/live/api.quickchat.ai/privkey.pem:certKey=/etc/letsencrypt/live/api.quickchat.ai/fullchain.pem --access-log - quickchat.asgi:application
rg305
February 27, 2021, 5:36pm
You say:
But show:
piotrgrudzien:
server localhost:443
So it seems to me that you are running HTTPS on port 443 and nothing on port 80.
If you want to use HTTP authentication, you will need to ensure that TCP port 80 (HTTP) is allowed through the firewalls and can reach your web server.
You don't have to make any changes to the web server.
You can simply just use certbot in standalone mode and it will serve the HTTP authentication content directly.
That's what you think. That's not what nginx uses.
Use nginx -T to see your real configuration.
And
there is no port 80 vHost, you have to create one
Additionally, you may have a wrong port forwarding: port 80 extern -> port 443 intern. That's wrong, it must be
port 80 extern -> http port intern (normally 80)
port 443 extern -> https port intern (normally 443)
PS: Conclusion: You can have a correct nginx configuration with port 80 and port 443, but a wrong port forwarding port 80 extern -> https port intern blocks http -> you can't create a certificate via http validation.
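To check what a port actually answers with before retrying the renewal, the following is an added example (not code from anyone in this thread) that sends one cleartext HTTP request and classifies the reply, including the exact nginx error quoted in the first post. The function names, the `probe` token in the request path and the sample reply are constructed for illustration.

```python
import socket
import sys

# Text nginx puts in its 400 page when cleartext HTTP reaches an ssl listener.
NGINX_TLS_HINT = b"plain HTTP request was sent to HTTPS port"

# Constructed sample reply, modelled on the error quoted in this thread.
SAMPLE_REPLY = (b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.18.0 (Ubuntu)\r\n\r\n"
                b"<title>400 The plain HTTP request was sent to HTTPS port</title>")


def classify_response(raw: bytes) -> str:
    """Classify what a server sent back to a cleartext HTTP request."""
    if not raw:
        return "no-response"   # peer closed without answering
    if NGINX_TLS_HINT in raw or raw[:1] == b"\x15":
        return "tls-listener"  # nginx ssl listener, or a raw TLS alert record
    if raw.startswith(b"HTTP/"):
        return "plain-http"    # what HTTP validation needs on port 80
    return "unknown"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one cleartext request to host:port and classify the reply."""
    # "probe" is a placeholder token; any HTTP status still counts as plain HTTP.
    request = ("GET /.well-known/acme-challenge/probe HTTP/1.1\r\n"
               f"Host: {host}\r\nConnection: close\r\n\r\n").encode()
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(reply) < 4096:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except ConnectionRefusedError:
        return "closed"        # nothing is listening on that port
    except OSError:
        if not reply:
            return "unreachable"   # timeout, DNS failure, reset, ...
    return classify_response(reply)


if __name__ == "__main__":
    # With a hostname argument, probe port 80; otherwise classify the sample.
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify_response(SAMPLE_REPLY))
```

A result of `tls-listener` on port 80, seen from outside the network, means either the web server or the port forwarding is handing cleartext requests to an HTTPS listener, which is the situation described in the conclusion above.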