Can't create cert for subdomain

My domain is: http://larademo.ratrakone.com

I ran this command: sudo certbot --nginx -d ratrakone.com -d www.ratrakone.com -d larademo.ratrakone.com

It produced this output:

sudo certbot --nginx -d ratrakone.com -d www.ratrakone.com -d larademo.ratrakone.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/ratrakone.com.conf)

It contains these names: ratrakone.com, www.ratrakone.com

You requested these names for the new certificate: ratrakone.com,
www.ratrakone.com, larademo.ratrakone.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate for ratrakone.com and 2 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: larademo.ratrakone.com
  Type:   unauthorized
  Detail: 2a10:9c80::193:163:77:250: Invalid response from http://larademo.ratrakone.com/.well-known/acme-challenge/RDZCSJMTQfuB-pw7qpKNvQTpXSefoBlFpDOwim0ZAFw: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Ubuntu 22.04 LTS

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: hostcreators.sk

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

I ran certbot for the top-level domain https://ratrakone.com and it works.
Then I copied the .conf file and adjusted it for the subdomain, which doesn't work anymore.

server {
    server_name larademo.ratrakone.com www.larademo.ratrakone.com;

    root /var/www/html/ratrakone.com/sub/larademo/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";

    index index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

Next I tried to create a file on this path /var/www/html/ratrakone.com/sub/larademo/public/.well-known/acme-challenge and access it from a browser. That worked and I saw the contents of test.txt on this path.

I also transferred ownership and group to www-data and set chmod 775 for the public directory and 777 for the storage directory (Laravel).

I set the CNAME entry of *.ratrakone.com to ratrakone.com.

Is there anything I'm missing? I will be very thankful for answers; I already spent two days on this issue trying to solve it myself.

tail -100 of the letsencrypt.log:

2024-07-23 13:50:36,058:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/380817333187:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTg1MjE5MzAzNyIsICJub25jZSI6ICJncEJqTF8zaVRUWG1NUFd3OC1mU1JjaWNEcU94TXJOcndOamVfd0ZXVW1ieFR0dnByUmciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM4MDgxNzMzMzE4NyJ9",
  "signature": "n_e7gJBKD-YilpDVz6vK0tB_JZ9-dpicN9HKKj5oemBHmpK-A9kSIvkQLLIX0Hac_Qnjp2jqkQBdapgU6Y5UCwZduKl9KNw5doeiIjE3CBJH6kNJi94481TH5Pnf7jt2hxzGdC6y-X3Bt7F2Dgg8kfjYejkvKP1n-8rF-_Ko7blvvfYEBLw1Uo3Jij4R_Q7GVgzWa1-WzmoyIb-QUlOh_goyHbr9jBEdENJlb4zhihcmvSFk2Ert6w2ctuUMgf7rkf3kaXzwVL_ozLIrLoFczb10KNPJMWpKxAc84DmkDFQBVrMupbSxoO7-4dN-t5e77FJz4YdE51Mu_Vqa_Qf_2Q",
  "payload": ""
}
2024-07-23 13:50:36,241:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/380817333187 HTTP/1.1" 200 1122
2024-07-23 13:50:36,243:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 23 Jul 2024 13:50:36 GMT
Content-Type: application/json
Content-Length: 1122
Connection: keep-alive
Boulder-Requester: 1852193037
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: biP_gDtCf5mrgsOlKwNab4xQBt5WpHmR0QB_DuwQRDILV_ptAUY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "larademo.ratrakone.com"
  },
  "status": "invalid",
  "expires": "2024-07-30T13:50:30Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/380817333187/lQ6TrQ",
      "status": "invalid",
      "validated": "2024-07-23T13:50:31Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "2a10:9c80::193:163:77:250: Invalid response from http://larademo.ratrakone.com/.well-known/acme-challenge/So8G6DS9HD_udBInIatH-5KT0W3EYvOOhI32hzzzcL8: 404",     
        "status": 403
      },
      "token": "So8G6DS9HD_udBInIatH-5KT0W3EYvOOhI32hzzzcL8",
      "validationRecord": [
        {
          "url": "http://larademo.ratrakone.com/.well-known/acme-challenge/So8G6DS9HD_udBInIatH-5KT0W3EYvOOhI32hzzzcL8",
          "hostname": "larademo.ratrakone.com",
          "port": "80",
          "addressesResolved": [
            "193.163.77.250",
            "2a10:9c80::193:163:77:250"
          ],
          "addressUsed": "2a10:9c80::193:163:77:250"
        }
      ]
    }
  ]
}
2024-07-23 13:50:36,243:DEBUG:acme.client:Storing nonce: biP_gDtCf5mrgsOlKwNab4xQBt5WpHmR0QB_DuwQRDILV_ptAUY
2024-07-23 13:50:36,244:INFO:certbot._internal.auth_handler:Challenge failed for domain larademo.ratrakone.com
2024-07-23 13:50:36,244:INFO:certbot._internal.auth_handler:http-01 challenge for larademo.ratrakone.com
2024-07-23 13:50:36,244:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: larademo.ratrakone.com
  Type:   unauthorized
  Detail: 2a10:9c80::193:163:77:250: Invalid response from http://larademo.ratrakone.com/.well-known/acme-challenge/So8G6DS9HD_udBInIatH-5KT0W3EYvOOhI32hzzzcL8: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2024-07-23 13:50:36,246:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-07-23 13:50:36,246:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-07-23 13:50:36,246:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-07-23 13:50:37,442:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/3834/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/main.py", line 1450, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-07-23 13:50:37,445:ERROR:certbot._internal.log:Some challenges have failed.

I think something is wrong with your nginx config. Can you show output of this?

sudo nginx -T

Output will be long. If you prefer, run sudo nginx -T >config.txt and upload the config.txt.
An uppercase T is essential.

A couple of things, though, in case this helps you sort it out:

I don't see any listen statements in that server block. You should have one for IPv4 and one for IPv6.

I also see the test.txt file in that folder. But, the --nginx option adds temp changes to your nginx server block to reply to the challenge directly. So, that test isn't that helpful. It would be helpful if using --webroot but I think something more fundamental is wrong in your nginx conf.

Also, this regex hurts my brain this early in the day, but what were you trying to achieve with this?

3 Likes

I assumed the regex would disallow users from directly accessing files that weren't being shown by the Laravel app. Anyway, I just took it from here: https://gist.github.com/alfajrimutawadhi/2b9600ab13eca041e4bd02a6c21424ff
Anyway, I'll remove the regex.

Here is the output of -T:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

# configuration file /etc/nginx/sites-enabled/larademo.ratrakone.com.conf:
server {
     server_name larademo.ratrakone.com www.larademo.ratrakone.com;

     root /var/www/html/ratrakone.com/sub/larademo/public;

     add_header X-Frame-Options "SAMEORIGIN";
     add_header X-Content-Type-Options "nosniff";

     index index.php;

     charset utf-8;

     location / {
             try_files $uri $uri/ /index.php?$query_string;
     }

     location = /favicon.ico { access_log off; log_not_found off; }
     location = /robots.txt  { access_log off; log_not_found off; }

     error_page 404 /index.php;

     location ~ \.php$ {
             fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
             fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
             include fastcgi_params;
     }

     location ~ /\.(?!well-known).* {
             deny all;
     }
}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/sites-enabled/ratrakone.com.conf:
server {
     server_name ratrakone.com www.ratrakone.com;

     root /var/www/html/ratrakone.com/web/public;

     add_header X-Frame-Options "SAMEORIGIN";
     add_header X-Content-Type-Options "nosniff";

     index index.php;

     location / {
          try_files $uri $uri/ /index.php?$query_string;
     }

     location = /favicon.ico { access_log off; log_not_found off; }
     location = /robots.txt  { access_log off; log_not_found off; }

     location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ratrakone.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ratrakone.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot




}
server {
    if ($host = www.ratrakone.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = ratrakone.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


     listen 80;
     listen [::]:80;
     server_name ratrakone.com www.ratrakone.com;
    return 404; # managed by Certbot




}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

You must have made a mistake adding the new domain name into your config. Because as you can see from that output the new name is not there.

3 Likes

Could you please be more specific? I'm reading the file and I'm seeing both ratrakone.com and larademo.ratrakone.com there.
I also listed sites-enabled and both sites have a symlink created, which is then loaded by include /etc/nginx/sites-enabled/*;, if I'm not wrong.

The part that is missing the subdomain would be

     listen 80;
     listen [::]:80;
     server_name ratrakone.com www.ratrakone.com;
    return 404; # managed by Certbot

which is, however, generated by certbot, so I didn't want to modify it so that my renew process won't be damaged.

1 Like

Oof. Yes, I totally mis-read that.

But, the problem is that you are missing the listen statements in your server block for larademo. I believe the default is to only listen on IPv4. But, you have IPv6 active so need to listen to that too. You have that in your default server block (and the one for your apex name and its www) so you need it in larademo server block too.

Without this, your default server block is replying to the inbound HTTP request on IPv6.

Specifically, add these two listen statements to larademo like you have in your apex name block.

(we cross-posted a bit)

5 Likes
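An added shell check, not from the thread or from certbot, that parses a `sudo nginx -T` dump and reports which server blocks have no explicit `listen` for IPv4 and/or IPv6, the condition the answer above identifies. The sample dump and the `*.example.test` hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit "sudo nginx -T" output for server
# blocks that lack an explicit listen directive for IPv4 and/or IPv6. A block
# with no listen at all falls back to nginx's default (*:80, IPv4 only), so an
# IPv6 request for that name is answered by the default_server instead, which
# is how the ACME http-01 check above ended up with a 404.
audit_listen() {   # reads an nginx -T dump on stdin, prints "VERDICT<TAB>server_name"
    awk '
    BEGIN { depth = 0; inserver = 0 }
    {
        line = $0
        sub(/#.*/, "", line)                        # ignore comments
        if (!inserver && line ~ /^[ \t]*server[ \t]*\{/) {
            inserver = 1; sdepth = depth + 1        # brace depth inside this server {}
            names = ""; v4 = 0; v6 = 0
        } else if (inserver) {
            if (line ~ /^[ \t]*server_name[ \t]/) {
                sub(/^[ \t]*server_name[ \t]+/, "", line); sub(/;.*/, "", line)
                names = line
            } else if (line ~ /^[ \t]*listen[ \t]/) {
                if (line ~ /\[::\]/) v6 = 1; else v4 = 1
            }
        }
        depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
        if (inserver && depth < sdepth) {           # closing brace of the server block
            if (v4 && v6)        verdict = "OK"
            else if (!v4 && !v6) verdict = "NO-LISTEN"
            else if (v4)         verdict = "MISSING-IPV6"
            else                 verdict = "MISSING-IPV4"
            printf "%s\t%s\n", verdict, (names == "" ? "(no server_name)" : names)
            inserver = 0
        }
    }'
}

# Constructed sample dump (placeholder hostnames, not the thread's real config):
# a default server, a subdomain block with no listen lines, one with IPv4 only,
# and the same subdomain block with the two listen lines the answer recommends.
SAMPLE='http {
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
    }
    # configuration file /etc/nginx/sites-enabled/larademo.example.test.conf:
    server {
        server_name larademo.example.test www.larademo.example.test;
        root /var/www/html/larademo/public;
        location / { try_files $uri $uri/ /index.php?$query_string; }
        location ~ /\.(?!well-known).* { deny all; }
    }
    server {
        listen 80;
        server_name v4only.example.test;
    }
    server {
        listen 80;
        listen [::]:80;
        server_name fixed.example.test;
        location / { try_files $uri $uri/ =404; }
    }
}'

verdict_for() {   # usage: verdict_for <server_name>; prints that block's verdict
    printf '%s\n' "$SAMPLE" | audit_listen | awk -v n="$1" 'index($0, n) { print $1 }'
}

printf '%s\n' "$SAMPLE" | audit_listen
```

Run it as `sudo nginx -T | audit_listen` on a real host; any block reported as NO-LISTEN or MISSING-IPV6 whose name has an AAAA record will have its IPv6 traffic answered by the default_server.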
