So revocation is not really a thing. It’s just local deletion with no propagation to the CA that says “hey, this site has revoked this cert, let’s mark it as deleted/untrusted.”
No, revocation is something with the CA, and it does indicate that the certificate is untrusted (for clients that check OCSP). It just isn’t part of how Let’s Encrypt calculates rate limits.
This was something I didn’t expect:
```nginx
listen [::]:443 ssl ipv6only=on; # managed by Certbot
```
I have been OK with the config file edits by Certbot but I’m not sure about this.
I decided to simply shut down the server that is affected by all of this. Evidently, I no longer have the capacity to manage all of this…stuff as I used to. A lot can happen in 24 hours, apparently. 24 hours ago, everything was working. Now, not so much. Since I have no idea when I can get a certificate installed and working, with or without surprises, maybe it’s best to close up shop.
How can you actually lose certificates that were issued? Certbot saves them all.
You have a valid certificate:
https://crt.sh/?id=1427289889
You can get it back from /etc/letsencrypt/archive/ and install it again until the rate limit is no longer blocking you.
That doesn't help if the certificate (and the private key) is deleted.
First Post:
Later:
If the private key is deleted, the download of the public certificate part doesn't help.
Never delete files if you don't have a backup.
Agreed, but the private keys are saved in the archive; why would anyone dig in the archive to delete files? Most people don't even know that certificate files are archived.
Edit: double checking: oh. I never noticed that the 'live' files are symlinked to the archive, not duplicated. That's not great.
My best option seems to be to start over with the most basic nginx config and add back all the customizations till it breaks again. Right now browsers are saying I have certificates but that they are wrong. Not sure how that works. In future I will make a timestamped copy of my configs so that I can recover from certbot edits that go wrong.
This seems conflicted: "you don't have what you asked for but congratulations for it all the same."
```text
IMPORTANT NOTES:
- Unable to install the certificate
Congratulations! Your certificate and chain have been saved at:
/usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
Your key file has been saved at:
/usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
Your cert will expire on 2019-08-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew all of
your certificates, run "certbot renew"
```
The files exist, symlinks and all.
```text
nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
```
What does `nginx -T` say?
Sorry for posting about a past question, not related to the immediate issue of @paulbeard, but I just like to understand mysterious problems, and for me this message ‘No certs found.’ for a ‘certbot certificates’ was one, and what @paulbeard could have deleted to generate it.
I ruled out rm /etc/letsencrypt, rm /etc/letsencrypt/live/mydomain/*… all this leads to error messages while running certbot certificates, not ‘No certs found’.
Looking at the code I was enlightened (I think so, at least). When running certbot certificates, the code looks first at the renewal configuration found in /etc/letsencrypt/renewal/mydomain.com.conf to search for the certificates, which are indeed stored in /etc/letsencrypt/archive and symlinked in /etc/letsencrypt/live/mydomain.
If the /etc/letsencrypt/renewal/mydomain.com.conf is missing, then certbot certificates returns ‘No certs found.’
And it could very well be the case that @paulbeard deleted nothing at all, and the removal (or messing up) of the renewal configuration file occurred through a misguided renewal attempt, since the renewal configuration file is recreated every time a certbot certificate creation is attempted.
Finally, I have changed my opinion: it’s ‘certbot certificates’ that is not really the best that it could be.
```nginx
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
# configuration file /usr/local/etc/nginx/nginx.conf:
# Generated by nginxconfig.io
# https://nginxconfig.io/?0.domain=paulbeard.org&0.path=%2Fusr%2Flocal&0.document_root=%2Fwww&0.non_www=false&0.wordpress&access_log=%2Fvar%2Flog%2Fhttpd%2Fhttpd-access.log&error_log=%2Fvar%2Flog%2Fhttpd%2Fhttpd-error.log%20warn&user=www&pid=%2Fvar%2Frun%2Fnginx.pid
user www;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
multi_accept on;
worker_connections 65535;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
client_max_body_size 16M;
# MIME
include mime.types;
default_type application/octet-stream;
# logging
access_log /var/log/httpd/httpd-access.log;
error_log /var/log/httpd/httpd-error.log warn;
# SSL
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
# OWASP B (Broad Compatibility) configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
# load configs
include /usr/local/etc/nginx/conf.d/*.conf;
include /usr/local/etc/nginx/sites-enabled/*;
}
# configuration file /usr/local/etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /usr/local/etc/nginx/sites-enabled/paulbeard.org.conf:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.paulbeard.org;
set $base /usr/local;
root $base/www;
# SSL
ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem;
ssl_trusted_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/chain.pem;
# security
include nginxconfig.io/security.conf;
# index.php
index index.php;
# index.php fallback
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# handle .php
location ~ \.php$ {
include nginxconfig.io/php_fastcgi.conf;
}
# additional config
include nginxconfig.io/general.conf;
include nginxconfig.io/wordpress.conf;
}
# non-www, subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .paulbeard.org;
# SSL
ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem;
ssl_trusted_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/chain.pem;
return 301 https://www.paulbeard.org$request_uri;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name .paulbeard.org;
include nginxconfig.io/letsencrypt.conf;
location / {
return 301 https://www.paulbeard.org$request_uri;
}
}
# configuration file /usr/local/etc/nginx/nginxconfig.io/security.conf:
# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}
# configuration file /usr/local/etc/nginx/nginxconfig.io/php_fastcgi.conf:
# 404
try_files $fastcgi_script_name =404;
# default fastcgi_params
include fastcgi_params;
# fastcgi settings
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
# fastcgi params
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
# configuration file /usr/local/etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /usr/local/etc/nginx/nginxconfig.io/general.conf:
# favicon.ico
location = /favicon.ico {
log_not_found off;
access_log off;
}
# robots.txt
location = /robots.txt {
log_not_found off;
access_log off;
}
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
expires 7d;
access_log off;
}
# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
expires 7d;
access_log off;
}
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# configuration file /usr/local/etc/nginx/nginxconfig.io/wordpress.conf:
# WordPress: allow TinyMCE
location = /wp-includes/js/tinymce/wp-tinymce.php {
include nginxconfig.io/php_fastcgi.conf;
}
# WordPress: deny wp-content, wp-includes php files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
deny all;
}
# WordPress: deny wp-content/uploads nasty stuff
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
deny all;
}
# WordPress: deny wp-content/plugins (except earlier rules)
location ~ ^/wp-content/plugins {
deny all;
}
# WordPress: deny scripts and styles concat
location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
deny all;
}
# WordPress: deny general stuff
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
deny all;
}
# configuration file /usr/local/etc/nginx/nginxconfig.io/letsencrypt.conf:
# ACME-challenge
location ^~ /.well-known/acme-challenge/ {
root /var/www/_letsencrypt;
}
```
Is this a wildcard server name?
It's possible that Certbot doesn't deal with wildcard server names. So Certbot doesn't understand your port 80 vHosts and doesn't know how to create the 443 port vHosts.
Hmm. Commented those out. That seems confusing.
The error Chrome returns is NET::ERR_CERT_COMMON_NAME_INVALID which seems like it should be telling me something.
The nginx config redirects the non-www to the www, but your certificate is only for the www version.
Note that you created several certificates, from
you seem to have created 4 valid certificates in 2 days, some of them having the 2 required names, some of them not (the one having a ‘1’ in #DNS Names). You are currently using one of these certificates.
This seems to be a pretty circular conversation. My certificates no longer work. I have too many, unintentionally; I am using the wrong ones, which is easy when you have more than one, but I have no idea how/if I can prune them down to where I have just one for the domain/three hostnames I want and just use that one certificate.
