404 on new cert after switching to certbot


#1

I switched from letsencrypt to certbot after receiving a fine e-mail that said I had to move away from TLS-SNI-01. Eventhough I don’t have any active domains that use this method - I only had one that is currently running out as apparently I’m too lazy to revoke it, I decided to change nontheless.

I then proceeded to follow this guide: How to stop using TLS-SNI-01 with Certbot

Everything went smooth, however, I haven’t removed letsencrypt from my server yet.
I then proceeded to make a new certificate for a new Mastodon instance that I plan to run. The guide mentioned that I could use the nginx-plugin, so I installed that along with certbot.

For my new certificate I then ran this command: $ certbot --nginx certonly --rsa-key-size 4096 -d domain where domain is irellevant in this context. Again, everything went smooth, but I noticed that I was asked if I wanted to redirect http to https. I chose n, as I’m used to handle this in my nginx configs.

After making the new nginx config file, inserting the paths for the new certificate, I then notice something odd that I’ve never seen before when handling nginx configs - unless I broke something myself. I get the error nginx: [warn] conflicting server name "domain" on 0.0.0.0:443, ignored when I run $ nginx -t to check for syntax errors. I’ve quadrouple checked the config and I don’t have server_name more than once in the two server-blocks I have - one for :80 that redirects to :443 as per usual.

I now also notice that no matter that I set the root to in my nginx config for this domain, I get a 404.

So I’m wondering if certbot does something different compared to letsencrypt and places a broken nginx config file somewhere? I can’t see anything included in the default nginx.conf, or any of the other nginx configs I have.

This is really annoying. I hope you guys can help.

Thanks,


#2

Hi @moso

what’s your domain name?

And share your main config file.


#3

Even though I don’t see how my domain name is relevant, it’s mastodon.moso.io.
In the meantime I’ve tried revoking it, but now I can’t restart my nginx server as the certificate is missing, which just confirms tha there’s a bogus config somewhere.

Nginx config:

user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 1024;
        multi_accept on;
        use epoll;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_tokens off;
        autoindex off;

        server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for" '
                        '"$host" sn="$server_name" '
                        'rt=$request_time '
                        'ua="$upstream_addr" us="$upstream_status" '
                        'ut="$upstream_response_time" ul="$upstream_response_length" '
                        'cs=$upstream_cache_status' ;

        access_log /var/log/nginx/access.log main;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

There are no active modules in /etc/nginx/modules-enabled - it’s full of .conf.removed-files.

Inside /etc/nginx/conf.d/ is a default.conf that doesn’t bring any leads as this is basically just an empty config file with some standard settings in it.

And /etc/nginx/sites-enabled is where I symlink my configs from /etc/nginx/sites-available to, and doesn’t contain any non-symlinks (ls -la).


#4

A second set of eyes might see more, please show this file too.

Also show:
grep -Eri 'listen|server_name|ssl_cert' /etc/nginx/sites-enabled/
grep -Ei 'listen|server_name|ssl_cert' /etc/nginx/*


closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.