All renewal attempts failed. The following certs could not be renewed: (failure)

Hello,

My SSL certificate has expired and I want to renew it. I'm trying to renew it with this command:

certbot renew --dry-run

but it gives me the error below.

My domain is: meeting.thegatewaydigital.in

I ran this command:
certbot renew --dry-run

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/meeting.thegatewaydigital.in.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for meeting.thegatewaydigital.in
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on [::]:80, ignored
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on [::]:443, ignored
Waiting for verification...
Cleaning up challenges
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on [::]:80, ignored
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on [::]:443, ignored
Attempting to renew cert (meeting.thegatewaydigital.in) from /etc/letsencrypt/renewal/meeting.thegatewaydigital.in.conf produced an unexpected error: Failed authorization procedure. meeting.thegatewaydigital.in (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: : Invalid response from http://meeting.thegatewaydigital.in/.well-known/acme-challenge/wMU7PzzUYjouf--RF-C7cYDk6Bb5ie1pqvzuIWm4wzk: 502. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
```

My web server is (include version): Nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Can anyone help me with this, please?

Worth updating certbot if you can, but the problem is that your web application is intercepting the request to http://meeting.thegatewaydigital.in/.well-known/acme-challenge/wMU7PzzUYjouf--RF-C7cYDk6Bb5ie1pqvzuIWm4wzk: instead of letting it pass through to the file system (where certbot is presumably writing the file). So in general you need a location rule to allow /.well-known/acme-challenge through. I believe current versions of certbot will configure such a thing in nginx, but I don't know for sure. People often have to set this up themselves.

Your versions of Ubuntu, nginx and certbot are all old, so you should strongly consider moving your application to current versions if you can.

4 Likes

Thanks for the quick response @webprofusion

I have a location rule in my Nginx config; the details are below:

```
server_tokens off;

server {
  listen 80;
  listen [::]:80;
  server_name meeting.thegatewaydigital.in;

  return 301 https://$server_name$request_uri; #redirect HTTP to HTTPS

}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name meeting.thegatewaydigital.in;

  # ssl_certificate /etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem;
  # ssl_certificate_key /etc/letsencrypt/live/meeting.thegatewaydigital.in/privkey.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  # HSTS (comment out to enable)
  #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  access_log  /var/log/nginx/bigbluebutton.access.log;

  location / {
    root   /var/www/bigbluebutton-default;
    index  index.html index.htm;
    expires 1m;
  }

  location /.well-known/acme-challenge/ {
    root /var/www/bigbluebutton-default/.well-known/acme-challenge;
  }

  # Include specific rules for record and playback
  include /etc/bigbluebutton/nginx/*.nginx;
}
```
1 Like

I think (?) your rule only matches the server on port 443 (https), whereas you need it to work for http.

3 Likes
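To make the two diagnoses above concrete (the port-80 block redirects every request before any location is consulted, and the challenge location exists only in the port-443 block), here is an added example, not code from this thread, from certbot or from BigBlueButton: a small Python model of nginx's request routing run against an abridged copy of the posted config and against a suggested port-80 block. The `TOKEN` placeholder, the `FIXED` block and the assumption that certbot's webroot is /var/www/bigbluebutton-default are mine.

```python
import re

CHALLENGE_URI = "/.well-known/acme-challenge/TOKEN"   # placeholder token

# Abridged copy of the posted config (constructed from the thread; TLS and
# IPv6 directives dropped because they do not change the routing).
POSTED = """
server {
  listen 80;
  server_name meeting.thegatewaydigital.in;
  return 301 https://$server_name$request_uri; #redirect HTTP to HTTPS
}
server {
  listen 443 ssl http2;
  server_name meeting.thegatewaydigital.in;
  location /.well-known/acme-challenge/ {
    root /var/www/bigbluebutton-default/.well-known/acme-challenge;
  }
}
"""

# Suggested port-80 block (assumes certbot writes challenges under
# /var/www/bigbluebutton-default): challenges are served over plain HTTP and
# the redirect moves into `location /`, so it no longer fires before matching.
FIXED = """
server {
  listen 80;
  server_name meeting.thegatewaydigital.in;
  location /.well-known/acme-challenge/ {
    root /var/www/bigbluebutton-default;
  }
  location / {
    return 301 https://$server_name$request_uri;
  }
}
"""


def parse(text):
    """Parse nginx config text into nested (name, args, children) tuples."""
    toks = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r"#[^\n]*", "", text))

    def block(i):
        items = []
        while i < len(toks) and toks[i] != "}":
            j = i
            while toks[j] not in ("{", ";"):
                j += 1
            name, args = toks[i], toks[i + 1:j]
            if toks[j] == "{":
                children, j = block(j + 1)          # j ends on the closing '}'
                items.append((name, args, children))
            else:
                items.append((name, args, None))
            i = j + 1
        return items, i

    return block(0)[0]


def _return_of(directives):
    for name, args, _ in directives:
        if name == "return":
            return ("redirect", args[1]) if len(args) == 2 else ("status", args[0])
    return None


def route(config_text, port, uri):
    """What nginx does with `uri` on `port`: ('redirect', target),
    ('status', code), ('file', path) or ('none', None)."""
    for name, _a, body in parse(config_text):
        if name != "server":
            continue
        if str(port) not in {a[0].rsplit(":", 1)[-1] for n, a, _ in body if n == "listen"}:
            continue
        # A server-level return runs in the server-rewrite phase, before any
        # location is chosen, so it beats every location in this server.
        if (hit := _return_of(body)) is not None:
            return hit
        best = None                                   # longest matching prefix wins
        for n, a, loc in body:
            if n != "location" or a[0] in ("=", "~", "~*", "^~"):
                continue                              # exact/regex forms not modelled
            if uri.startswith(a[0]) and (best is None or len(a[0]) > len(best[0])):
                best = (a[0], loc)
        if best is None:
            return ("none", None)
        prefix, loc = best
        if (hit := _return_of(loc)) is not None:
            return hit
        alias = next((a[0] for n, a, _ in loc if n == "alias"), None)
        if alias is not None:                         # alias replaces the matched prefix
            return ("file", alias + uri[len(prefix):])
        root = next((a[0] for n, a, _ in loc if n == "root"),
                    next((a[0] for n, a, _ in body if n == "root"), None))
        return ("file", root + uri) if root else ("none", None)   # root keeps the full URI
    return ("none", None)


if __name__ == "__main__":
    for label, cfg, port in (("posted", POSTED, 80), ("posted", POSTED, 443), ("fixed", FIXED, 80)):
        print(f"{label} config, port {port}: {route(cfg, port, CHALLENGE_URI)}")
```

The model also surfaces a second defect in the posted challenge location: because `root` appends the full request URI, nginx looks for the token under .../.well-known/acme-challenge/.well-known/acme-challenge/, so the directory given to `root` should be the webroot itself (or use `alias` with the challenge directory).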

Visiting http://meeting.thegatewaydigital.in directly results in some error page from a proxy server other than nginx. You'll need to fix this first.

4 Likes

It was giving an error because I had commented out the SSL certificate path in the nginx config. Can you please check now?

I'm getting a 404 error for this URL:

http://meeting.thegatewaydigital.in/.well-known/acme-challenge/hL79f0iQeuIldH-wSws6H3xiug2xIFTR7OVXvfTzYNo:

I still get the proxy error on the home page.

2 Likes

Can you please try to open it on Firefox or Brave Browser?

It gives 404 error.

Have you fixed this problem yet? If not, please show result of this command so we can help resolve it: nginx -T. Please put 3 backtick characters before and after the output like this:
```
output of: nginx -T
```

3 Likes

Here is the output of nginx -T:

nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on [::]:80, ignored
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "meeting.thegatewaydigital.in" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

worker_rlimit_nofile 10000;

events {
	worker_connections 4000;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/bbb-html5-loadbalancer.conf:
upstream poolhtml5servers {
  zone poolhtml5servers 32k;
  least_conn;
  server 127.0.0.1:4100 fail_timeout=5s max_fails=3;
  server 127.0.0.1:4101 fail_timeout=5s max_fails=3;
  server 127.0.0.1:4102 fail_timeout=5s max_fails=3;
  server 127.0.0.1:4103 fail_timeout=5s max_fails=3;
  server 127.0.0.1:4104 fail_timeout=5s max_fails=3;
  server 127.0.0.1:4105 fail_timeout=5s max_fails=3;
  server 127.0.0.1:4106 fail_timeout=5s max_fails=3;
  server 127.0.0.1:4107 fail_timeout=5s max_fails=3;
}


# configuration file /etc/nginx/sites-enabled/bigbluebutton:
server_tokens off;

server {
  listen 80;
  listen [::]:80;
  server_name meeting.thegatewaydigital.in;

  return 301 https://$server_name$request_uri; #redirect HTTP to HTTPS

}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name meeting.thegatewaydigital.in;

   ssl_certificate /etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/meeting.thegatewaydigital.in/privkey.pem;
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout 10m;
   ssl_protocols TLSv1.2 TLSv1.3;
  # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384$
   ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
   ssl_dhparam /etc/nginx/ssl/dhp-4096.pem;

    # HSTS (comment out to enable)
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  access_log  /var/log/nginx/bigbluebutton.access.log;
  location / {
    root   /var/www/bigbluebutton-default;
    index  index.html index.htm;
    expires 1m;
  }

  location /.well-known/acme-challenge/ {
    root /var/www/bigbluebutton-default/.well-known/acme-challenge;
  }

  # Include specific rules for record and playback
  include /etc/bigbluebutton/nginx/*.nginx;
}

# configuration file /etc/bigbluebutton/nginx/bbb-html5.nginx:
location @html5client {
  # proxy_pass http://127.0.0.1:4100; # use for development
  proxy_pass http://poolhtml5servers; # use for production
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "Upgrade";
}

location /html5client/locales {
  alias /usr/share/meteor/bundle/programs/web.browser/app/locales;
}

location /html5client/compatibility {
  alias /usr/share/meteor/bundle/programs/web.browser/app/compatibility;
}

location /html5client/resources {
  alias /usr/share/meteor/bundle/programs/web.browser/app/resources;
}

location /html5client/svgs {
  alias /usr/share/meteor/bundle/programs/web.browser/app/svgs;
}

location /html5client/fonts {
  alias /usr/share/meteor/bundle/programs/web.browser/app/fonts;
}

location /html5client/wasm {
  types {
    application/wasm wasm;
  }
  gzip_static on;
  alias /usr/share/meteor/bundle/programs/web.browser/app/wasm;
}

location /html5client {
  gzip_static on;
  alias /usr/share/meteor/bundle/programs/web.browser;
  try_files $uri @html5client;
}


# configuration file /etc/bigbluebutton/nginx/demo.nginx:
         # Forward request to /demo to tomcat.  This is for
         # the BigBlueButton api demos.
       location /demo {
           proxy_pass         http://127.0.0.1:8080;
           proxy_redirect     default;
           proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

        # Allow 30M uploaded presentation document.
           client_max_body_size       30m;
           client_body_buffer_size    128k;

           proxy_connect_timeout      90;
           proxy_send_timeout         90;
           proxy_read_timeout         90;

           proxy_buffer_size          4k;
           proxy_buffers              4 32k;
           proxy_busy_buffers_size    64k;
           proxy_temp_file_write_size 64k;

           include    fastcgi_params;
       }


# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/bigbluebutton/nginx/greenlight-redirect.nginx:
location = / {
  return 307 /b;
}

# configuration file /etc/bigbluebutton/nginx/greenlight.nginx:
# Routes requests to Greenlight based on the '/b' prefix.
# Use this file to route '/b' paths on your BigBlueButton server
# to the Greenlight application. If you are using a different
# subpath, you should change it here.

location /b {
  proxy_pass          http://127.0.0.1:5000;
  proxy_set_header    Host              $host;
  proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
  proxy_set_header    X-Forwarded-Proto $scheme;
  proxy_http_version  1.1;
}

location /b/cable {
  proxy_pass          http://127.0.0.1:5000;
  proxy_set_header    Host              $host;
  proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
  proxy_set_header    X-Forwarded-Proto $scheme;
  proxy_set_header    Upgrade           $http_upgrade;
  proxy_set_header    Connection        "Upgrade";
  proxy_http_version  1.1;
  proxy_read_timeout  6h;
  proxy_send_timeout  6h;
  client_body_timeout 6h;
  send_timeout        6h;
}

# Allow larger body size for uploading presentations
location ~ /preupload_presentation$ {
  client_max_body_size 30m;

  proxy_pass          http://127.0.0.1:5000;
  proxy_set_header    Host              $host;
  proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
  proxy_set_header    X-Forwarded-Proto $scheme;
  proxy_http_version  1.1;
}

# Only needed if using presentations and deployed at a relative root (ex "/b")
# If deploying at "/", delete the section below

location /rails/active_storage {
  return 301 /b$request_uri;
}

# configuration file /etc/bigbluebutton/nginx/learning-dashboard.nginx:
location /learning-analytics-dashboard/ {
    alias /var/bigbluebutton/learning-dashboard/;
    autoindex off;
}


# configuration file /etc/bigbluebutton/nginx/loadbalancer.nginx:
# If you run this BBB node behind a proxy loadbalancer set the hostname of
# the loadbalancer here. This will be used to add CORS headers so requesting
# slides and API calls won't fail
set $bbb_loadbalancer_node '';

# configuration file /etc/bigbluebutton/nginx/notes.nginx:
# https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy
location /pad/p/ {
    rewrite /pad/p/(.*) /p/$1 break;
    rewrite ^/pad/p$ /pad/p/ permanent;
    proxy_pass http://127.0.0.1:9001/p;
    proxy_pass_header Server;
    proxy_redirect /p /pad/p;
    proxy_set_header Host $host;
    proxy_buffering off;

    proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
    proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
    proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
    proxy_http_version 1.1;

    auth_request /bigbluebutton/connection/validatePad;
    auth_request_set $auth_status $upstream_status;
}

location /pad {
    rewrite /pad/(.*) /$1 break;
    rewrite ^/pad$ /pad/ permanent;
    proxy_pass http://127.0.0.1:9001/;
    proxy_pass_header Server;
    proxy_redirect / /pad/;
    proxy_set_header Host $host;
    proxy_buffering off;
}

location /pad/socket.io/socket.io.js {
    rewrite /pad/socket.io/socket.io.js /socket.io/socket.io.js break;
    proxy_pass http://127.0.0.1:9001/;
    proxy_set_header Host $host;
    proxy_buffering off;
}

location /pad/socket.io {
    rewrite /pad/socket.io/(.*) /socket.io/$1 break;
    proxy_pass http://127.0.0.1:9001/;
    proxy_redirect / /pad/;
    proxy_set_header Host $host;
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
    proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
    proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
    proxy_set_header Host $host;  # pass the host header
    proxy_http_version 1.1;  # recommended with keepalive connections
    # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";

    auth_request /bigbluebutton/connection/checkAuthorization;
    auth_request_set $auth_status $upstream_status;
}

location /static {
    rewrite /static/(.*) /static/$1 break;
    proxy_pass http://127.0.0.1:9001/;
    proxy_set_header Host $host;
    proxy_buffering off;
}

# configuration file /etc/bigbluebutton/nginx/playback.nginx:
location /playback/presentation/2.3 {
  root /var/bigbluebutton;
  try_files $uri /playback/presentation/2.3/index.html;
}

# configuration file /etc/bigbluebutton/nginx/presentation-slides.nginx:
#
# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
#
# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
#
# This program is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free Software
# Foundation; either version 3.0 of the License, or (at your option) any later
# version.
#
# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License along
# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
#

# Have nginx serve the presentation slides instead of tomcat as large files
# causes tomcat to OOM. (ralam sept 20, 2018)

        location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/svg\/(?<page_num>\d+)$ {
		default_type image/svg+xml;
                alias    /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/svgs/slide$page_num.svg;
                if ($bbb_loadbalancer_node) {
                    add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
                }
        }

        location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/slide\/(?<page_num>\d+)$ {
                alias    /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/slide-$page_num.swf;
                if ($bbb_loadbalancer_node) {
                    add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
                }
        }

        location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/thumbnail\/(?<page_num>\d+)$ {
		default_type image/png;
                alias    /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/thumbnails/thumb-$page_num.png;
                if ($bbb_loadbalancer_node) {
                    add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
                }
        }

        location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/textfiles\/(?<page_num>\d+)$ {
		default_type text/plain;
                alias    /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/textfiles/slide-$page_num.txt;
                if ($bbb_loadbalancer_node) {
                    add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
                }
        }



# configuration file /etc/bigbluebutton/nginx/presentation.nginx:
#
# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
#
# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
#
# This program is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free Software
# Foundation; either version 3.0 of the License, or (at your option) any later
# version.
#
# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License along
# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
#

        location /playback/presentation/playback.html {
                return 301 /playback/presentation/0.81/playback.html?$query_string;
                # If you have recordings from 0.9.0 beta versions and are sure
                # that you will never want to play recordings made with
                # BigBlueButton 0.81, comment the line above and uncomment the
                # following line:
                #return 301 /playback/presentation/0.9.0/playback.html?$query_string;
        }

        location /playback/presentation/2.0/playback.html {
                return 301 /playback/presentation/2.3/$arg_meetingId?$query_string;
        }

        location /playback/presentation {
                root    /var/bigbluebutton;
                index  index.html index.htm;
        }

        location /presentation {
                root    /var/bigbluebutton/published;
                index  index.html index.htm;
        }

# configuration file /etc/bigbluebutton/nginx/sip.nginx:
location /ws {
        proxy_pass https://10.0.0.199:7443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 6h;
        proxy_send_timeout 6h;
        client_body_timeout 6h;
        send_timeout 6h;

	auth_request /bigbluebutton/connection/checkAuthorization;
	auth_request_set $auth_status $upstream_status;
}


# configuration file /etc/bigbluebutton/nginx/web.nginx:
	# Handle request to bbb-web running within a SpringBoot Tomcat embedded servlet container.  This is for BBB-API and Presentation.
	location /bigbluebutton {
		proxy_http_version 1.1;

		location /bigbluebutton {
			proxy_pass         http://127.0.0.1:8090;
	       		proxy_redirect     default;
        	        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

                    # Workaround IE refusal to set cookies in iframe
                    add_header P3P 'CP="No P3P policy available"';
                    if ($bbb_loadbalancer_node) {
                        add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
                        add_header 'Access-Control-Allow-Credentials' 'true' always;
                    }
		}


		location ~ "^\/bigbluebutton\/presentation\/(?<prestoken>[a-zA-Z0-9_-]+)/upload$" {
			# Grails can't handle CORS OPTION preflight requests correctly -> lets do this in nginx
			if ($request_method = 'OPTIONS') {
				add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
				add_header 'Access-Control-Allow-Credentials' 'true' always;
				add_header 'Content-Type' 'text/plain; charset=utf-8';
				add_header 'Content-Length' 0;
				return 204;
			}
			proxy_pass         http://127.0.0.1:8090;
			proxy_redirect     default;
			proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

			# Workaround IE refusal to set cookies in iframe
			add_header P3P 'CP="No P3P policy available"';
			if ($bbb_loadbalancer_node) {
				add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
				add_header 'Access-Control-Allow-Credentials' 'true' always;
			}

			# high limit for presentation as bbb-web will reject upload if larger than configured
			client_max_body_size       1000m;
			client_body_buffer_size    128k;

			proxy_connect_timeout      90;
			proxy_send_timeout         90;
			proxy_read_timeout         90;

		        proxy_buffer_size          4k;
		        proxy_buffers              4 32k;
		        proxy_busy_buffers_size    64k;
		        proxy_temp_file_write_size 64k;

		        include    fastcgi_params;

			proxy_request_buffering off;

			# Send a sub-request to allow bbb-web to refuse before loading
			# If file is larger than configured bbb-web will return with code 403 and Header: x-file-too-large = 1
			auth_request /bigbluebutton/presentation/checkPresentation;
			error_page 403 = @error403;
			auth_request_set $file_too_large_header $upstream_http_x_file_too_large;

		}

		location /bigbluebutton/presentation/download {
			return 404;
		}

		location ~ "^/bigbluebutton/presentation/download\/[0-9a-f]+-[0-9]+/[0-9a-f]+-[0-9]+$" {
			if ($arg_presFilename !~ "^[0-9a-f]+-[0-9]+\.[0-9a-zA-Z]+$") {
				return 404;
			}
			proxy_pass         http://127.0.0.1:8090$uri$is_args$args;
			proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
			# Workaround IE refusal to set cookies in iframe
			add_header P3P 'CP="No P3P policy available"';
			if ($bbb_loadbalancer_node) {
				add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
			}
		}

		location = /bigbluebutton/presentation/checkPresentation {
			proxy_pass         http://127.0.0.1:8090;
	       		proxy_redirect     default;
        	        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

			proxy_set_header        X-Presentation-Token $prestoken;
			proxy_set_header        X-Original-URI $request_uri;
			proxy_set_header	Content-Length "";
			proxy_set_header	X-Original-Content-Length $http_content_length;

			# high limit for presentation as bbb-web will reject upload if larger than configured
			client_max_body_size       1000m;
			client_body_buffer_size    128k;

			proxy_pass_request_body off;
			proxy_request_buffering off;

		}

		# To check connection authentication, include:
		#   auth_request /bigbluebutton/connection/checkAuthorization;
		#   auth_request_set $auth_status $upstream_status;
		#
		# and make sure to add sessionToken param in the request URI
		location = /bigbluebutton/connection/checkAuthorization {
			internal;
			proxy_pass               http://127.0.0.1:8090;
			proxy_pass_request_body  off;
			proxy_set_header         Content-Length "";
			proxy_set_header         X-Original-URI $request_uri;
		}

		location = /bigbluebutton/connection/legacyCheckAuthorization {
			internal;
			proxy_pass               http://127.0.0.1:8090;
			proxy_pass_request_body  off;
			proxy_set_header         Content-Length "";
			proxy_set_header         X-Original-URI $request_uri;
		}

		location = /bigbluebutton/connection/validatePad {
			internal;
			proxy_pass               http://127.0.0.1:8090;
			proxy_pass_request_body  off;
			proxy_set_header         Content-Length "";
			proxy_set_header         X-Original-URI $request_uri;
		}

        location ~ "^/bigbluebutton\/textTrack\/(?<textTrackToken>[a-zA-Z0-9]+)\/(?<recordId>[a-zA-Z0-9_-]+)\/(?<textTrack>.+)$" {
            # Workaround IE refusal to set cookies in iframe
            add_header P3P 'CP="No P3P policy available"';
            if ($bbb_loadbalancer_node) {
                add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
            }

            # Allow 30M uploaded presentation document.
            client_max_body_size       30m;
            client_body_buffer_size    128k;

            proxy_connect_timeout      90;
            proxy_send_timeout         90;
            proxy_read_timeout         90;

            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;

            include    fastcgi_params;

            proxy_request_buffering off;

            # Send a sub-request to allow bbb-web to refuse before loading
            auth_request /bigbluebutton/textTrack/validateAuthToken;

            default_type text/plain;
            alias    /var/bigbluebutton/captions/$recordId/$textTrack;

        }

        location = /bigbluebutton/textTrack/validateAuthToken {
            internal;
            proxy_pass         http://127.0.0.1:8090;
            proxy_redirect     default;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

            proxy_set_header        X-textTrack-token $textTrackToken;
            proxy_set_header        X-textTrack-recordId $recordId;
            proxy_set_header        X-textTrack-track $textTrack;
            proxy_set_header        X-Original-URI $request_uri;
        }

	}

	location @error403 {
            if ($file_too_large_header = '1') {
                    return 413;
            }

            return 403;
	}

# configuration file /etc/bigbluebutton/nginx/webrtc-sfu.nginx:
location /bbb-webrtc-sfu {
    auth_request /bigbluebutton/connection/checkAuthorization;
    auth_request_set $auth_status $upstream_status;
    # Extra variables are annotated by bbb-web as custom headers
    auth_request_set $user_id $sent_http_user_id;
    auth_request_set $meeting_id $sent_http_meeting_id;
    auth_request_set $voice_bridge $sent_http_voice_bridge;

    proxy_pass http://127.0.0.1:3008;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    # Following custom headers are used by bbb-webrtc-sfu
    proxy_set_header User-Id $user_id;
    proxy_set_header Meeting-Id $meeting_id;
    proxy_set_header Voice-Bridge $voice_bridge;
    proxy_read_timeout 6h;
    proxy_send_timeout 6h;
    client_body_timeout 6h;
    send_timeout 6h;
}


# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

server {
	listen 80 ;
	listen [::]:80 ;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
    server_name meeting.thegatewaydigital.in; # managed by Certbot


	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/meeting.thegatewaydigital.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

Thanks. You have a duplicate server block for meeting.thegatewaydigital.in in your sites-enabled/default config file. You posted earlier the server block for that in your bigbluebutton config file so I think you should comment out the one in the default config. Run nginx -t (small t this time) and if good do a restart of nginx. Let us know what happens.

The extra server block in default looks like this:

server {
	listen 80 ;
	listen [::]:80 ;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
    server_name meeting.thegatewaydigital.in; # managed by Certbot


	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/meeting.thegatewaydigital.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

I am. I still get the 502 proxy error. And Let's Encrypt is reporting the same 502 error.

If the proxy is doing some kind of filtering, you need to exclude the /.well-known/acme-challenge/ request path from the filtering.

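The two checks the replies above ask for, duplicate server blocks and a proxy that swallows the challenge path, as an added example that is not part of the thread and is not Certbot's or nginx's code. It is a small linter for configuration text in the form `nginx -T` prints. The hostname `example.test` and the backend `127.0.0.1:3000` in the embedded samples are placeholders, the backend is assumed to be down so that every proxied request ends in a 502, and the model is deliberately simplified: conflicts are keyed per port rather than per address:port as nginx does, and regex locations are not modelled.

```python
"""Added example (not code from the thread, Certbot or nginx): lint an `nginx -T` dump
for duplicate server_name/port pairs (nginx keeps the first block and logs "conflicting
server name ... ignored" for the rest) and for port-80 servers that proxy or redirect
/.well-known/acme-challenge/ instead of answering it. The configs are constructed."""
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# One token per match: a comment, a quoted string, a structural character or a bare word.
_TOKEN = re.compile(r"\s*(#[^\n]*|\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*'|[{};]|[^\s{};\"']+)")

def tokenize(text):
    """Yield nginx tokens, dropping comments and the quotes around strings."""
    pos = 0
    while m := _TOKEN.match(text, pos):
        pos, tok = m.end(), m.group(1)
        if not tok.startswith("#"):
            yield tok[1:-1] if tok[0] in "\"'" else tok

def parse(tokens):
    """Tree of (name, args, children) triples; children is None for a simple directive."""
    block, args = [], []
    for tok in tokens:
        if tok in ";{" and args:
            block.append((args[0], args[1:], parse(tokens) if tok == "{" else None))
            args = []
        elif tok == "}":
            break
        elif tok not in ";{":
            args.append(tok)
    return block

def servers(tree):
    """Yield the body of every server {} block at any depth."""
    for name, _, body in tree:
        if body is not None:
            yield from ([body] if name == "server" else servers(body))

def directives(body, name):
    return [args for n, args, _ in body if n == name]

def listen_ports(body):
    """Ports from `listen`: 80, 0.0.0.0:80, [::]:443, *:80 ... (nginx defaults to 80)."""
    ports = set()
    for addr, *_ in directives(body, "listen"):
        port = addr.rsplit(":", 1)[-1] if ":" in addr and not addr.endswith("]") else addr
        ports.add(port if port.isdigit() else "80")
    return ports or {"80"}

def conflicting_names(tree):
    """Sorted (port, server_name) pairs claimed by more than one server block."""
    seen, dupes = set(), set()
    for body in servers(tree):
        for port in listen_ports(body):
            for name in (n for args in directives(body, "server_name") for n in args):
                (dupes if (port, name) in seen else seen).add((port, name))
    return sorted(dupes)

def acme_verdict(body):
    """'local' (nginx answers it), 'proxied', 'redirected', 'return NNN' or 'no-handler'."""
    for name, args, _ in body:  # server-level rewrite-module directives run before locations
        if name == "rewrite" and "break" in args and re.match(args[0], ACME_PREFIX + "t"):
            break  # Certbot's trick: `rewrite ^(/.well-known/acme-challenge/.*) $1 break;`
        if name == "return" and args[0].startswith("3"):
            return "redirected"
    best = None  # longest prefix or exact location covering the ACME path
    for name, args, loc in body:
        if name != "location" or loc is None or args[0] in ("~", "~*"):
            continue  # regex locations are not modelled
        path = args[-1]
        if ACME_PREFIX.startswith(path) or path.startswith(ACME_PREFIX):
            if best is None or len(path) > len(best[0]):
                best = (path, loc)
    if best is None:
        return "local" if directives(body, "root") else "no-handler"
    if directives(best[1], "proxy_pass"):
        return "proxied"
    ret = directives(best[1], "return")
    return "local" if not ret or ret[0][0] < "3" else "return " + ret[0][0]

def lint(config_text):
    """Conflicts plus, for every port-80 server, how it would answer the validator."""
    tree = parse(tokenize(config_text))
    acme = [((directives(b, "server_name") or [["(default)"]])[0][0], acme_verdict(b))
            for b in servers(tree) if "80" in listen_ports(b)]
    return {"conflicts": conflicting_names(tree), "acme": acme}

# Constructed, in the shape of the poster's setup; example.test and the backend are placeholders.
BROKEN = """http {
  server { listen 80 default_server; server_name _; root /var/www/html; }
  server { listen 80; listen [::]:80; listen 443 ssl; server_name example.test;
           location / { proxy_pass http://127.0.0.1:3000; } }
  server { listen 80; listen 443 ssl; server_name example.test;  # stale copy in sites-enabled/default
           root /var/www/html; location / { try_files $uri $uri/ =404; } } }"""
# Constructed fix: one block per name and port, ACME path served from disk, Certbot's rewrite/return pair.
FIXED = """http {
  server { listen 80 default_server; server_name _; root /var/www/html; }
  server { listen 80; listen [::]:80; server_name example.test;
           rewrite ^(/.well-known/acme-challenge/.*) $1 break;
           return 301 https://$server_name$request_uri;
           location ^~ /.well-known/acme-challenge/ { root /var/www/html; } }
  server { listen 443 ssl; server_name example.test; location / { proxy_pass http://127.0.0.1:3000; } } }"""
```

Run it on a real dump with `lint(open("nginx-T.txt").read())` after `nginx -T > nginx-T.txt`. On `BROKEN` it reports `example.test` twice on ports 80 and 443 and a `proxied` verdict for the site's port-80 block, which is the combination behind the thread's warnings and the 502; on `FIXED` it reports no conflicts and `local` for every port-80 server. The `rewrite ... break` before `return 301` is the same pattern Certbot writes into the server block in the log further down, and it is what lets the challenge path skip the HTTP-to-HTTPS redirect.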

Thanks for the quick response @MikeMcQ.

I have commented out the duplicate server block for meeting.thegatewaydigital.in and restarted nginx server.

Below is the output of nginx -t :

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now, I'm getting below error by running certbot renew --dry-run :

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/meeting.thegatewaydigital.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for meeting.thegatewaydigital.in

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: meeting.thegatewaydigital.in
  Type:   unauthorized
  Detail: 202.131.103.237: Invalid response from http://meeting.thegatewaydigital.in/.well-known/acme-challenge/tWGsuDA1lERe0KhUzqAzmJPRUu68HZARugHLiSN-cv8: 502

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate meeting.thegatewaydigital.in with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

You must have a working HTTP site before you can use HTTP authentication to obtain a cert.

Let's have a look at:

  1. the remaining HTTP server block
  2. renewal config file:
    /etc/letsencrypt/renewal/meeting.thegatewaydigital.in.conf
  3. the LE logs file:
    /var/log/letsencrypt/letsencrypt.log
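"A working HTTP site" here means one specific thing: a plain-HTTP GET of `http://<domain>/.well-known/acme-challenge/<token>` must come back 200 with the key authorization as the body. The following is an added example, not part of the thread and not Certbot's or Let's Encrypt's code, that reproduces that fetch against a throwaway server on 127.0.0.1 so it runs offline. The account JWK is a constructed placeholder (its modulus is filler, not a key), the token is only the shape of the one in the log below, and the local port is picked at random.

```python
"""Added example (not from the thread, Certbot or Let's Encrypt): reproduce what the
ACME http-01 validator does when it fetches /.well-known/acme-challenge/<token>, against
a throwaway HTTP server on 127.0.0.1. The expected body is the key authorization
token.thumbprint, where thumbprint is the base64url SHA-256 of the account key's public
JWK (RFC 7638); that is what Certbot's `return 200 ...` line in nginx serves. The account
key below is a constructed placeholder."""
import base64
import hashlib
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required public members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token, jwk):
    return f"{token}.{jwk_thumbprint(jwk)}"

def serve_challenges(responses):
    """Throwaway server on 127.0.0.1: answers the {path: body} map with 200 text/plain,
    anything else with 404. Returns (server, port); call server.shutdown() when done."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = responses.get(self.path)
            self.send_response(200 if body is not None else 404)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write((body if body is not None else "not found").encode())

        def log_message(self, *_):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def validate_http01(base_url, token, jwk, timeout=5):
    """Fetch the challenge URL as the CA does (redirects are followed) and report
    the status, the body and whether it equals the expected key authorization."""
    url = base_url.rstrip("/") + ACME_PREFIX + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx, such as the 502 in the thread
        status, body = err.code, err.read().decode(errors="replace")
    body = body.strip()
    return {"url": url, "status": status, "body": body,
            "ok": status == 200 and body == key_authorization(token, jwk)}

# Constructed account key: the modulus is filler, not a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus-just-an-example"}
TOKEN = "VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY"  # token shape from the thread's log

def demo():
    """A correct answer, then the wrong-token case (anything but the key authorization fails)."""
    server, port = serve_challenges({ACME_PREFIX + TOKEN: key_authorization(TOKEN, ACCOUNT_JWK)})
    try:
        good = validate_http01(f"http://127.0.0.1:{port}", TOKEN, ACCOUNT_JWK)
        bad = validate_http01(f"http://127.0.0.1:{port}", "some-other-token", ACCOUNT_JWK)
    finally:
        server.shutdown()
        server.server_close()
    return good, bad

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Pointed at a real host, `validate_http01("http://meeting.example", token, jwk)` shows exactly what the CA saw: the final status after any redirects and the body. A 502 there means nginx reached the request to an upstream that did not answer, so the fix belongs in the server block that handles port 80 (or whatever the redirect lands on), not in Certbot. The `ok` field is only meaningful with the real account key's JWK, since the second half of the body is that key's thumbprint; without it, the status and body alone are still enough to tell a proxy error from a missing file.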

Thanks @rg305

Please have a look at following files:

  1. /etc/nginx/sites-enabled/default (I have commented out the duplicate server block):
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

##########

#server {
#	listen 80 ;
#	listen [::]:80 ;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

#	root /var/www/html;

	# Add index.php to the list if you are using PHP
#	index index.html index.htm index.nginx-debian.html;
#    server_name meeting.thegatewaydigital.in; # managed by Certbot


#	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
#		try_files $uri $uri/ =404;
#	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}


#    listen [::]:443 ssl ipv6only=on; # managed by Certbot
#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/meeting.thegatewaydigital.in/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

#}

  2. Renewal config file (/etc/letsencrypt/renewal/meeting.thegatewaydigital.in.conf):
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/meeting.thegatewaydigital.in
cert = /etc/letsencrypt/live/meeting.thegatewaydigital.in/cert.pem
privkey = /etc/letsencrypt/live/meeting.thegatewaydigital.in/privkey.pem
chain = /etc/letsencrypt/live/meeting.thegatewaydigital.in/chain.pem
fullchain = /etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 5d4e181d9b06e93a9298af409a0d5c7e
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

  3. LE logs (/var/log/letsencrypt/letsencrypt.log):
2022-07-29 10:19:46,732:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-07-29 10:19:47,169:DEBUG:certbot._internal.main:certbot version: 1.29.0
2022-07-29 10:19:47,169:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2192/bin/certbot
2022-07-29 10:19:47,169:DEBUG:certbot._internal.main:Arguments: ['--dry-run', '--preconfigured-renewal']
2022-07-29 10:19:47,169:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-07-29 10:19:47,176:DEBUG:certbot._internal.log:Root logging level set at 30
2022-07-29 10:19:47,177:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/meeting.thegatewaydigital.in.conf
2022-07-29 10:19:47,196:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f8a8b257c40> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f8a8b257c40>
2022-07-29 10:19:47,196:DEBUG:certbot._internal.cli:Var dry_run=True (set by user).
2022-07-29 10:19:47,196:DEBUG:certbot._internal.cli:Var server={'dry_run', 'staging'} (set by user).
2022-07-29 10:19:47,196:DEBUG:certbot._internal.cli:Var dry_run=True (set by user).
2022-07-29 10:19:47,196:DEBUG:certbot._internal.cli:Var server={'dry_run', 'staging'} (set by user).
2022-07-29 10:19:47,196:DEBUG:certbot._internal.cli:Var account={'server'} (set by user).
2022-07-29 10:19:47,215:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-07-10 11:06:32 UTC.
2022-07-29 10:19:47,215:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-07-29 10:19:47,215:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2022-07-29 10:19:47,516:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f8a8b104b80>
Prep: True
2022-07-29 10:19:47,518:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f8a8b104b80>
Prep: True
2022-07-29 10:19:47,518:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f8a8b104b80> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f8a8b104b80>
2022-07-29 10:19:47,519:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2022-07-29 10:19:47,528:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/62260594', new_authzr_uri=None, terms_of_service=None), 4b59ac6324b8ff71f73aa88336559135, Meta(creation_dt=datetime.datetime(2022, 7, 27, 6, 37, 10, tzinfo=<UTC>), creation_host='Resumex', register_to_eff=None))>
2022-07-29 10:19:47,529:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2022-07-29 10:19:47,531:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2022-07-29 10:19:48,379:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 822
2022-07-29 10:19:48,380:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jul 2022 04:49:48 GMT
Content-Type: application/json
Content-Length: 822
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "nJNeTSExVBg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-aaron-ari/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-07-29 10:19:48,383:DEBUG:certbot._internal.display.obj:Notifying user: Simulating renewal of an existing certificate for meeting.thegatewaydigital.in
2022-07-29 10:19:48,412:DEBUG:acme.client:Requesting fresh nonce
2022-07-29 10:19:48,412:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2022-07-29 10:19:48,670:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-07-29 10:19:48,671:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jul 2022 04:49:48 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002OzxGTIflQkACn3ILfH9JJmryOLYxnpRj_FBaxcGDJlk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2022-07-29 10:19:48,671:DEBUG:acme.client:Storing nonce: 0002OzxGTIflQkACn3ILfH9JJmryOLYxnpRj_FBaxcGDJlk
2022-07-29 10:19:48,672:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "meeting.thegatewaydigital.in"\n    }\n  ]\n}'
2022-07-29 10:19:48,677:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82MjI2MDU5NCIsICJub25jZSI6ICIwMDAyT3p4R1RJZmxRa0FDbjNJTGZIOUpKbXJ5T0xZeG5wUmpfRkJheGNHREpsayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "XFjayWESmIg04DSTyRDpQ_NQyDC_rGADuVVF5LjE1CEFotfzRJdm0Ck5X2EMhr_MQcMqD1GpL2RLPQ1eGMrsv7ZjOdlk2-IEWqQWxRozvK2DmogjSDMNWD-0fe8jcscFT4mxQA3lhKkN1DqH4fTKETFIbE1VVxlCOMtRjsVWSZ9wFsjS6BvVb-XJZUwKvfbw26oX6ewg7rhUe0vIPqWMsUEnxkr6ucgk84ssejekp58GSSKya98XZob-t-w1C0pi9wHHDpn9eQHS6-5Jeybs4jtMej0BHrx5iRn5oT7TNY00At4OR-O3w7OuDcBYGj6n-Y_Z2wiB3gDzcKa00rgF2A",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm1lZXRpbmcudGhlZ2F0ZXdheWRpZ2l0YWwuaW4iCiAgICB9CiAgXQp9"
}
2022-07-29 10:19:48,963:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 364
2022-07-29 10:19:48,964:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 29 Jul 2022 04:49:48 GMT
Content-Type: application/json
Content-Length: 364
Connection: keep-alive
Boulder-Requester: 62260594
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/62260594/3408125554
Replay-Nonce: 0001taOs0Rqm_r_MBWw21XsAXA0Fkci-gUSqf4T_6ctYgw4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-08-05T04:49:48Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "meeting.thegatewaydigital.in"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3164091774"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/62260594/3408125554"
}
2022-07-29 10:19:48,964:DEBUG:acme.client:Storing nonce: 0001taOs0Rqm_r_MBWw21XsAXA0Fkci-gUSqf4T_6ctYgw4
2022-07-29 10:19:48,965:DEBUG:acme.client:JWS payload:
b''
2022-07-29 10:19:48,968:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3164091774:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82MjI2MDU5NCIsICJub25jZSI6ICIwMDAxdGFPczBScW1fcl9NQld3MjFYc0FYQTBGa2NpLWdVU3FmNFRfNmN0WWd3NCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMTY0MDkxNzc0In0",
  "signature": "iGxZBxhdHjEhbKjUPZACGO4VeQ25tzSHWUuUPNfW2TT9l9ImvJxtyeSiVYfMKrsMOnH-DV-4ykbF1uIdPLU3R1pdAmvhnNO-iwPUITkH4BpldRcB7SYboUPXkK12izvA04LE_qMLPOKd6zvEtpLSDSLO42TjQPPSoLJMgvDZUPotYvFpE22EQSQFDnYjqM_o26ryBpXfWK3erdYHZ_nWlWFH8yNWsaRmJ62mFlxMbGCVd3k1UDyZMSim4rrFHVS43ImG24rv3cur3nSfKtQAHh5nkl5jNY-dHKdNqGPWki3s__5Ad3mVTjFmOWHfsPc2eScnHzS9lG0LwvW3ITpbIQ",
  "payload": ""
}
2022-07-29 10:19:49,234:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/3164091774 HTTP/1.1" 200 830
2022-07-29 10:19:49,235:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jul 2022 04:49:49 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Boulder-Requester: 62260594
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001vY8zaJWhiUh5iriOYiQ1wtqZS8AxpiSSO1mOxCs4O9U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "meeting.thegatewaydigital.in"
  },
  "status": "pending",
  "expires": "2022-08-05T04:49:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3164091774/JHXxxQ",
      "token": "VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3164091774/wggbFQ",
      "token": "VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3164091774/TBfDMg",
      "token": "VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY"
    }
  ]
}
2022-07-29 10:19:49,236:DEBUG:acme.client:Storing nonce: 0001vY8zaJWhiUh5iriOYiQ1wtqZS8AxpiSSO1mOxCs4O9U
2022-07-29 10:19:49,237:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-07-29 10:19:49,237:INFO:certbot._internal.auth_handler:http-01 challenge for meeting.thegatewaydigital.in
2022-07-29 10:19:49,261:DEBUG:certbot_nginx._internal.http_01:Generated server block:
[]
2022-07-29 10:19:49,261:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2022-07-29 10:19:49,261:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2022-07-29 10:19:49,261:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/demo.nginx
2022-07-29 10:19:49,262:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/bbb-html5.nginx
2022-07-29 10:19:49,262:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/notes.nginx
2022-07-29 10:19:49,262:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/loadbalancer.nginx
2022-07-29 10:19:49,262:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-mail.conf
2022-07-29 10:19:49,262:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/greenlight-redirect.nginx
2022-07-29 10:19:49,262:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/default
2022-07-29 10:19:49,263:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf
2022-07-29 10:19:49,263:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/greenlight.nginx
2022-07-29 10:19:49,263:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/presentation-slides.nginx
2022-07-29 10:19:49,263:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/playback.nginx
2022-07-29 10:19:49,263:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-http-image-filter.conf
2022-07-29 10:19:49,263:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-http-geoip.conf
2022-07-29 10:19:49,263:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-stream.conf
2022-07-29 10:19:49,264:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/bigbluebutton
2022-07-29 10:19:49,264:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/bbb-html5-loadbalancer.conf
2022-07-29 10:19:49,264:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/sip.nginx
2022-07-29 10:19:49,264:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/web.nginx
2022-07-29 10:19:49,264:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/webrtc-sfu.nginx
2022-07-29 10:19:49,264:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/presentation.nginx
2022-07-29 10:19:49,265:DEBUG:certbot.reverter:Creating backup of /etc/bigbluebutton/nginx/learning-dashboard.nginx
2022-07-29 10:19:49,265:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

worker_rlimit_nofile 10000;

events {
	worker_connections 4000;
	# multi_accept on;
}

http {
server_names_hash_bucket_size 128;
include /etc/letsencrypt/le_http_01_cert_challenge.conf;

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

2022-07-29 10:19:49,266:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/bigbluebutton:
server_tokens off;

server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


  listen 80;
  listen [::]:80;
  server_name meeting.thegatewaydigital.in;

  return 301 https://$server_name$request_uri; #redirect HTTP to HTTPS

location = /.well-known/acme-challenge/VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY{default_type text/plain;return 200 VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY.12fiqJeO-xcK-I5B5u-2X7EkWMKU3DcM-HaGQe1PYyA;} # managed by Certbot

}
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name meeting.thegatewaydigital.in;

   ssl_certificate /etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/meeting.thegatewaydigital.in/privkey.pem;
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout 10m;
   ssl_protocols TLSv1.2 TLSv1.3;
  # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384$
   ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
   ssl_dhparam /etc/nginx/ssl/dhp-4096.pem;

    # HSTS (comment out to enable)
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  access_log  /var/log/nginx/bigbluebutton.access.log;
  location / {
    root   /var/www/bigbluebutton-default;
    index  index.html index.htm;
    expires 1m;
  }

  location /.well-known/acme-challenge/ {
    root /var/www/bigbluebutton-default/.well-known/acme-challenge;
  }

  # Include specific rules for record and playback
  include /etc/bigbluebutton/nginx/*.nginx;
location = /.well-known/acme-challenge/VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY{default_type text/plain;return 200 VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY.12fiqJeO-xcK-I5B5u-2X7EkWMKU3DcM-HaGQe1PYyA;} # managed by Certbot

}

2022-07-29 10:19:50,292:DEBUG:acme.client:JWS payload:
b'{}'
2022-07-29 10:19:50,297:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3164091774/JHXxxQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82MjI2MDU5NCIsICJub25jZSI6ICIwMDAxdlk4emFKV2hpVWg1aXJpT1lpUTF3dHFaUzhBeHBpU1NPMW1PeENzNE85VSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8zMTY0MDkxNzc0L0pIWHh4USJ9",
  "signature": "cItuP4GcKXuFAbQHTKgVf5WBLsN-m2c-1MpDut7hR76-bs_CRY6MuvFGFy9jUYx-svhMj5MR_evHMHOfmz1zytJPREOvAmL-XQ6cGdOHQnRsU3QW5Q6OrWrFJVy7ITqIihmzgslbmkyIe7TfH2eMyvaOHtwCq5nLzzAqSzrDx3idwVDomwSvW-ckg28iMPO_VzRm9h9rSTC4XpQFc5HjDVhdA0SFqsEBRWRPg5QM4iuybmNAAeDqS6bP5cMfKbJzkWQTAvMMubM6S6mNmgL4ejqqFLltNZTbknF68WW1N-G_hX9MiIZUe54uQxmBvDE7cA4hnsohbnHtmtcLXqLD7g",
  "payload": "e30"
}
2022-07-29 10:19:50,565:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/3164091774/JHXxxQ HTTP/1.1" 200 193
2022-07-29 10:19:50,566:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jul 2022 04:49:50 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive
Boulder-Requester: 62260594
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3164091774>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3164091774/JHXxxQ
Replay-Nonce: 0001EXkChBAHB1eFSRFkSOiNtn6ja3iSpY7mlEkPcRwIqeE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3164091774/JHXxxQ",
  "token": "VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY"
}
2022-07-29 10:19:50,567:DEBUG:acme.client:Storing nonce: 0001EXkChBAHB1eFSRFkSOiNtn6ja3iSpY7mlEkPcRwIqeE
2022-07-29 10:19:50,568:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-07-29 10:19:51,569:DEBUG:acme.client:JWS payload:
b''
2022-07-29 10:19:51,573:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3164091774:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82MjI2MDU5NCIsICJub25jZSI6ICIwMDAxRVhrQ2hCQUhCMWVGU1JGa1NPaU50bjZqYTNpU3BZN21sRWtQY1J3SXFlRSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMTY0MDkxNzc0In0",
  "signature": "CWHkoZGQqbOXQ1PcosEYDVDbR_cka0s9hTqjxgc9l3eaQD26ZwdR3tURLmcnOHVgtE_8RjwkLej2q8TV8XxfKIavu7YoVOuBywxk7M3Mx2Z30Z1q9AJxkFF0K8EYw5-z50qq4reZ98NZmMPxf5rrHTLAiUpzj4YTH20w7eSqDTrTxj65WKI_yNgAw3HRWpnn_MXAyUB4Z4-WFTKfJzKOE9cHuG350iaSJvCjzUfcidqJHjO8TbLyFQw0v19dFPSS_VsBhtoWxEXJ6mKhaidAteflvv6MwjpBAEWpAzjZBxloDLN7y6463eV5BqMhNsFbY8ogyyyiYql6ZZlZQCwhsA",
  "payload": ""
}
2022-07-29 10:19:51,837:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/3164091774 HTTP/1.1" 200 1092
2022-07-29 10:19:51,838:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jul 2022 04:49:51 GMT
Content-Type: application/json
Content-Length: 1092
Connection: keep-alive
Boulder-Requester: 62260594
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002gs773CugbemUw8JxAQB4PlwZu_XKoxX9b12y8gXYs9M
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "meeting.thegatewaydigital.in"
  },
  "status": "invalid",
  "expires": "2022-08-05T04:49:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "202.131.103.237: Invalid response from http://meeting.thegatewaydigital.in/.well-known/acme-challenge/VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY: 502",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3164091774/JHXxxQ",
      "token": "VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY",
      "validationRecord": [
        {
          "url": "http://meeting.thegatewaydigital.in/.well-known/acme-challenge/VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY",
          "hostname": "meeting.thegatewaydigital.in",
          "port": "80",
          "addressesResolved": [
            "202.131.103.237"
          ],
          "addressUsed": "202.131.103.237"
        }
      ],
      "validated": "2022-07-29T04:49:50Z"
    }
  ]
}
2022-07-29 10:19:51,838:DEBUG:acme.client:Storing nonce: 0002gs773CugbemUw8JxAQB4PlwZu_XKoxX9b12y8gXYs9M
2022-07-29 10:19:51,839:INFO:certbot._internal.auth_handler:Challenge failed for domain meeting.thegatewaydigital.in
2022-07-29 10:19:51,840:INFO:certbot._internal.auth_handler:http-01 challenge for meeting.thegatewaydigital.in
2022-07-29 10:19:51,840:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: meeting.thegatewaydigital.in
  Type:   unauthorized
  Detail: 202.131.103.237: Invalid response from http://meeting.thegatewaydigital.in/.well-known/acme-challenge/VyCG0H5soHy_if7X9vcqULCe57cEgxUpxZLS-FDCavY: 502

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2022-07-29 10:19:51,841:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-07-29 10:19:51,842:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-07-29 10:19:51,842:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-07-29 10:19:53,126:ERROR:certbot._internal.renewal:Failed to renew certificate meeting.thegatewaydigital.in with error: Some challenges have failed.
2022-07-29 10:19:53,129:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 484, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 1541, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 344, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-07-29 10:19:53,129:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-07-29 10:19:53,130:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2022-07-29 10:19:53,130:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/meeting.thegatewaydigital.in/fullchain.pem (failure)
2022-07-29 10:19:53,130:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-07-29 10:19:53,131:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/2192/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 1630, in renew
    renewal.handle_renewal_request(config)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 510, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2022-07-29 10:19:53,132:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)


It looks like HTTP requests are not reaching this nginx server, and instead are being rejected with a 502 error code, probably by a device from Sophos.

For example, see the response headers for this test request. Normally we should see a header with "Server: nginx" but we don't see that header in the response. It is possible to turn those off in nginx but I don't see that you did.

You should look at what is responsible for the "forward.http.proxy:3128".

curl -i meeting.thegatewaydigital.in

HTTP/1.1 502 Operation not permitted
Date: Fri, 29 Jul 2022 14:27:21 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset="UTF-8"
Content-Length: 80454
Via: HTTP/1.1 forward.http.proxy:3128
Connection: close

(most of data response omitted but I see this)
                        <footer>
                        <div class='logoSophosFooter'>
                            <div class='logoSophosFooterText'>
                                <span class='logoSophosFooterFont'>Protected by</span>
                            </div>
                        </div>
                    </footer>

Here is your http server block. We should get redirected with the above test curl request for your "home" page, but we don't. We get the 502.

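The check the reply above makes by eye (no "Server: nginx" header, a "Via:" header naming a forward proxy, a 502 where a 301 redirect was expected) can be scripted so it is repeatable before the next renewal attempt. The following is an added example, not code from the thread or from Certbot: the helper names classify_headers and probe_acme_path are hypothetical, and the two header samples are constructed, the first modelled on the 502 response quoted above and the second on what the port-80 server block in the log would return.

```shell
#!/bin/sh
# Added example, not from the thread: decide from a raw HTTP response header
# block whether the reply came straight from nginx or from an intermediary,
# which is the distinction the reply above draws from the curl output.
# Helper names (classify_headers, probe_acme_path) are hypothetical.

# Reads response headers on stdin. Prints a one-line verdict and returns:
#   0  reply came from nginx (Server: nginx present, no Via: header)
#   1  an intermediary answered (Via: header present, as with the proxy in the thread)
#   2  no Server: nginx header and no Via: header; origin unclear
classify_headers() {
    hdrs=$(tr -d '\r')      # strip CRLF so grep/sed anchors behave
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    server=$(printf '%s\n' "$hdrs" | grep -i '^Server:' | head -n 1 | cut -d' ' -f2-)
    via=$(printf '%s\n' "$hdrs" | grep -i '^Via:' | head -n 1 | cut -d' ' -f2-)

    if [ -n "$via" ]; then
        echo "intercepted: status=$status via=$via"
        return 1
    fi
    case "$server" in
        nginx*) echo "origin-nginx: status=$status server=$server"; return 0 ;;
        *)      echo "unclear: status=$status no Server: nginx header"; return 2 ;;
    esac
}

# Live probe: fetch only the headers for a throwaway path under the ACME
# challenge directory (body discarded) and classify them. Needs network access;
# a 404 from nginx is still a good sign, because it proves port 80 reaches nginx.
probe_acme_path() {
    curl -s -D - -o /dev/null --max-time 10 \
        "http://$1/.well-known/acme-challenge/probe-$(date +%s)" | classify_headers
}

# Constructed samples. The first is modelled on the 502 shown in the thread;
# the second is what the port-80 server block in the log would produce.
SAMPLE_PROXY='HTTP/1.1 502 Operation not permitted
Date: Fri, 29 Jul 2022 14:27:21 GMT
Cache-Control: no-cache
Content-Type: text/html; charset="UTF-8"
Via: HTTP/1.1 forward.http.proxy:3128
Connection: close
'
SAMPLE_ORIGIN='HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 29 Jul 2022 14:30:00 GMT
Location: https://meeting.example/
'

# Demonstration on the constructed samples.
printf '%s' "$SAMPLE_PROXY"  | classify_headers || true   # intercepted, exit status 1
printf '%s' "$SAMPLE_ORIGIN" | classify_headers           # origin-nginx, exit status 0
```

For a live check, probe_acme_path meeting.example (substitute the real hostname) returns non-zero whenever a Via: header is present, so it can gate a cron job or alert before certbot is run. The classifier only looks at response headers, so an intermediary that strips Via: and forges Server: nginx would not be detected; the definitive test remains placing a file under /.well-known/acme-challenge/ on the nginx host and fetching it from outside the network.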

Unrelated, but I'd update that version to the latest via snap.
