Cannot run nginx - certbot on Ubuntu 22.04.1 LTS Jelly

I'm trying to reconfigure my server after having moved from 20.04 to 22.04.01, with no success.
The domain names I'm trying to register are www.pikeen.it and pikeen.it

Running sudo systemctl status nginx I rceived the following respons, and I don't like it.

ā— nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-08-04 22:50:44 CEST; 19h ago
       Docs: man:nginx(8)
    Process: 7203 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 7204 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 7205 (nginx)
      Tasks: 9 (limit: 76091)
     Memory: 7.6M
        CPU: 37ms
     CGroup: /system.slice/nginx.service
             ā”œā”€7205 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             ā”œā”€7206 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ā”œā”€7207 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ā”œā”€7208 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ā”œā”€7209 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ā”œā”€7210 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ā”œā”€7211 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ā”œā”€7212 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ā””ā”€7213 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

ago 04 22:50:44 neo4j systemd[1]: Starting A high performance web server and a reverse proxy server...
ago 04 22:50:44 neo4j systemd[1]: Started A high performance web server and a reverse proxy server.

Trying to install certbot, I emitted the following command sudo certbot --nginx -d www.pikeen.it, which returned the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.pikeen.it

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.pikeen.it-0001/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.pikeen.it-0001/privkey.pem
This certificate expires on 2022-11-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Could not install certificate

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name www.pikeen.it-0001

Could not automatically find a matching server block for www.pikeen.it. Set the `server_name` directive to use the Nginx installer.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My default conf file is:

server {

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name www.pikeen.it;

	location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://localhost:3000;
	}


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.pikeen.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.pikeen.it/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80 ;
	listen [::]:80 ;
    server_name www.pikeen.it;

    return 404; # managed by Certbot
}

Any help will be appreciated!

This is usually an indication of a "problem" - something has gone wrong.

Let's review the cert covered names, with the output of:
certbot certificates

4 Likes

Hi rg305

Here is my output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.pikeen.it-0001
    Serial Number: 462a5c4736f21758f5236f150a7a17c89a3
    Key Type: RSA
    Domains: www.pikeen.it
    Expiry Date: 2022-11-03 15:17:59+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.pikeen.it-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.pikeen.it-0001/privkey.pem
  Certificate Name: www.pikeen.it
    Serial Number: 304d23382e4f96a69a418ff5abc488f31cb
    Key Type: RSA
    Domains: pikeen.it www.pikeen.it
    Expiry Date: 2022-11-03 15:24:40+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.pikeen.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.pikeen.it/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

And this is the list of the directory

root@neo4j:/etc/nginx/sites-available# cd /etc/letsencrypt/live/
root@neo4j:/etc/letsencrypt/live# ls -la
totale 20
drwx------ 4 root root 4096 ago  5 18:18 .
drwxr-xr-x 9 root root 4096 ago  5 18:55 ..
-rw-r--r-- 1 root root  740 ago  4 22:45 README
drwxr-xr-x 2 root root 4096 ago  5 18:24 www.pikeen.it
drwxr-xr-x 2 root root 4096 ago  5 18:18 www.pikeen.it-0001

Paolo

1 Like

It seems you don't really need the -0001 cert; As the only name it holds is already covered by the other.

I'd ensure that the web server only uses the second cert and then remove the first, with:
certbot remove --cert-name www.pikeen.it-0001
certbot delete --cert-name www.pikeen.it-0001

3 Likes

Also, since both names resolve to this same system/IP:

Address: 217.133.19.27
Aliases: www.pikeen.it

Name:    pikeen.it
Address: 217.133.19.27

I'd add this line to that server block:
server_name pikeen.it;

[unless you are actually serving unique site content for each of those names]

2 Likes

Well, maybe I made a mistake manually removing the www.pikeen.it-0001 directory.

Which is the best way to remove that certificate?

And yes, I added the other server name: the site should respond to both addresses. Here is my actual default

server {


   server_name www.pikeen.it pikeen.it; # managed by Certbot
    
	location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://localhost:3000;

        }


    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pikeen.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pikeen.it/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

	listen 80 ;
	listen [::]:80 ;
	 server_name www.pikeen.it pikeen.it;
    	return 404; # managed by Certbot

}

But why there are a lot of empty CGRoups in sudo systemctl status nginx?

And, BTW, this is the result attempting to remove:

certbot remove --cert-name www.pikeen.it-0001
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: remove

Please see certbot --help for the correct command.

3 Likes

Done, it is certbot delete

2 Likes

They seem to be at the ready for more client connections.

2 Likes

Well, at this point everything looks running, but the https://pikeen.it responds that there is an error on the site.

While localhost:3000 runs with no problems!

What is the next step I could do to verify and solve the problem?

I'd go step by step:

  • is there an external firewall?
    does it allow HTTP, HTTPS?
    does it do NAT?
    are those settings correct?

  • is there any other type of device that might be doing PAT/NAT?
    are those settings correct?

  • is there an internal firewall?
    does it allow HTTP, HTTPS?

2 Likes

The only thing is ufw:

neo4j@neo4j:/var/log/nginx$ sudo ufw status
Stato: attivo

A                          Azione      Da
-                          ------      --
22                         ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
Nginx HTTPS                ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)             
Nginx HTTPS (v6)           ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)   

No NAT/PAT

Hmmm. Something is blocking ports 80 and 443. Or maybe nginx is not listening.

nmap www.pikeen.it

rDNS record for 217.133.19.27: 217-133-19-27.static.clienti.tiscali.it
PORT     STATE  SERVICE
80/tcp   closed http
443/tcp  closed https
5060/tcp open   sip
8089/tcp open   unknown

What does this show?

sudo netstat -pant | grep -i listen
3 Likes

sudo netstat -pant | grep -i listen
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 545/systemd-resolve
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 25288/node
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 7756/cupsd
tcp6 0 0 :::7474 :::* LISTEN 26016/java
tcp6 0 0 :::7687 :::* LISTEN 26016/java
tcp6 0 0 ::1:631 :::* LISTEN 7756/cupsd

nginx is not running. What do these do?

sudo nginx -t
sudo systemctl status nginx
3 Likes

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
neo4j@neo4j:/var/log/nginx$ sudo systemctl status nginx
ā— nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-08-05 20:09:25 CEST; 15min ago
Docs: man:nginx(8)
Process: 30958 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 30959 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 30960 (nginx)
Tasks: 9 (limit: 76091)
Memory: 7.6M
CPU: 30ms
CGroup: /system.slice/nginx.service
ā”œā”€30960 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
ā”œā”€30961 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
ā”œā”€30962 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
ā”œā”€30963 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
ā”œā”€30964 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
ā”œā”€30965 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
ā”œā”€30966 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
ā”œā”€30967 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
ā””ā”€30968 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

ago 05 20:09:25 neo4j systemd[1]: Starting A high performance web server and a reverse proxy server...
ago 05 20:09:25 neo4j systemd[1]: Started A high performance web server and a reverse proxy server.

That's interesting. Maybe try restarting your server. nginx is not bound to ports 80 or 443 as we saw from netstat command

Or, we can double-check nginx. Show us the output of sudo nginx -T (capital T). Please put 3 backticks before and after the output to format it. LIke this:
```
output of: sudo nginx -T
```

3 Likes

Sorry for backtik missing!

sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}
2 Likes

There is no server blocks defined in that output. Was all of it there?

Normally there is a file(s) included from /sites-enabled/ that would show in nginx -T

3 Likes