404 Error after installing ssl certificate

My domain is: hflswall.com

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): CentOS Linux 7

My hosting provider, if applicable, is: not known in English-speaking countries, so please just ignore

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, but not cpanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

I ran this command:
Almost exactly following Certbot Instructions | Certbot, but when running sudo ln -s /snap/bin/certbot /usr/bin/certbot I got an error, then I realized I'm running my Wordpress site on a so-called lighthouse server, so nginx wasn't installed under the default path. Exact outcome as below:

[root@VM-8-8-centos ~]# sudo ln -s /snap/bin/certbot /usr/bin/certbot
[root@VM-8-8-centos ~]# sudo certbot --nginx
ERROR: ld.so: object '/$LIB/libonion.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')
[root@VM-8-8-centos ~]# service nginx status
nginx (pid 2000 1999 1996) already running.
[root@VM-8-8-centos ~]# locate nginx.conf
/www/server/nginx/conf/nginx.conf
/www/server/nginx/conf/nginx.conf.default
/www/server/nginx/src/conf/nginx.conf

Hence, I ran this instead:
sudo certbot --nginx --nginx-server-root /www/server/nginx/conf

Then it worked fine, until I saw --

Which names would you like to activate HTTPS for?
1: wordpress.local

My domain wasn't showing. Then I canceled the process and edited /www/server/nginx/conf/nginx.conf

The original .conf file was:

user  www www;
worker_processes auto;
error_log  /www/wwwlogs/nginx_error.log  crit;
pid        /www/server/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;

events
    {
        use epoll;
        worker_connections 51200;
        multi_accept on;
    }

http
    {
        include       mime.types;
		#include luawaf.conf;

		include proxy.conf;

        default_type  application/octet-stream;

        server_names_hash_bucket_size 512;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 32k;
        client_max_body_size 50m;

        sendfile   on;
        tcp_nopush on;

        keepalive_timeout 60;

        tcp_nodelay on;

        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 64k;
        fastcgi_buffers 4 64k;
        fastcgi_busy_buffers_size 128k;
        fastcgi_temp_file_write_size 256k;
		fastcgi_intercept_errors on;

        gzip on;
        gzip_min_length  1k;
        gzip_buffers     4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
        gzip_vary on;
        gzip_proxied   expired no-cache no-store private auth;
        gzip_disable   "MSIE [1-6]\.";

        limit_conn_zone $binary_remote_addr zone=perip:10m;
		limit_conn_zone $server_name zone=perserver:10m;

        server_tokens off;
        access_log off;

server
    {
        listen 888;
        server_name phpmyadmin;
        index index.html index.htm index.php;
        root  /www/server/phpmyadmin;

        #error_page   404   /404.html;
        include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /www/wwwlogs/access.log;
    }
include /www/server/panel/vhost/nginx/*.conf;
}

I then changed listen 888; server_name phpmyadmin; into listen 80; server_name hflswall.com www.hflswall.com; (I checked that nginx was listening on both port 80 and 888 via netstat -nlp | grep nginx)

Back to the certbot, everything worked seemingly fine. (Here, my site was still working.)

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hflswall.com
2: www.hflswall.com
3: wordpress.local
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1, 2
Requesting a certificate for hflswall.com and www.hflswall.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/hflswall.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/hflswall.com/privkey.pem
This certificate expires on 2022-04-24.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for hflswall.com to /www/server/nginx/conf/nginx.conf
Successfully deployed certificate for www.hflswall.com to /www/server/nginx/conf/nginx.conf
Congratulations! You have successfully enabled HTTPS on https://hflswall.com and https://www.hflswall.com

But alas! My site is showing a 404 error now. I checked SSL Server Test: hflswall.com (Powered by Qualys SSL Labs) and it shows no problem. Can anyone please help me? I just released my site to the public yesterday and got a hundred users, so I'm really frustrated now.

Also, is there a safe way to remove SSL certificate and get my site working?

Was your site previously working on HTTP port 80? Or on port 888? And can you show the contents of /www/server/nginx/conf/nginx.conf again now that Certbot has added the HTTPS site?

Please put three backticks (```) above and below the config file output, so it's better readable.

3 Likes

I'm not sure it's on HTTP port 80 or 888, but since the untouched nginx.conf had

server
    {
        listen 888;
        server_name phpmyadmin;
        index index.html index.htm index.php;
        root  /www/server/phpmyadmin;
        [rest omitted]
}

I suppose it's on port 888?

Now the nginx.conf is

user  www www;
worker_processes auto;
error_log  /www/wwwlogs/nginx_error.log  crit;
pid        /www/server/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;

events
    {
        use epoll;
        worker_connections 51200;
        multi_accept on;
    }

http
    {
        include       mime.types;
		#include luawaf.conf;

		include proxy.conf;

        default_type  application/octet-stream;

        server_names_hash_bucket_size 512;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 32k;
        client_max_body_size 50m;

        sendfile   on;
        tcp_nopush on;

        keepalive_timeout 60;

        tcp_nodelay on;

        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 64k;
        fastcgi_buffers 4 64k;
        fastcgi_busy_buffers_size 128k;
        fastcgi_temp_file_write_size 256k;
		fastcgi_intercept_errors on;

        gzip on;
        gzip_min_length  1k;
        gzip_buffers     4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
        gzip_vary on;
        gzip_proxied   expired no-cache no-store private auth;
        gzip_disable   "MSIE [1-6]\.";

        limit_conn_zone $binary_remote_addr zone=perip:10m;
		limit_conn_zone $server_name zone=perserver:10m;

        server_tokens off;
        access_log off;

server
    {
        server_name hflswall.com www.hflswall.com;
        index index.html index.htm index.php;
        root  /www/server/phpmyadmin;

        #error_page   404   /404.html;
        include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /www/wwwlogs/access.log;
    
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/hflswall.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hflswall.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
include /www/server/panel/vhost/nginx/*.conf;


server
    {
    if ($host = www.hflswall.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = hflswall.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        server_name hflswall.com www.hflswall.com;
    return 404; # managed by Certbot


}}

Thanks for your reply, Osiris.

1 Like

And was your previously working site also PHPMyAdmin? Or did it have other content?

3 Likes

It's a wordpress site. I'm a novice and I've never visited the PHPMyAdmin panel actually. (I simply couldn't access it; it said something like couldn't connect to server when my site was working properly.)

Hmm, so your site wasn't a PHPMyAdmin site, but you reconfigured your nginx configuration in such a way that Certbot was led to believe the server {} section of the previously, probably non-functional, PHPMyAdmin site was your actual website. And based on that probably incorrect information, it generated the HTTPS website.

So I would recommend to revert your current dysfunctional nginx configuration and try again:

  • First, undo the Certbot installation step by running: sudo certbot --nginx rollback
  • Then, undo your own modification to nginx.conf. Don't forget to reload nginx after any configuration file modification!
  • After that, check that your website is working again
  • Edit the correct server {} section (probably somewhere in a configuration file in /www/server/panel/vhost/nginx/) and reload nginx after your modification, so the modified configuration file is actually loaded.
  • Make sure your website is still functional
  • Run sudo certbot --nginx again: you should be able to install the already issued certificate without requiring to re-issue a new certificate.
3 Likes

Thank you! I found a file /www/server/panel/vhost/nginx/wordpress.local.conf, and it's

server {
    listen 80 default_server;
    server_tokens off;
    server_name wordpress.local;
    keepalive_timeout 5;
    client_max_body_size 50m;
    root /usr/local/lighthouse/softwares/wordpress;
    index index.php index.html;
    include /www/server/panel/vhost/nginx/proxy/wordpress.local/*.conf;
    #REWRITE-START URL [some non-English omitted]
    include /www/server/panel/vhost/rewrite/wordpress.local.conf;
    #REWRITE-END
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    #[some non-English omitted]
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    #[some non-English omitted]
    location ~ \.well-known{
        allow all;
    }

    access_log  /www/wwwlogs/wordpress.local.log;
    error_log  /www/wwwlogs/wordpress.local.error.log;
}

So should I add my domain name after server_name wordpress.local; like server_name wordpress.local hflswall.com www.hflswall.com;? Anything else I should edit in this file?
I'll try out your solution later this day. I really appreciate your help!

It looks like it. You can see the parameter default_server, so this would be your default virtualhost in nginx. But that's not something Certbot can work with, it requires the actual hostnames.

So yes, indeed, you should add the other two hostnames to that server_name directive.

No, not regarding Certbot anyway, should be fine like this.

Currently, I still see a redirect to HTTPS with the 404 file not found error. Did you roll back the modifications made by Certbot with sudo certbot --nginx rollback?

3 Likes
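
The server-block selection discussed in the answer above, as an added example that is not part of the original thread: it shows which `root` answers for hflswall.com on port 80 before the edit, after the mistaken edit to the phpMyAdmin block, and after adding the hostnames to the WordPress block. The sample configs are constructed from the excerpts posted in this thread and reduced to flat blocks; the function names are hypothetical, and wildcard or regex `server_name` values are not handled.

```python
import re

# Constructed sample: the two server blocks from this thread, reduced to the
# directives that decide routing (flat blocks, no nested location {}).
BEFORE = """
server {
    listen 888;
    server_name phpmyadmin;
    root /www/server/phpmyadmin;
}
server {
    listen 80 default_server;
    server_name wordpress.local;
    root /usr/local/lighthouse/softwares/wordpress;
}
"""
# The mistaken edit: the domain was put on the phpMyAdmin block.
MISTAKE = BEFORE.replace("listen 888;", "listen 80;").replace(
    "server_name phpmyadmin;", "server_name hflswall.com www.hflswall.com;")
# The fix from the thread: add the hostnames to the WordPress block.
FIXED = BEFORE.replace(
    "server_name wordpress.local;",
    "server_name wordpress.local hflswall.com www.hflswall.com;")

def server_blocks(conf):
    """Return one dict per flat server block: port, default flag, names, root."""
    blocks = []
    for body in re.findall(r"\bserver\s*\{(.*?)\}", conf, re.S):
        listen = re.search(r"\blisten\s+([^;]+);", body).group(1).split()
        names = re.search(r"\bserver_name\s+([^;]+);", body).group(1).split()
        root = re.search(r"\broot\s+([^;]+);", body).group(1).strip()
        blocks.append({"port": int(listen[0].rsplit(":", 1)[-1]),
                       "default": "default_server" in listen,
                       "names": names, "root": root})
    return blocks

def serving_block(blocks, host, port=80):
    """Exact server_name match on the port, else that port's default_server,
    else the first block listening on the port (nginx's fallback order)."""
    on_port = [b for b in blocks if b["port"] == port]
    named = [b for b in on_port if host in b["names"]]
    default = [b for b in on_port if b["default"]]
    return (named or default or on_port or [None])[0]

def report(conf, host="hflswall.com"):
    """Return (root that serves host, whether host is named explicitly)."""
    block = serving_block(server_blocks(conf), host)
    return block["root"], host in block["names"]

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("mistake", MISTAKE), ("fixed", FIXED)):
        print(label, report(conf))
```

Only the last configuration both serves the WordPress root and names the domain explicitly, which is the state the answer asks for before running Certbot again.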

Thank you! My site is working on HTTP now. I just have another question -- since my nginx.conf is actually /www/server/panel/vhost/nginx/wordpress.local.conf, how should I run sudo certbot --nginx? Without specifying a path, it checks /etc/nginx/nginx.conf which doesn't exist. If I run sudo certbot --nginx --nginx-server-root /www/server/panel/vhost/nginx, it checks /www/server/panel/vhost/nginx/nginx.conf which is also incorrect.

You could try using --webroot instead.

OR

Use:
sudo certbot --nginx --nginx-server-root /www/server/panel/vhost/nginx
After creating a link from:
/www/server/panel/vhost/nginx/nginx.conf
to:
/www/server/panel/vhost/nginx/wordpress.local.conf

2 Likes

As for your second solution, do I need to create a symbolic link or a hard link? There's not a nginx.conf under /www/server/panel/vhost/nginx. I did ln -s /www/server/panel/vhost/nginx/nginx.conf /www/server/panel/vhost/nginx/wordpress.local.conf, and it gives ln: failed to create symbolic link '/www/server/panel/vhost/nginx/wordpress.local.conf': File exists. Should I do vice versa? Thank you!

Edit: My /www/server/panel/vhost/nginx/wordpress.local.conf is only part of an nginx configuration file, and my nginx.conf is actually in /www/server/nginx/conf. How should I do it?

Make it a symbolic link and point it to the main file.

Like:
ln -s /www/server/nginx/conf /www/server/panel/vhost/nginx/nginx.conf

OR
ln -s /www/server/nginx/conf /etc/nginx/nginx.conf
[even fewer steps]

2 Likes

Sorry, I'm new to this and I don't get it. My base nginx.conf is in /www/server/nginx/conf, and I'm running my Wordpress site so from my panel I see that the configuration file is actually /www/server/panel/vhost/nginx/wordpress.local.conf.

Previously I reconfigured /www/server/nginx/conf/nginx.conf by mistake. I think I should make changes to wordpress.local.conf. How can ln -s /www/server/nginx/conf /www/server/panel/vhost/nginx/nginx.conf do the work?

You don't need to symbolic link anything, @rg305 overlooked the fact your Wordpress config file gets included from nginx.conf already.

You should run Certbot just like you did before, but before you do that this time, you need to add the hostnames of your site to your Wordpress configuration file instead of nginx.conf.

3 Likes

Thank you! I made it via my host company's instruction doc & its panel in the end.

1 Like
