First of all I am not a native speaker so please excuse any humble or strange expression. Thanks in advance!
I am not new to setting up mostly Apache based servers hosted on my own computers (I once had the very first CERN html sites hosted on a Macintosh Plus with 4 MB of RAM and a NextCube for documentation purposes) but I am new to nginx. I am hosting my WordPress installation on a Raspberry Pi 5 with 16 GB of RAM. I followed the installation guides of PHP, phpMyAdmin, MySQL and nginx on PiMyLifeUp. And now I want to use SSL on my nginx server.
My domain uses No-IP. My Plex server and my SFTP server are running fine, no troubles here.
I installed certbot and linked it to Let's encrypt, I double-checked that certificates are installed. Renewing with
sudo certbot renew
is not possible as they expire somewhere within the next 80 days so I guess the certificates a) are installed and b) are installed in the right place. So far so good.
Before installing certbot for nginx I could reach my Wordpress page locally and from the internet without any troubles as https was not implemented. After installing certbot, the certificates and else on my Raspberry Pi (not using any docker installations) I still can reach my WordPress installation by using the local IP adress (made static by my router) and using "https://". Whenever reaching out to my WordPress installation from somewhere else outside my local network something odd is happening. Typing the domain name ("registered" at No-IP) like "https://example.ddns.net" followed by the WordPress login " .../wp-admin/ " all of my browsers change to "https://IP-adress of Raspberry Pi/wp-admin/". I am not able to log into my WordPress installation outside my local network as the server is not found.
I've been fiddling around with nginx configuration files many hours by now still not understanding where the problem is. Whenever using
nginx -t
or
nginx -T
or variants of this using sudo terminal throws me this:
2025/05/19 16:16:02 [warn] 20899#20899: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2025/05/19 16:16:02 [emerg] 20899#20899: cannot load certificate "/etc/letsencrypt/live/mychosen.ddns.net/fullchain.pem": BIO_new_file() failed (SSL: error:8000000D:system library::Permission denied:calling fopen(/etc/letsencrypt/live/mychosenname.ddns.net/fullchain.pem, r) error:10080002:BIO routines::system lib)
I changed the rights on fullchain.pem to 644 and 777 in between but the error message stays the same. I am pretty sure that I made the chown process as sudo, so I do not understand why nginx (or the www user) still isn't able to pick up the certificates. Furthermore I am not able to get a solution for another strange behaviour. Whenever using
systemctl status nginx.service
terminal throws me this:
Mai 19 14:41:38 raspberrypi systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...
Mai 19 14:41:38 raspberrypi nginx[17106]: 2025/05/19 14:41:38 [warn] 17106#17106: conflicting server name "chosenname.ddns.net" on 0.0.0.0:80, ignored
Mai 19 14:41:38 raspberrypi nginx[17106]: 2025/05/19 14:41:38 [warn] 17106#17106: conflicting server name "chosenname.ddns.net" on [::]:80, ignored
Mai 19 14:41:38 raspberrypi nginx[17106]: 2025/05/19 14:41:38 [warn] 17106#17106: conflicting server name "chosenname.ddns.net" on 0.0.0.0:443, ignored
Mai 19 14:41:38 raspberrypi nginx[17107]: 2025/05/19 14:41:38 [warn] 17107#17107: conflicting server name "chosenname.ddns.net" on 0.0.0.0:80, ignored
Mai 19 14:41:38 raspberrypi nginx[17107]: 2025/05/19 14:41:38 [warn] 17107#17107: conflicting server name "chosenname.ddns.net" on [::]:80, ignored
Mai 19 14:41:38 raspberrypi nginx[17107]: 2025/05/19 14:41:38 [warn] 17107#17107: conflicting server name "chosenname.ddns.net" on 0.0.0.0:443, ignored
Mai 19 14:41:38 raspberrypi systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server.
As far as I understand this message by now my nginx seems to have at least two server block definitions unsing the same domain name. Am I right? It took my at least three hours to find out that the standard nginx configuration file has dependencies from a "default" file.... I am pretty stuck by now and any help is very appreciated! Thanks for any possible reply!
