Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: app01.trnetworkconsulting.com
I ran this command: nginx -t
It produced this output:
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/certs/zabbix_example.crt"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
My web server is (include version): Nginx
The operating system my web server runs on is (include version):
NAME="CentOS Stream"
VERSION="8"
4.18.0-499.el8.x86_64
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0
I ran through the Let's Encrypt SSL certificate process with the certbot, but it failed. I have been troubleshooting this issue for a while now.
At this point, I am thoroughly confused as to all of the moving parts required for this to work. The site is currently inaccessible, after I made the last entry. It appears it is looking to the /etc/ssl/certs directory for a crt file. When I look at the zabbix.conf file, there is no mention of the crt file.
I really need to get this up and running so I can configure our integrations with Zabbix.
Now I am not getting any errors when I run a "nginx -t", but the site still doesn't show at all.
What am I missing?
rg305
August 1, 2023, 3:50pm
2
Hi @trnetwork, and welcome to the LE community forum
trnetwork:
What am I missing?
Let's review the basics...
Please show the outputs of the following:
certbot certificates
cat /etc/ssl/certs/zabbix_example.crt
nginx -T
4 Likes
Found the following certs:
Certificate Name: app01.trnetworkconsulting.com
Serial Number: 4d5bc00caa9f5fcff619090499979c2bf9c
Key Type: ECDSA
Domains: app01.trnetworkconsulting.com
Expiry Date: 2023-09-28 11:17:09+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/app01.trnetworkconsulting.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/app01.trnetworkconsulting.com/privkey.pem
[root@app01 conf.d]# cat /etc/ssl/certs/zabbix_example.crt
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[root@app01 conf.d]# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
worker_priority -5;
worker_rlimit_nofile 256000;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 5120;
use epoll;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main
'$http_x_forwarded_for - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
access_log /var/log/nginx/access.log main;
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
client_header_timeout 5m;
client_body_timeout 5m;
send_timeout 5m;
connection_pool_size 4096;
client_header_buffer_size 4k;
large_client_header_buffers 4 4k;
request_pool_size 4k;
reset_timedout_connection on;
gzip on;
gzip_min_length 100;
gzip_buffers 4 8k;
gzip_comp_level 5;
gzip_types text/plain text/css text/xml application/x-javascript application/xml application/xhtml+xml;
types_hash_max_size 2048;
output_buffers 128 512k;
postpone_output 1460;
aio on;
directio 512;
sendfile on;
client_max_body_size 8m;
fastcgi_intercept_errors on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
ignore_invalid_headers on;
index index.php;
server_tokens off;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/php-fpm.conf:
# PHP-FPM FastCGI server
# network or unix domain socket configuration
upstream php-fpm {
server unix:/run/php-fpm/www.sock;
}
# configuration file /etc/nginx/conf.d/zabbix.conf:
server {
listen 443 ssl;
server_name app01.trnetworkconsulting.com;
index index.php;
# server_name zabbix;
ssl_certificate /etc/letsencrypt/live/app01.trnetworkconsulting.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app01.trnetworkconsulting.com/privkey.pem;
# certbot validation
location ^~ /.well-known/ {
alias /usr/share/nginx/html/.well-known/;
}
return 301 https://$host$request_uri;
}
# configuration file /etc/nginx/conf.d/zabbix_ssl.conf:
server {
listen 0.0.0.0:443 ssl http2;
# server_name app01.trnetworkconsulting.com;
index index.php;
root $webroot;
charset utf8;
set $webroot '/usr/share/zabbix';
access_log /var/log/nginx/zabbix_access_ssl.log main;
error_log /var/log/nginx/zabbix_error_ssl.log error;
ssl_stapling on;
ssl_stapling_verify on;
#resolver 192.168.13.160 192.168.10.24;
ssl_certificate /etc/letsencrypt/live/app01.trnetworkconsulting.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app01.trnetworkconsulting.com/privkey.pem;
ssl_dhparam /etc/ssl/private/zabbix_dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_verify_depth 3;
#ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
#ssl_session_cache shared:SSL:10m;
ssl_session_cache shared:MozSSL:10m;
ssl_session_timeout 1d;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location = /favicon.ico {
log_not_found off;
}
location / {
index index.php;
try_files $uri $uri/ =404;
}
location ~* ^.+.(js|css|png|jpg|jpeg|gif|ico)$ {
access_log off;
expires 10d;
}
location ~ /\.ht {
deny all;
}
location ~ /(api\/|conf[^\.]|include|locale) {
deny all;
return 404;
}
location ~ [^/]\.php(/|$) {
fastcgi_pass unix:/run/php-fpm/zabbix.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
rg305
August 1, 2023, 4:18pm
4
This file doesn't make much sense:
It listens on 443 and redirects those requests back to itself [443/same name/same path].
# configuration file /etc/nginx/conf.d/zabbix.conf:
server {
listen 443 ssl;
server_name app01.trnetworkconsulting.com;
index index.php;
# server_name zabbix;
ssl_certificate /etc/letsencrypt/live/app01.trnetworkconsulting.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app01.trnetworkconsulting.com/privkey.pem;
# certbot validation
location ^~ /.well-known/ {
alias /usr/share/nginx/html/.well-known/;
}
return 301 https://$host$request_uri;
}
This file has no server_name, so I'm not sure what name would be used: [but since it's the only other vhost and there exists a name:port conflict, it must be using the same name]
# configuration file /etc/nginx/conf.d/zabbix_ssl.conf:
server {
listen 0.0.0.0:443 ssl http2;
# server_name app01.trnetworkconsulting.com;
index index.php;
root $webroot;
charset utf8;
set $webroot '/usr/share/zabbix';
access_log /var/log/nginx/zabbix_access_ssl.log main;
error_log /var/log/nginx/zabbix_error_ssl.log error;
ssl_stapling on;
ssl_stapling_verify on;
#resolver 192.168.13.160 192.168.10.24;
ssl_certificate /etc/letsencrypt/live/app01.trnetworkconsulting.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app01.trnetworkconsulting.com/privkey.pem;
ssl_dhparam /etc/ssl/private/zabbix_dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_verify_depth 3;
#ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
#ssl_session_cache shared:SSL:10m;
ssl_session_cache shared:MozSSL:10m;
ssl_session_timeout 1d;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location = /favicon.ico {
log_not_found off;
}
location / {
index index.php;
try_files $uri $uri/ =404;
}
location ~* ^.+.(js|css|png|jpg|jpeg|gif|ico)$ {
access_log off;
expires 10d;
}
location ~ /\.ht {
deny all;
}
location ~ /(api\/|conf[^\.]|include|locale) {
deny all;
return 404;
}
location ~ [^/]\.php(/|$) {
fastcgi_pass unix:/run/php-fpm/zabbix.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}
3 Likes
I didn't see the server_name commented out. The FQDN server name is app01.trnetworkconsulting.com.
I am quite new to this, and the installation of the SSL certificate was not as easy as the instructions made it sound. There must have been some prerequisites that needed to be performed to make this process work flawlessly. I did not see those.
Knowing this, what do I need to do to get the SSL certificate to be read correctly so the site will be operational on the new SSL certificate?
rg305
August 1, 2023, 5:31pm
6
The first vhost seems like it should have been for port 80 [not 443].
If so, change the port and remove the lines:
3 Likes
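To make rg305's advice concrete, here is what the two files look like once the first vhost is moved to port 80 and stripped of its TLS directives, and the second one gets its server_name back. This is an added example, not the configuration rg305 or the Zabbix project posted: the certificate, socket and document-root paths are the ones from the thread; the IPv6 listen lines and the resolver address (used for OCSP stapling) are assumptions to adapt to your host. Directives not shown here (cipher list, dhparam, the CSP header, static-file caching) carry over unchanged from the posted zabbix_ssl.conf.

```nginx
# /etc/nginx/conf.d/zabbix.conf -- plain HTTP: serve ACME challenges, redirect everything else
server {
    listen 80;
    listen [::]:80;                      # assumption: host has IPv6; drop if not
    server_name app01.trnetworkconsulting.com;

    # certbot --webroot -w /usr/share/nginx/html writes its token files here.
    # Scoped to acme-challenge only so nothing else under .well-known is exposed.
    location ^~ /.well-known/acme-challenge/ {
        alias /usr/share/nginx/html/.well-known/acme-challenge/;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# /etc/nginx/conf.d/zabbix_ssl.conf -- the only listener on 443 for this name
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;           # assumption, as above
    server_name app01.trnetworkconsulting.com;   # no longer commented out

    root  /usr/share/zabbix;             # literal path instead of "root $webroot" + set
    index index.php;

    access_log /var/log/nginx/zabbix_access_ssl.log main;
    error_log  /var/log/nginx/zabbix_error_ssl.log error;

    ssl_certificate     /etc/letsencrypt/live/app01.trnetworkconsulting.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app01.trnetworkconsulting.com/privkey.pem;

    # OCSP stapling: nginx needs the issuer certificate to verify the staple (chain.pem,
    # which certbot writes next to fullchain.pem) and a resolver to reach the OCSP responder.
    # Without the issuer it logs the "issuer certificate not found" warning and serves no staple.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/app01.trnetworkconsulting.com/chain.pem;
    resolver 127.0.0.1 valid=300s;       # assumption: a local caching resolver; use your own
    resolver_timeout 5s;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    # Keep the Zabbix frontend's internal directories off the web (as in the posted file).
    location ~ /\.ht { deny all; }
    location ~ /(api\/|conf[^\.]|include|locale) { deny all; return 404; }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        set $path_info $fastcgi_path_info;      # try_files below resets $fastcgi_path_info
        try_files $fastcgi_script_name =404;    # refuse paths that map to no real .php file
        fastcgi_pass unix:/run/php-fpm/zabbix.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
    }
}
```

After editing, `nginx -t` should report success without the ssl_stapling warning, `systemctl reload nginx` applies it, and `certbot renew --dry-run` confirms the port-80 challenge path still works for renewals.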
Thank you. I think I got it working as it should be.
1 Like
Not quite. It looks like a firewall is blocking port 443 (HTTPS). The HTTP (port 80) requests are working well now, just not HTTPS.
Try this SSL Checker test site (link here).
3 Likes
Thanks Mike for pointing this out to me. So, what setting am I missing? Is that in the zabbix_conf file?
2 Likes
Now I know what is going on. I set up firewall rules to lock that down to my VPN IP so as to create a bubble around the environment so others couldn't even see the page.
I ran the check and it shows fine, per this link: SSL Checker (decoder.link)
1 Like
Yes, connections work fine now. It is using the cert you created on Jun30 expiring Sep28, which is also the cert shown earlier with certbot certificates. So, that all matches.
But, you got a cert on July10 expiring Oct8. It's okay to use any valid cert. But, it is unusual to not have the latest cert on your system.
If you know all about that then never mind.
3 Likes
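The check Mike did by hand (which certificate the site actually serves, and whether it is the newest one certbot holds locally) can be scripted. The following is an added example, not code from the thread or from certbot: it parses the human-readable `certbot certificates` listing shown earlier, fetches the served leaf with the Python standard library, and compares serial numbers. The sample listing is constructed (the second entry's name, serial and dates are placeholders for a later issuance).

```python
"""Compare the certificate a TLS endpoint serves with those certbot manages locally.
Added example; assumes the `certbot certificates` text format shown in the thread."""
import re
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample of `certbot certificates` output. The first entry mirrors the
# thread; the second (name, serial, dates) is a placeholder for a later issuance.
SAMPLE_CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: app01.example.com
    Serial Number: 4d5bc00caa9f5fcff619090499979c2bf9c
    Key Type: ECDSA
    Domains: app01.example.com
    Expiry Date: 2023-09-28 11:17:09+00:00 (VALID: 57 days)
    Certificate Path: /etc/letsencrypt/live/app01.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/app01.example.com/privkey.pem
  Certificate Name: app01.example.com-0001
    Serial Number: 0123456789abcdef0123456789abcdef01
    Key Type: ECDSA
    Domains: app01.example.com
    Expiry Date: 2023-10-08 09:00:00+00:00 (VALID: 67 days)
    Certificate Path: /etc/letsencrypt/live/app01.example.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/app01.example.com-0001/privkey.pem
"""


@dataclass
class LocalCert:
    name: str
    serial: str          # normalised: lowercase hex, no leading zeros
    expiry: datetime     # timezone-aware


def normalise_serial(serial: str) -> str:
    """certbot prints lowercase hex, ssl.getpeercert() returns uppercase hex and some
    tools insert colons; reduce every form to one comparable string."""
    return re.sub(r"[^0-9a-f]", "", serial.lower()).lstrip("0")


def parse_certbot_certificates(text: str) -> List[LocalCert]:
    """Parse the human-readable `certbot certificates` listing into LocalCert records."""
    certs: List[LocalCert] = []
    fields: dict = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Certificate Name":
            if {"name", "serial", "expiry"} <= fields.keys():
                certs.append(LocalCert(**fields))
            fields = {"name": value}
        elif key == "Serial Number":
            fields["serial"] = normalise_serial(value)
        elif key == "Expiry Date":
            # drop the trailing "(VALID: n days)" annotation before parsing
            fields["expiry"] = datetime.fromisoformat(value.split(" (")[0])
    if {"name", "serial", "expiry"} <= fields.keys():
        certs.append(LocalCert(**fields))
    return certs


def fetch_served_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with SNI, as a browser would, and return the leaf certificate the
    server presents (ssl.getpeercert() dict). Needs network access; not run in tests."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def compare(local: List[LocalCert], served_serial: str, served_not_after: str,
            now: Optional[datetime] = None) -> Tuple[str, int]:
    """Return (verdict, days_left). served_not_after is getpeercert()['notAfter'],
    e.g. 'Sep 28 11:17:09 2023 GMT'; verdict flags an unmanaged or stale certificate."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(served_not_after), tz=timezone.utc)
    days_left = (expiry - now).days
    served = normalise_serial(served_serial)
    match = next((c for c in local if c.serial == served), None)
    if match is None:
        return "served-cert-not-managed-locally", days_left
    newest = max(local, key=lambda c: c.expiry)
    if newest.expiry > match.expiry:
        return f"stale: serving {match.name}, newer {newest.name} is installed", days_left
    return "ok", days_left


if __name__ == "__main__":
    import subprocess
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "app01.example.com"
    listing = subprocess.run(["certbot", "certificates"], capture_output=True,
                             text=True, check=True).stdout
    leaf = fetch_served_cert(host)
    print(compare(parse_certbot_certificates(listing), leaf["serialNumber"], leaf["notAfter"]))
```

Run it as root on the web host with the site's name as the argument; a "stale" verdict is exactly the situation Mike describes (a valid but superseded certificate still loaded), and "served-cert-not-managed-locally" means the listener is presenting a certificate from somewhere other than the certbot live directory, which is worth investigating.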
system
Closed
August 31, 2023, 7:59pm
12
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.