Cannot run nginx - certbot on Ubuntu 22.04.1 LTS Jelly

First: I restarted the machine, but nothing has changed

Second: I have only the default file defined in sites-available and sites-enabled

How can I add/include this file in nginx -T?

You already have this line in your nginx config. That should include anything in /sites-enabled/

The nginx -T shows the current active nginx config. It does not look like your nginx is seeing that server conf file in sites-enabled. If it did it would show in -T and would also show in netstat command as listening on ports 80 and 443.

Please show:

ls -l /etc/nginx/sites-enabled
4 Likes

uh-oh! there is nothing there!
I'll try to ls and let you know

1 Like

I think you meant ln. Example:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
4 Likes

yes!!!

but the testing returns errors

sudo nginx -t
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/pikeen.it/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/pikeen.it/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Let's check this again

sudo certbot certificates
4 Likes
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.pikeen.it
    Serial Number: 304d23382e4f96a69a418ff5abc488f31cb
    Key Type: RSA
    Domains: pikeen.it www.pikeen.it
    Expiry Date: 2022-11-03 15:24:40+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.pikeen.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.pikeen.it/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Ah. nginx is looking for cert named pikeen.it but your current one is the www name.

Let's look at nginx -T again and make sure we change the right things. Same as before with the backticks.

4 Likes
sudo nginx -T
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/pikeen.it/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/pikeen.it/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

So, I tried to add the missing certificate: worse

sudo certbot --nginx -d pikeen.it 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/pikeen.it/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/pikeen.it/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] cannot load certificate "/etc/letsencrypt/live/pikeen.it/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/pikeen.it/fullchain.pem, r) error:10000080:BIO routines::no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')

Can you show the contents of the file(s) in /sites-enabled/ ? We'll just modify them by hand

4 Likes

# Default server configuration
#

server {

    server_name www.pikeen.it pikeen.it; # managed by Certbot

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:3000;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pikeen.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pikeen.it/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name www.pikeen.it pikeen.it;
    return 404; # managed by Certbot

}

Change above two lines to this (just adding www in front of pikeen.it)

    ssl_certificate /etc/letsencrypt/live/www.pikeen.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.pikeen.it/privkey.pem; # managed by Certbot

Then, just show result of nginx -t but do not run certbot yet !

4 Likes

here it is:


server {

    server_name www.pikeen.it pikeen.it; # managed by Certbot

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:3000;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.pikeen.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.pikeen.it/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = pikeen.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name www.pikeen.it pikeen.it;
    return 404; # managed by Certbot

}

Is nginx -t successful?

4 Likes

You tried to get a new certificate where instead you need to reconfigure your nginx to use the already existing certificate.

As @MikeMcQ already has instructed you patiently I see :slight_smile:

3 Likes
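
The mismatch diagnosed in this thread (nginx pointing at live/pikeen.it while the only certbot lineage is www.pikeen.it) can be checked mechanically before touching certbot. The script below is an added example, not part of any post above: the function name missing_cert_paths and the temp-directory layout are assumptions made for the demonstration, with a constructed config standing in for /etc/nginx/sites-enabled/default and a constructed directory standing in for /etc/letsencrypt/live.

```shell
#!/bin/sh
# Added example (not from the thread): find ssl_certificate / ssl_certificate_key
# paths in an nginx config that do not exist, and point at certbot lineages
# under LIVE_DIR that hold a file of the same name.

# missing_cert_paths CONF LIVE_DIR   (hypothetical helper name)
# Prints "<directive> <path> missing; found in: <candidates>" per bad path.
# Returns 1 if any referenced file is missing, 0 if all exist.
missing_cert_paths() {
    conf=$1; live=$2; status=0
    # Reduce each matching directive to "name path", dropping ';' and comments.
    pairs=$(sed -n 's/^[[:space:]]*\(ssl_certificate\(_key\)\{0,1\}\)[[:space:]]\{1,\}\([^;[:space:]]*\);.*$/\1 \3/p' "$conf")
    while read -r directive path; do
        [ -n "$path" ] || continue
        if [ -e "$path" ]; then continue; fi
        status=1
        found=
        # Look in every lineage directory for a file with the same name.
        for f in "$live"/*/"${path##*/}"; do
            if [ -e "$f" ]; then found="$found $f"; fi
        done
        printf '%s %s missing; found in:%s\n' "$directive" "$path" "${found:- none}"
    done <<EOF
$pairs
EOF
    return "$status"
}

# Constructed sample mirroring the thread: the only lineage is www.pikeen.it,
# but the server block references live/pikeen.it.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/live/www.pikeen.it"
    : > "$root/live/www.pikeen.it/fullchain.pem"
    : > "$root/live/www.pikeen.it/privkey.pem"
    cat > "$root/default" <<EOF
server {
    listen 443 ssl; # managed by Certbot
    ssl_certificate $root/live/pikeen.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key $root/live/pikeen.it/privkey.pem; # managed by Certbot
}
EOF
    missing_cert_paths "$root/default" "$root/live"
    rc=$?
    rm -rf "$root"
    return "$rc"
}

demo || echo "fix the paths before running nginx -t or certbot --nginx"
```

On a real host the two arguments would be the file in /etc/nginx/sites-enabled/ and /etc/letsencrypt/live, run with enough privilege to read the live directory.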

yes, it is.

Good. So, do

sudo systemctl restart nginx
4 Likes

Yes, you are right, but should I request a new certificate anyway or not?

And yes, @MikeMcQ is driving me step by step, with infinite patience.

1 Like