Thanks for taking a look into my request! Before getting into detail I would like to note that I re-installed Nginx (phpMyAdmin, MariaDB, PHP and several other things) several times, always ending up with more or less the same behaviour. Now the details... I followed the guide at
as it is covering not only Apache but Nginx, too. Before I had Pi-Hole 6 running, also several times re-installed (but now uninstalled). I did not use Pi-Hole as DNS or DHCP server. Pi-Hole some times interfered with my port forwarding as it was not using alternative ports the way it was supposed to. After deleting Pi-Hole and re-installing the complete NGinx-related server stuff the port problems have gone. Additional not: I was always able to ssh into my Raspberry Pi within the local network and from the outside. Now for the certbot stuff. Installed version is
certbot 2.1.0
As far as I know the most actual version. Now the certificates (please note that I am not providing the real name chosen with "No-IP" and in cases not the real IP of the Raspberry Pi within my network):
Found the following certs:
Certificate Name: mychosenname.ddns.net
Serial Number: 652df46e172c3bb669142bcc7d246b4a51c
Key Type: ECDSA
Domains: mychosenname.ddns.net
Expiry Date: 2025-08-17 09:13:56+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mychosenname.ddns.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mychosenname.ddns.net/privkey.pem
As You can see the certificates can not be renewed. I've been looking around the directories. At the given location of fullchain.pem and privkey.pem are just alias files stored, the real files are stored within /etc/letsencrypt/archive/ . I can not access that directory as normal user (but by sudo). In addition the file prefixes over there contain an additional "1* within their filenames at the end. Now for the big one (sudo nginx -T):
5/05/20 07:23:30 [warn] 63532#63532: conflicting server name "mychosenname.ddns.net" on 0.0.0.0:80, ignored
2025/05/20 07:23:30 [warn] 63532#63532: conflicting server name "mychosenname.ddns.net" on [::]:80, ignored
2025/05/20 07:23:30 [warn] 63532#63532: conflicting server name "mychosenname.ddns.net" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name mychosenname.ddns.net;
ssl_certificate /etc/letsencrypt/live/mychosenname.ddns.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mychosenname.ddns.net/privkey.pem;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name mychosenname.ddns.net; # managed by Certbot
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mychosenname.ddns.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mychosenname.ddns.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = mychosenname.ddns.net) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name mychosenname.ddns.net;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
In addition I would like to provide the Nginx configuration. Please have in mind that it took me some hours to find out that any SSL related modifications can NOT be placed into "nginx.conf" located at /etc/nginx . Modifications have to be made into the file "default" (no suffix...) located at /etc/nginx/sites-available/ . The only "error" I can think off regarding that configuration file is the fact "server" is appearing two times but I am not sure about that one:
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name mychosenname.ddns.net;
ssl_certificate /etc/letsencrypt/live/mychosenname.ddns.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mychosenname.ddns.net/privkey.pem;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name mychosenname.ddns.net; # managed by Certbot
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mychosenname.ddns.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mychosenname.ddns.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = mychosenname.ddns.net) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name mychosenname.ddns.net;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
pi@raspberrypi:~ $ sudo nano /etc/nginx/sites-available/default
GNU nano 7.2 /etc/nginx/sites-available/default
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name mychosenname.ddns.net;
ssl_certificate /etc/letsencrypt/live/mychosenname.ddns.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mychosenname.ddns.net/privkey.pem;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name mychosenname.ddns.net; # managed by Certbot
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mychosenname.ddns.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mychosenname.ddns.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = mychosenname.ddns.net) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name mychosenname.ddns.net;
return 404; # managed by Certbot
}
As already mentioned: This configuration does not interfere with my WordPress / Nginx when running without SSL at port 80, the installation is reachable from within and outside the network.
That is a significant error. There should be a unique combination of server_name(s) and listen port(s) for each server block. That message says there are multiple server blocks with the same name and port. nginx will ignore one.
Your problem is with the "default" server block. You want that to just be a default. You have specific server blocks for this domain name in sites-enabled so they overlap. Here are the key lines from your default:
As for this ... the file in .../live/... is a symlink to one in ../archive/...
Certbot rotates the ones in archive and the live symlink points to the latest.
When you were debugging your permissions problem did you also modify the ../archive/.. file?
Usually the nginx master runs as root and reads the cert files just once at startup. You need to reload or restart nginx for it to load a fresh copy of the cert files. With this setup you won't see a permissions problem because the cert files are loaded by the nginx master.
First of all I removed the user directive from nginx.conf - worked out well, no error message in that one. Dealing with the user permissions as sudo on
ended up in "file or directory not found", the same with privkey.pem . So I modified the ones at ---/live/... .Restarting nginx did not work. Calling the status throws me this:
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Wed 2025-05-21 17:18:14 CEST; 18s ago
Docs: man:nginx(8)
Process: 11376 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 11377 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
CPU: 29ms
Mai 21 17:18:12 raspberrypi nginx[11377]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Mai 21 17:18:12 raspberrypi nginx[11377]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Mai 21 17:18:13 raspberrypi nginx[11377]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Mai 21 17:18:13 raspberrypi nginx[11377]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Mai 21 17:18:13 raspberrypi nginx[11377]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Mai 21 17:18:13 raspberrypi nginx[11377]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Mai 21 17:18:14 raspberrypi nginx[11377]: nginx: [emerg] still could not bind()
Mai 21 17:18:14 raspberrypi systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mai 21 17:18:14 raspberrypi systemd[1]: nginx.service: Failed with result 'exit-code'.
Mai 21 17:18:14 raspberrypi systemd[1]: Failed to start nginx.service - A high performance web server and a reverse proxy server
Why the heck does the start daemon not run as master while the prestart does?
I modified the nginx "default" file once more, reduced it a bit, did not touch the nginx.conf file:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name mychosenname.ddns.net;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mychosenname.ddns.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mychosenname.ddns.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
As far as I understand Nginx by now this looks clean to me. The nginx.conf file should not interfere - as far as I understand Nginx:
x nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Wed 2025-05-21 17:31:37 CEST; 11min ago
Docs: man:nginx(8)
Process: 11783 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 11784 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
CPU: 23ms
Mai 21 17:31:36 raspberrypi nginx[11784]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Mai 21 17:31:36 raspberrypi nginx[11784]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Mai 21 17:31:36 raspberrypi nginx[11784]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Mai 21 17:31:36 raspberrypi nginx[11784]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Mai 21 17:31:37 raspberrypi nginx[11784]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Mai 21 17:31:37 raspberrypi nginx[11784]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Mai 21 17:31:37 raspberrypi nginx[11784]: nginx: [emerg] still could not bind()
Mai 21 17:31:37 raspberrypi systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mai 21 17:31:37 raspberrypi systemd[1]: nginx.service: Failed with result 'exit-code'.
Mai 21 17:31:37 raspberrypi systemd[1]: Failed to start nginx.service - A high performance web server and a reverse proxy server.
So I checked tcp and tcp6:
tcp6 0 0 :::80 :::* LISTEN 861/apache2
Apache? Regarding my nginx configuration I simply do not understand why root and www-data are listening to port 80 via IPv6 as apache commands. Apache is not installed, not a single package!
Well, it must be to be running on that system Somehow, somewhere
That looks like a damaged /archive/ file. The archive file names always have a sequence number.
If you want to experiment with different permissions please copy the Certbot files to a new location of you own. (maybe like /etc/ssl). It is best not to manually adjust the files in Certbot's folders. You can easily create a mess that is difficult to recover.
You need to get your system stable again just using just HTTP on port 80.
Given the kinds of problems you have had it might be better to avoid using the --nginx plugin. Or, at least use the certonly option like this
sudo certbot certonly --nginx -d DOMAIN
Using certonly ensures Certbot will not make permanent changes to your nginx config. This also means you need to create a server block for HTTPS (port 443) AFTER you successfully get a cert. Right now I think you need to reduce the number of "moving parts" and this is one way to do it.
The Mozilla configurator can help with the port 443 server block. Certbot does as well
Avoid using OCSP Stapling as Let's Encrypt is dropping and is nearly done. Avoids HSTS as well until you know for sure what that means. I set those options off in the link below
I know. It has been there once, it has gone in between. The only thing that changed in between is a Plex server update but I am sure that did not touch that directory or contained files.
Question: Could it be possible that the symlink ends up in some sort of loop looking for itself? I know, sounds weird but NGinx still is somewhat not very handy to me.
Ok, being a bit hazardous I wiped everything regarding Apache:
sudo apt-get remove apache2
rebooted the Raspberry, checking Plex, FTP and some other stuff. Restarting nginx with
systemctl status nginx.service
Resulted in:
* nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: active (running) since Wed 2025-05-21 18:34:02 CEST; 1min 0s ago
Docs: man:nginx(8)
Process: 21969 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 21971 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 21972 (nginx)
Tasks: 5 (limit: 19365)
CPU: 27ms
CGroup: /system.slice/nginx.service
|-21972 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
|-21973 "nginx: worker process"
|-21974 "nginx: worker process"
|-21975 "nginx: worker process"
`-21976 "nginx: worker process"
Mai 21 18:34:02 raspberrypi systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...
Mai 21 18:34:02 raspberrypi systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server.
Looks better than before. nginx -t still throws me this:
Your nginx config still has a server block that names that file. Perhaps the nginx conf remained even after reinstall
In any case, use sudo nginx -T to see your current active nginx config. All of it including every include and such.
You can post it here if you wish or just correct it. Don't just comment out the sslcertificate* related lines. Remove any unused server blocks.
If you need to post it here upload the config.txt from:
sudo nginx -T >config.txt
Do that from your home or a temp folder. We don't want that .txt mixed with your real nginx configs.
It won't until you fix the emerg grade error. Certbot --nginx needs to be able to reload nginx after Certbot makes temp changes. The reload will fail and so will cert request. I doubt it's because of permissions.
Works fine, index html and test php work on port 80 (right now I don't even think of SSL in any way). The file "default" looks like this:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
"nginx.pid" in /etc/run/ is at 644, "default" in /etc/nginx/sites-available/ at 644 and "nginx.conf" in /etc/nginx/ at 644, too. This is how nginx installs itself, did not touch any permissions. Running nginx -t results in:
2025/05/22 06:19:50 [warn] 3854#3854: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
2025/05/22 06:19:50 [emerg] 3854#3854: open() "/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
Running sudo nginx -t results this:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
nginx -T:
2025/05/22 06:21:26 [warn] 3895#3895: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
2025/05/22 06:21:26 [emerg] 3895#3895: open() "/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
sudo nginx -T:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
The file "nginx.pid" does exist at /run/ , at 644. Obviously the fresh installation of NGinx seems to install the pid-file with wrong permissions. Directory /run/ is at 755. I am confused even more by now. As far as I understood Nginx by now the nginx.pid should contain the ID of the active user, to be more exact: The "www-data" user defined by the worker process directive within the nginx.config. But to me exactly this user is not allowed to get hold of the nginx.pid right now.
Do I really have to mod the pid-file to 755 or even 777?
I think I chowned everything as described by You, Mike. Doing
ps aux | grep nginx
Gives me that:
root 108069 0.0 0.0 10384 1552 ? Ss 15:04 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 108070 0.0 0.0 10752 2112 ? S 15:04 0:00 nginx: worker process
www-data 108071 0.0 0.0 10752 4256 ? S 15:04 0:00 nginx: worker process
www-data 108072 0.0 0.0 10752 4256 ? S 15:04 0:00 nginx: worker process
www-data 108073 0.0 0.0 10752 2112 ? S 15:04 0:00 nginx: worker process
pi 109155 0.0 0.0 4032 1600 pts/1 S+ 15:09 0:00 grep --color=auto nginx
Should be ok. But when doing
nginx -t
I am still stuck at the old problem:
2025/05/22 15:05:08 [warn] 108222#108222: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
2025/05/22 15:05:08 [emerg] 108222#108222: open() "/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
Doing that nginx -t as sudo does not help much:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Somehow, somewhere