403 response upon first renewal attempt on Nginx webserver

My domain is: htttps://xevion.dev (HSTS domain -> HTTPS only)

I ran this command: certbot --nginx -d xevion.dev -d www.xevion.dev or certbot

It produced this output: GitHub Gist

My web server is: Nginx 1.14.0

The operating system my web server runs is: Ubuntu 18.04.3

My hosting provider is: Digital Ocean

I can login to a root shell on my machine: Yes

The version of my client is: certbot 0.31.0


/var/log/nginx/error.log/

/nginx.conf

/sites-available/xeviondev


I apologize if I’m being super dumb, but I know very little about how Nginx and in general, web servers, work. Ask any information and I will provide you endless configurations and debug logs. I am not in any particular rush to get this server back up, but I would like to know how to fix problems like these myself and not rely on other’s too much. If you know how a beginner to web servers could learn to debug nginx configurations, that would be great.

1 Like
nginx: [warn] conflicting server name "xevion.dev" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.xevion.dev" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "xevion.dev" on [::]:80, ignored
nginx: [warn] conflicting server name "www.xevion.dev" on [::]:80, ignored

This is probably the issue.

You should only have a single port 80 nginx virtualhost with server_name xevion.dev www.xevion.dev;. From the warnings, it looks like you have 3.

This can confuse Certbot because it doesn’t know which one it needs to use to do the Let’s Encrypt validation.

You can use this command to do a full dump of your nginx config, which will allow you to identify where the duplicates are coming from:

nginx -T
1 Like

Weird, I wonder what command I ran originally that didn’t make the server think about the default Nginx server. Running sudo rm /etc/nginx/sites-enabled/default yielded a fix and I was able to run the certbot renewal with sudo certbot --nginx -d xevion.dev -d www.xevion.dev. Gotta love those multiple day bugs that take a single command to fix.

It may just be a case of non-determinism. Either that nginx does not sort the files after it does a readdir (so the order of the files depends on the internal state of your filesystem, e.g. ext4’s tree structures, at that moment), or the same could be true for Certbot’s nginx parsing plugin.

So you might have gotten “lucky” where nginx and Certbot happened to agree on which one to use.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.