-----END CERTIFICATE-----
[Sat Aug 10 12:33:55 CEST 2019] Your cert is in /home/marco/.acme.sh/ggc.world/ggc.world.cer
[Sat Aug 10 12:33:55 CEST 2019] Your cert key is in /home/marco/.acme.sh/ggc.world/ggc.world.key
[Sat Aug 10 12:33:55 CEST 2019] v2 chain.
[Sat Aug 10 12:33:55 CEST 2019] The intermediate CA cert is in /home/marco/.acme.sh/ggc.world/ca.cer
[Sat Aug 10 12:33:55 CEST 2019] And the full chain certs is there: /home/marco/.acme.sh/ggc.world/fullchain.cer
[Sat Aug 10 12:33:55 CEST 2019] _on_issue_success
If you haven’t been using acme.sh as root, I think you should probably start again doing everything as root. Otherwise you’re going to need to do some extra configuration with /etc/sudoers to allow your current user to reload nginx automatically.
marco@pc:~/acme.sh$ sudo ./acme.sh --install-cert -d ggc.world --key-file /home/marco/.acme.sh/ggc.world/ggc.world.key --fullchain-file /home/marco/.acme.sh/ggc.world/fullchain.cer --reloadcmd "service nginx force-reload"
[Sat Aug 10 12:48:12 CEST 2019] Installing key to:/home/marco/.acme.sh/ggc.world/ggc.world.key
[Sat Aug 10 12:48:12 CEST 2019] Installing full chain to:/home/marco/.acme.sh/ggc.world/fullchain.cer
[Sat Aug 10 12:48:12 CEST 2019] Run reload cmd: service nginx force-reload
[Sat Aug 10 12:48:12 CEST 2019] Reload success
marco@pc:~/acme.sh$
The point of --key-file and --fullchain-file is to install your certificates to another location.
The paths I chose for you were based on your nginx configuration.
The paths you chose just overwrote the originals with themselves.
I am also really not convinced that using sudo ./acme.sh is gonna work out for you in the long run. It is not going to work from cron. I would suggest avoiding the non-root approach.
marco@pc:~/acme.sh$ sudo ./acme.sh --install-cert -d ggc.world \
> --key-file /etc/ssl/private/domain.key \
> --fullchain-file /etc/ssl/certs/chained.pem \
> --reloadcmd "service nginx force-reload"
[Sat Aug 10 12:54:53 CEST 2019] Installing key to:/etc/ssl/private/domain.key
[Sat Aug 10 12:54:53 CEST 2019] Installing full chain to:/etc/ssl/certs/chained.pem
[Sat Aug 10 12:54:53 CEST 2019] Run reload cmd: service nginx force-reload
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
[Sat Aug 10 12:54:53 CEST 2019] Reload error for :
I then modified
marco@pc:/etc/nginx/conf.d$ systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) (Result: exit-code) since Sat 2019-08-10 10:45:34 CEST; 2h 11min ago
Docs: man:nginx(8)
Process: 9674 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=1/FAILURE)
Main PID: 1012 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─1012 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─9527 nginx: worker process
├─9528 nginx: worker process
├─9529 nginx: worker process
├─9530 nginx: worker process
├─9531 nginx: worker process
├─9532 nginx: worker process
├─9533 nginx: worker process
└─9534 nginx: worker process
Aug 10 12:56:52 pc systemd[1]: nginx.service: Control process exited, code=exited status=1
Aug 10 12:56:52 pc systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
Aug 10 12:57:11 pc systemd[1]: Reloading A high performance web server and a reverse proxy server.
Aug 10 12:57:11 pc nginx[9664]: nginx: [emerg] PEM_read_bio_X509_AUX("/etc/ssl/certs/chained.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
Aug 10 12:57:11 pc systemd[1]: nginx.service: Control process exited, code=exited status=1
Aug 10 12:57:11 pc systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
Aug 10 12:57:22 pc systemd[1]: Reloading A high performance web server and a reverse proxy server.
Aug 10 12:57:22 pc nginx[9674]: nginx: [emerg] PEM_read_bio_X509_AUX("/etc/ssl/certs/chained.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
Aug 10 12:57:22 pc systemd[1]: nginx.service: Control process exited, code=exited status=1
Aug 10 12:57:22 pc systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
marco@pc:/etc/nginx/conf.d$
PS: I also modified the port in /etc/nginx/conf.d/default.conf
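A structural pre-flight for the files given to `--key-file` and `--fullchain-file`, as an added example that is not part of the original thread or of acme.sh: the `no start line` error in the log above means OpenSSL found no `-----BEGIN CERTIFICATE-----` header in the file nginx was told to load. The function names, return codes and sample files are assumptions constructed for illustration; the check is structural only and does not verify signatures or that the key matches the certificate.

```shell
#!/bin/sh
# Added example: structural pre-flight for installed certificate files.
# check_fullchain FILE -> 0 ok, 1 missing/empty, 2 no start line,
#                         3 BEGIN/END mismatch, 4 leaf only (no intermediate)
check_fullchain() {
    f=$1
    [ -s "$f" ] || return 1
    # The first non-blank line must be the PEM header OpenSSL looks for.
    first=$(grep -v '^[[:space:]]*$' "$f" | head -n 1 | tr -d '\r')
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || return 2
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -eq "$ends" ] || return 3
    [ "$begins" -ge 2 ] || return 4
    return 0
}

# check_key_mode FILE -> 0 only if group and other have no permission bits.
check_key_mode() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# preflight FULLCHAIN KEY -> 0 only if both checks pass; reports why otherwise.
preflight() {
    check_fullchain "$1" || { rc=$?; echo "fullchain check failed (code $rc): $1" >&2; return "$rc"; }
    check_key_mode "$2" || { echo "key missing or readable by group/other: $2" >&2; return 5; }
}

# Constructed sample files: PEM-shaped placeholders, not real certificates.
make_samples() {
    d=$1
    block='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----'
    printf '%s\n%s\n' "$block" "$block" > "$d/good.pem"
    printf '%s\n' "$block" > "$d/leaf_only.pem"
    printf 'not a certificate\n' > "$d/garbage.pem"
    : > "$d/empty.pem"
    : > "$d/key_ok";   chmod 600 "$d/key_ok"
    : > "$d/key_open"; chmod 644 "$d/key_open"
}
```

Running `preflight` on the installed paths and then `nginx -t` before the reload command catches a bad file before nginx is asked to load it.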
@_az I entered as root (su -) and reinstalled as root acme.sh:
root@pc:~/acme.sh# apt-get install socat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed
socat
0 to upgrade, 1 to newly install, 0 to remove and 7 not to upgrade.
Need to get 342 kB of archives.
After this operation, 1,034 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu bionic/main amd64 socat amd64 1.7.3.2-2ubuntu2 [342 kB]
Fetched 342 kB in 10s (33.5 kB/s)
Selecting previously unselected package socat.
(Reading database ... 116435 files and directories currently installed.)
Preparing to unpack .../socat_1.7.3.2-2ubuntu2_amd64.deb ...
Unpacking socat (1.7.3.2-2ubuntu2) ...
Setting up socat (1.7.3.2-2ubuntu2) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
root@pc:~/acme.sh# ./acme.sh --install
[Sat 10 Aug 13:18:50 CEST 2019] Installing to /root/.acme.sh
[Sat 10 Aug 13:18:50 CEST 2019] Installed to /root/.acme.sh/acme.sh
[Sat 10 Aug 13:18:50 CEST 2019] Installing alias to '/root/.bashrc'
[Sat 10 Aug 13:18:50 CEST 2019] OK, Close and reopen your terminal to start using acme.sh
[Sat 10 Aug 13:18:50 CEST 2019] Installing cron job
23 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat 10 Aug 13:18:50 CEST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sat 10 Aug 13:18:50 CEST 2019] OK
root@pc:~/acme.sh#
acme.sh automatically sets up a cronjob when you first install it. Any certificates it manages will be automatically renewed. You should be able to see it in the root user’s cron: