A fresh noob needs help with their first certificate

you removed those lines as well, did you?

    ssl_certificate /etc/letsencrypt/live/vpn.exstasi.ovh/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vpn.exstasi.ovh/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vpn.exstasi.ovh/chain.pem;

put them back.

and

    include snippets/ssl.conf;

as well. (remove “preload” from the hsts header if you didn’t put it there yourself)

From where?
I told you, I am completely lost now.

Recognize this?

You should’ve removed one line. Not five. :smiley:

server {
    listen 943 ssl http2;
    server_name vpn.exstasi.ovh;

    ssl_certificate /etc/letsencrypt/live/vpn.exstasi.ovh/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vpn.exstasi.ovh/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vpn.exstasi.ovh/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    location / {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;

        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;

        proxy_redirect off;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
        send_timeout 10000;

        proxy_pass http://localhost:943;
        proxy_redirect http://localhost:943;
    }
}

(don’t worry, every noob screams at nginx at the beginning)

But I used to access the VPN without specifying the port, simply with http://vpn.exstasi.ovh
now http://vpn.exstasi.ovh redirects me to the nginx default page

it doesn’t. it tells you there’s an error, in this line

return 301 https://$host$request_uri:943;

edit it, return 301 https://${host}:943${request_uri};

I don’t get it; not working

server {
    listen 80;
    listen [::]:80;
    server_name vpn.exstasi.ovh;

    return 301 https://${host}:943${request_uri};

    location / {
        proxy_pass http://localhost:943/;
    }
}


server {
    listen 943 ssl http2;
    server_name vpn.exstasi.ovh;

    ssl_certificate /etc/letsencrypt/live/vpn.exstasi.ovh/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vpn.exstasi.ovh/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vpn.exstasi.ovh/chain.pem;
    include snippets/ssl.conf;

    location / {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;

        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;

        proxy_redirect off;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
        send_timeout 10000;

        proxy_pass http://localhost:943;
        proxy_redirect http://localhost:943;
    }
}

I'd remove this. I don't think it's supposed to do anything anyway.

line removed but still no luck
I am redirected to https://vpn.exstasi.ovh/:943 with a 404 Not Found

the return 301 line is your version or my version?

yours

server {
  listen 80;
  listen [::]:80;
  server_name vpn.exstasi.ovh;

  return 301 https://${host}:943${request_uri};

}


server {
    listen 943 ssl http2;
    server_name vpn.exstasi.ovh;

    ssl_certificate /etc/letsencrypt/live/vpn.exstasi.ovh/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vpn.exstasi.ovh/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vpn.exstasi.ovh/chain.pem;
    include snippets/ssl.conf;

    location / {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;

        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;

        proxy_redirect off;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
        send_timeout 10000;

        proxy_pass http://localhost:943;
        proxy_redirect http://localhost:943;
    }
}

check /var/log/nginx/error.log

I don’t know, maybe it needs return 301 "https://${host}:943${request_uri}";

master@vps726152:/etc/nginx/sites-available$ sudo tail /var/log/nginx/error.log
2020/03/24 12:48:29 [emerg] 664#664: bind() to 0.0.0.0:943 failed (98: Address already in use)
2020/03/24 12:48:29 [emerg] 664#664: still could not bind()
2020/03/24 12:51:32 [error] 12525#12525: *53255 upstream prematurely closed connection while reading response header from upstream, client: 151.29.206.125, server: vpn.exstasi.ovh, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:943/", host: "vpn.exstasi.ovh"
2020/03/24 12:54:21 [notice] 14724#14724: signal process started
2020/03/24 12:54:21 [emerg] 664#664: bind() to 0.0.0.0:943 failed (98: Address already in use)
2020/03/24 12:54:21 [emerg] 664#664: bind() to 0.0.0.0:943 failed (98: Address already in use)
2020/03/24 12:54:21 [emerg] 664#664: bind() to 0.0.0.0:943 failed (98: Address already in use)
2020/03/24 12:54:21 [emerg] 664#664: bind() to 0.0.0.0:943 failed (98: Address already in use)
2020/03/24 12:54:21 [emerg] 664#664: bind() to 0.0.0.0:943 failed (98: Address already in use)
2020/03/24 12:54:21 [emerg] 664#664: still could not bind()

Anyway, I tried again to run sudo certbot --nginx with media.exstasi.ovh, which was the initial purpose of my post, but I still have the same 404 error.

I have enough trying with no luck. I will reset my VPS and restart from scratch

wait. this error is because you have openvpn access server already listening on that port. you can easily solve it. just remove the nginx proxying and install the LE certificates in it too.

(or use openvpn community, I’d say)

Sorry but I do not understand.

  1. I wanted to install a certificate for media.exstasi.ovh
  2. I wanted to access the VPN admin page with vpn.exstasi.ovh

I am really confused now, so I think it is better for me to forget everything about it and restart everything step by step, or leave it like it is.

You want a certificate for media.exstasi.ovh and for vpn.exstasi.ovh on different ports with different software.

Just for ease of use, you have redirector on port 80 that allows you not to use port numbers.

You have to do two things:

  • decouple openvpn and nginx on ssl
  • install a certificate for vpn.exstasi.ovh into openvpn:

        certbot -a nginx -d vpn.exstasi.ovh --deploy-hook "/path/to/install_into_openvpn.sh"
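An added sketch of what that deploy hook could look like. This is not code from the thread, from certbot or from OpenVPN; the sacli path and the cs.cert / cs.priv_key / cs.ca_bundle settings are the ones OpenVPN's Access Server documentation describes for its web certificate, so treat them as an assumption to check against your version. Certbot runs deploy hooks as root, only after a successful issuance or renewal, and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) to them.

```shell
#!/bin/sh
# Added example: certbot deploy hook that loads the renewed Let's Encrypt
# certificate into OpenVPN Access Server instead of proxying it through nginx.
set -eu

# Assumed default location of the Access Server CLI; override with SACLI=... if needed.
SACLI=${SACLI:-/usr/local/openvpn_as/scripts/sacli}

# Print the commands that would be run for a lineage directory, one per line:
# chain.pem (intermediates) -> cs.ca_bundle, privkey.pem -> cs.priv_key,
# cert.pem (the leaf, not fullchain) -> cs.cert, then a service restart.
sacli_commands() {
    lineage=$1
    printf '%s --key cs.ca_bundle --value_file %s/chain.pem ConfigPut\n' "$SACLI" "$lineage"
    printf '%s --key cs.priv_key --value_file %s/privkey.pem ConfigPut\n' "$SACLI" "$lineage"
    printf '%s --key cs.cert --value_file %s/cert.pem ConfigPut\n' "$SACLI" "$lineage"
    printf '%s start\n' "$SACLI"
}

# Refuse to touch the VPN config unless all three files are readable; a half
# installed key/cert pair would take the admin UI down.
check_lineage() {
    for f in chain.pem privkey.pem cert.pem; do
        [ -r "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
}

# Run (or, with DRY_RUN=1, only print) the commands for one lineage directory.
# The key stays root-only under /etc/letsencrypt; sacli reads it, we never copy it.
install_into_openvpn() {
    check_lineage "$1"
    sacli_commands "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Only act when certbot invoked us; it sets RENEWED_LINEAGE for deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_into_openvpn "$RENEWED_LINEAGE"
fi
```

Dry-run it once by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/vpn.exstasi.ovh DRY_RUN=1 sh install_into_openvpn.sh` before pointing `--deploy-hook` at it; the `-a nginx` authenticator still needs nginx answering on port 80 for vpn.exstasi.ovh, which the port-80 redirect server in this thread provides.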

Thanks but I will stop there… I can no longer access my VPN with the IP address, for example. Everything seems to be broken.

stop, relax. find all listen 943 directives in nginx and change that number, 944 should be fine. then reboot the machine.

thanks a lot but i am done with it for now.

that’s because your nginx config is seriously messed up and nginx and openvpnas fight for control over port 943.

don’t worry too much. you’ll get the config you want, but it takes time and calm. you won’t get there copypasting random tutorials.
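The "bind() to 0.0.0.0:943 failed (98: Address already in use)" lines in the error log are exactly the nginx/openvpnas fight described above. As an added example (mine, not from the thread), here is a small POSIX sh check that lists every port nginx is told to `listen` on and reports the ones another process already holds, using constructed sample config and `ss -ltnp` output so it runs offline; the process names in the sample are stand-ins. It is the scripted version of "find all listen 943 directives", and it also catches any other port that collides:

```shell
#!/bin/sh
# Added example: spot nginx "listen" ports that another daemon already owns,
# before the error log tells you "bind() ... Address already in use".

# Constructed sample site config in the shape of the one in this thread
# (943 is the port OpenVPN Access Server's web UI uses by default).
SAMPLE_NGINX_CONF='server {
    listen 80;
    listen [::]:80;
    server_name vpn.exstasi.ovh;
}
server {
    listen 943 ssl http2;
    server_name vpn.exstasi.ovh;
}'

# Constructed sample of "ss -H -ltnp" output; process names are stand-ins.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:943 0.0.0.0:* users:(("openvpnas",pid=812,fd=5))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=664,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=400,fd=3))'

# Read nginx config text on stdin, print each distinct port named in a
# "listen" directive ("listen 943 ssl http2;" -> 943, "listen [::]:80;" -> 80).
nginx_listen_ports() {
    sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}\([^;]*\);.*/\1/p' |
        awk '{ n = split($1, a, ":"); print a[n] }' | sort -u
}

# Read ss output on stdin, print the first process name bound to port $1
# (prints nothing if no socket listens there).
port_owner() {
    awk -v p="$1" '$4 ~ (":" p "$") {
        if (match($0, /\("[^"]+"/)) print substr($0, RSTART + 2, RLENGTH - 3)
        exit
    }'
}

# Compare config text ($1) with ss output ($2): print one line per port that
# nginx wants but some other program holds. Returns 1 if there is any conflict.
find_conflicts() {
    conf=$1; ss_out=$2; rc=0
    for port in $(printf '%s\n' "$conf" | nginx_listen_ports); do
        owner=$(printf '%s\n' "$ss_out" | port_owner "$port")
        case "$owner" in
            ""|nginx) ;;   # free, or already held by nginx itself
            *) echo "port $port: nginx wants it but '$owner' already listens there"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Live use on the box (as root, so ss can show process names):
#   sh listen_conflicts.sh --live
if [ "${1:-}" = "--live" ]; then
    find_conflicts "$(cat /etc/nginx/sites-enabled/*)" "$(ss -H -ltnp)"
fi
```

On the sample data it prints `port 943: nginx wants it but 'openvpnas' already listens there`, which is the decision point in this thread: either move nginx off 943 (the 944 suggestion) or drop the nginx vhost and let OpenVPN serve its own certificate.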

removing vpn from nginx worked
I was able to install a certificate on media but now I am facing another challenge
I can’t access any of the apps behind muximux because they are not served with https
I am going crazy !!!