I'm trying to reconfigure my server after having moved from 20.04 to 22.04.01, with no success.
The domain names I'm trying to register are www.pikeen.it and pikeen.it
Running `sudo systemctl status nginx` I received the following response, and I don't like it:
```
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-08-04 22:50:44 CEST; 19h ago
       Docs: man:nginx(8)
    Process: 7203 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 7204 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 7205 (nginx)
      Tasks: 9 (limit: 76091)
     Memory: 7.6M
        CPU: 37ms
     CGroup: /system.slice/nginx.service
             ├─7205 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             ├─7206 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─7207 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─7208 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─7209 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─7210 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─7211 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─7212 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             └─7213 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

ago 04 22:50:44 neo4j systemd[1]: Starting A high performance web server and a reverse proxy server...
ago 04 22:50:44 neo4j systemd[1]: Started A high performance web server and a reverse proxy server.
```
Trying to install certbot, I emitted the following command, `sudo certbot --nginx -d www.pikeen.it`, which returned the following error:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.pikeen.it

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.pikeen.it-0001/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.pikeen.it-0001/privkey.pem
This certificate expires on 2022-11-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Could not install certificate

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name www.pikeen.it-0001

Could not automatically find a matching server block for www.pikeen.it. Set the `server_name` directive to use the Nginx installer.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
My default conf file is:

```
server {
    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name www.pikeen.it;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:3000;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.pikeen.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.pikeen.it/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name www.pikeen.it;
    return 404; # managed by Certbot
}
```
Any help will be appreciated!
rg305
August 5, 2022, 4:54pm
2
> pdipietro: -0001
This is usually an indication of a "problem" - something has gone wrong.
Let's review the cert covered names, with the output of:

```
certbot certificates
```
4 Likes
Hi rg305
Here is my output:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.pikeen.it-0001
    Serial Number: 462a5c4736f21758f5236f150a7a17c89a3
    Key Type: RSA
    Domains: www.pikeen.it
    Expiry Date: 2022-11-03 15:17:59+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.pikeen.it-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.pikeen.it-0001/privkey.pem
  Certificate Name: www.pikeen.it
    Serial Number: 304d23382e4f96a69a418ff5abc488f31cb
    Key Type: RSA
    Domains: pikeen.it www.pikeen.it
    Expiry Date: 2022-11-03 15:24:40+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.pikeen.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.pikeen.it/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
And this is the directory listing:

```
root@neo4j:/etc/nginx/sites-available# cd /etc/letsencrypt/live/
root@neo4j:/etc/letsencrypt/live# ls -la
totale 20
drwx------ 4 root root 4096 ago  5 18:18 .
drwxr-xr-x 9 root root 4096 ago  5 18:55 ..
-rw-r--r-- 1 root root  740 ago  4 22:45 README
drwxr-xr-x 2 root root 4096 ago  5 18:24 www.pikeen.it
drwxr-xr-x 2 root root 4096 ago  5 18:18 www.pikeen.it-0001
```
Paolo
1 Like
rg305
August 5, 2022, 5:18pm
4
It seems you don't really need the -0001 cert, as the only name it holds is already covered by the other.
I'd ensure that the web server only uses the second cert and then remove the first, with:

```
certbot remove --cert-name www.pikeen.it-0001
certbot delete --cert-name www.pikeen.it-0001
```
3 Likes
rg305
August 5, 2022, 5:22pm
5
Also, since both names resolve to this same system/IP:

```
Address: 217.133.19.27
Aliases: www.pikeen.it

Name:    pikeen.it
Address: 217.133.19.27
```

I'd add this line to that server block:

```
server_name pikeen.it;
```

[unless you are actually serving unique site content for each of those names]
3 Likes
Well, maybe I made a mistake manually removing the www.pikeen.it-0001 directory.
Which is the best way to remove that certificate?

And yes, I added the other server name: the site should respond to both addresses. Here is my actual default:

```
server {
    server_name www.pikeen.it pikeen.it; # managed by Certbot

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:3000;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pikeen.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pikeen.it/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name www.pikeen.it pikeen.it;
    return 404; # managed by Certbot
}
```
But why are there a lot of empty CGroups in `sudo systemctl status nginx`?
And, BTW, this is the result of attempting to remove:

```
certbot remove --cert-name www.pikeen.it-0001
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: remove
```
Osiris
August 5, 2022, 5:40pm
8
Please see `certbot --help` for the correct command.
4 Likes
Done, it is `certbot delete`.
2 Likes
rg305
August 5, 2022, 6:06pm
10
They seem to be at the ready for more client connections.
3 Likes
Well, at this point everything looks to be running, but https://pikeen.it responds that there is an error on the site, while localhost:3000 runs with no problems!
What is the next step I could take to verify and solve the problem?
The only thing is ufw:

```
neo4j@neo4j:/var/log/nginx$ sudo ufw status
Stato: attivo

A                          Azione      Da
-                          ------      --
22                         ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
Nginx HTTPS                ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Nginx HTTPS (v6)           ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
```

No NAT/PAT.
Hmmm. Something is blocking ports 80 and 443. Or maybe nginx is not listening.

```
nmap www.pikeen.it
rDNS record for 217.133.19.27: 217-133-19-27.static.clienti.tiscali.it
PORT     STATE  SERVICE
80/tcp   closed http
443/tcp  closed https
5060/tcp open   sip
8089/tcp open   unknown
```

What does this show?

```
sudo netstat -pant | grep -i listen
```
4 Likes
```
sudo netstat -pant | grep -i listen
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      545/systemd-resolve
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      25288/node
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      7756/cupsd
tcp6       0      0 :::7474                 :::*                    LISTEN      26016/java
tcp6       0      0 :::7687                 :::*                    LISTEN      26016/java
tcp6       0      0 ::1:631                 :::*                    LISTEN      7756/cupsd
```
nginx is not running. What do these do?

```
sudo nginx -t
sudo systemctl status nginx
```
4 Likes
```
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

```
neo4j@neo4j:/var/log/nginx$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-08-05 20:09:25 CEST; 15min ago
       Docs: man:nginx(8)
    Process: 30958 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 30959 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 30960 (nginx)
      Tasks: 9 (limit: 76091)
     Memory: 7.6M
        CPU: 30ms
     CGroup: /system.slice/nginx.service
             ├─30960 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             ├─30961 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─30962 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─30963 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─30964 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─30965 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─30966 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─30967 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             └─30968 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

ago 05 20:09:25 neo4j systemd[1]: Starting A high performance web server and a reverse proxy server...
ago 05 20:09:25 neo4j systemd[1]: Started A high performance web server and a reverse proxy server.
```
That's interesting. Maybe try restarting your server. nginx is not bound to ports 80 or 443, as we saw from the netstat command.

Or, we can double-check nginx. Show us the output of `sudo nginx -T` (capital T). Please put 3 backticks before and after the output to format it. Like this:

```
output of: sudo nginx -T
```
4 Likes
Sorry for the missing backticks!

```
sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
#
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:
types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}
```
2 Likes
There are no server blocks defined in that output. Was all of it there?
Normally there is a file (or files) included from /sites-enabled/ that would show in `nginx -T`.
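The two checks this thread ends up doing by hand can be scripted before anything is handed to certbot: does some `server_name` in the loaded config cover every name you would pass to `certbot --nginx -d` (rg305's point about adding `server_name pikeen.it;`), and is nginx actually bound to the ports its `listen` directives name, or does `nginx -T` contain no server block at all because nothing under `sites-enabled/` was loaded. The script below is an added example and is not code from the thread, from certbot or from nginx; the `nginx -T` dump and `netstat` listing it parses are constructed inline, and the hostnames `www.example.test` / `example.test` / `other.example.test` are placeholders. Save real output to files and call `nginx_report` on them to use it for real.

```sh
#!/bin/sh
# Added example: check a saved `nginx -T` dump against the names you intend
# to pass to `certbot --nginx -d`, and against a saved `netstat -pant` listing.
# Everything below the functions is constructed sample input.

NGINX_DUMP=$(mktemp)
NETSTAT_DUMP=$(mktemp)
trap 'rm -f "$NGINX_DUMP" "$NETSTAT_DUMP"' EXIT

# Constructed `nginx -T` output: one site file included from sites-enabled.
cat > "$NGINX_DUMP" <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    include /etc/nginx/sites-enabled/*;
}
#    server {            # commented-out block: must not be counted
#        listen localhost:110;
#    }
# configuration file /etc/nginx/sites-enabled/default:
server {
    server_name www.example.test example.test; # managed by Certbot
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}
server {
    listen 80 ;
    listen [::]:80 ;
    server_name www.example.test example.test;
    return 404; # managed by Certbot
}
EOF

# Constructed `netstat -pant | grep -i listen`: the app is up, nginx is not bound.
cat > "$NETSTAT_DUMP" <<'EOF'
tcp   0  0 127.0.0.53:53   0.0.0.0:*  LISTEN  545/systemd-resolve
tcp   0  0 0.0.0.0:3000    0.0.0.0:*  LISTEN  25288/node
tcp6  0  0 :::7474         :::*       LISTEN  26016/java
EOF

# Number of uncommented `server {` openers; 0 means no site file was loaded.
nginx_server_block_count() {
    grep -c '^[[:space:]]*server[[:space:]]*{' "$1" || true
}

# Every hostname named by an uncommented server_name directive, sorted, unique.
nginx_server_names() {
    awk '$1 == "server_name" {
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (tok ~ /^#/) break      # rest of the line is a comment
                last = (tok ~ /;/)         # the directive ends at the first ;
                sub(/;.*/, "", tok)
                if (tok != "") print tok
                if (last) break
            }
        }' "$1" | sort -u
}

# Ports named by uncommented listen directives ("[::]:443 ssl;" -> 443).
nginx_listen_ports() {
    awk '$1 == "listen" { tok = $2; sub(/;.*/, "", tok)
                          n = split(tok, p, ":"); print p[n] }' "$1" | sort -u
}

# Ports that really have a LISTEN socket (netstat local address is field 4).
listening_ports() {
    awk '$6 == "LISTEN" { n = split($4, p, ":"); print p[n] }' "$1" | sort -u
}

# Exit 0 when NAME is served by some server block in the dump, 1 otherwise.
# This is exactly what certbot's nginx installer needs to find.
nginx_name_covered() {
    nginx_server_names "$2" | grep -qxF "$1"
}

# Ports the config wants but nothing is bound to: what nmap reports as closed.
unbound_ports() {
    bound=$(mktemp)
    listening_ports "$2" > "$bound"
    nginx_listen_ports "$1" |
        awk -v b="$bound" 'BEGIN { while ((getline p < b) > 0) have[p] = 1 }
                           !($1 in have)'
    rm -f "$bound"
}

# Summary for a dump, a socket listing and the names you would pass to -d.
nginx_report() {
    dump=$1; sockets=$2; shift 2
    printf 'server blocks found: %s\n' "$(nginx_server_block_count "$dump")"
    for name in "$@"; do
        if nginx_name_covered "$name" "$dump"; then
            printf 'server_name %s: present\n' "$name"
        else
            printf 'server_name %s: MISSING, certbot --nginx has no block to install into\n' "$name"
        fi
    done
    for port in $(unbound_ports "$dump" "$sockets"); do
        printf 'port %s: in the config but no LISTEN socket\n' "$port"
    done
}

nginx_report "$NGINX_DUMP" "$NETSTAT_DUMP" www.example.test example.test other.example.test
```

Against the constructed input the report shows two server blocks, both `example.test` names present, `other.example.test` missing, and ports 443 and 80 configured but unbound, which is the state the thread reached: config fine, nothing listening. Run on a host where `nginx -T` really prints no `server {` at all, the block count of 0 is the quickest confirmation that the `sites-enabled/` include is not pulling anything in.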