```nginx
# configuration file /usr/local/etc/nginx/nginx.conf:
user nobody;
worker_processes auto;
worker_cpu_affinity auto 0001;
pid /var/run/nginx.pid;
error_log /var/log/httpd/httpd-error.log;
events {
worker_connections 1024;
}
http {
fastcgi_buffers 16 32k;
fastcgi_param HTTP_PROXY "";
fastcgi_buffer_size 32k;
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/httpd/httpd-access.log main;
error_log /var/log/httpd/httpd-error.log;
sendfile on;
tcp_nopush on;
keepalive_timeout 300;
gzip on;
# Upstream to abstract backend connection(s) for PHP.
upstream php {
#this should match value of "listen" directive in php-fpm pool
#server 127.0.0.1:9000;
server unix:/tmp/php-fpm.sock;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header X-Clacks-Overhead "GNU Terry Pratchett";
# add Strict-Transport-Security to prevent man in the middle attacks
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
server_name www.paulbeard.org paulbeard.org;
return 301 https://$host$request_uri;
root /usr/local/www/;
disable_symlinks off;
location / {
root /usr/local/www/;
try_files $uri $uri/ /index.php?$args;
index index.html index.php;
}
if ($request ~* liker.profile_URL) {
return 301 http://www.answers.com/fail ;
}
location /wordpress {
try_files $uri /wordpress/index.php;
index index.html index.php;
}
location /cacti {
try_files $uri $uri/ /cacti/index.php;
index index.html index.php;
}
if ($host = www.paulbeard.org) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = paulbeard.org) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = cloud.paulbeard.org) {
return 301 https://$host$request_uri;
} # managed by Certbot
location /nextcloud {
try_files $uri $uri/ /nextcloud/index.php;
index index.html index.php;
rewrite ^ https://cloud.paulbeard.org/$request_uri? permanent;
# access_log off;
}
location /status {
stub_status on;
access_log off;
allow 192.168.0.1;
deny all;
}
location /fpm.status {
#access_log off;
allow 127.0.0.1;
allow 192.168.0.1;
deny all;
include fastcgi_params;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/tmp/php-fpm.sock;
}
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite /movabletype* $scheme://paulbeard.org/wordpress permanent;
location ~ ^/~(.+?)(/.*)?$ {
alias /usr/home/$1/public_html$2;
index index.html index.htm;
autoindex on;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass php;
fastcgi_read_timeout 300;
}
location ~ /\.ht {
deny all;
}
}
server {
#ssl on;
listen 443;
server_name cloud.paulbeard.org;
access_log /var/log/httpd/httpd-cloud-access.log;
# add Strict-Transport-Security to prevent man in the middle attacks
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
#access_log off;
# Path to the root of your installation
root /usr/local/www/nextcloud;
client_max_body_size 10G; # set max upload size
fastcgi_buffers 64 4K;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
deny all;
}
location / {
# The following 2 rules are only needed with webfinger
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ index.php;
}
location ~ ^(.+?\.php)(/.*)?$ {
try_files $1 = 404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$1;
fastcgi_param PATH_INFO $2;
fastcgi_param HTTPS on;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/tmp/php-fpm.sock;
}
# Optional: set long EXPIRES header on static assets
location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
# Optional: Don't log access to assets
#access_log off;
}
}
# server {
# if ($host = paulbeard.org) {
# return 301 https://$host$request_uri;
# } # managed by Certbot
#
#
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name www.paulbeard.org paulbeard.org;
# return 404; # managed by Certbot
#
#
# }
}
# configuration file /usr/local/etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
```
Yes it’s circular. I admit I have no idea why your nginx config is not workable for certbot. I don’t use nginx plugin, I use nginx but without the plugin.
I have looked a bit at nginx plugin code but it’s not easy to guess what could go wrong. I had hoped to find a way to activate a maximum debug mode but I don’t think there is any such thing.
Whatever, having a working config for you should be relatively easy if you have not really deleted any certificate, as I think is the case, with a bit of Unix lore. Look at your certificates, in (probably) /usr/local/etc/letsencrypt/archive. Do you see .pem files? If yes, you can open them with `openssl x509 -in fullchain(number).pem -text`, for example `openssl x509 -in fullchain10.pem -text`, and find out the last one issued with the right names.
Then in /usr/local/etc/letsencrypt/live you will find 3 symbolic links to the last files in the archives.
Remove them and recreate them by linking to the right file and it should give you a working site (I hope that I don’t have to explain to you about ln -s…)
It would not solve the general problem of course.
> Yes it’s circular. I admit I have no idea why your nginx config is not workable for certbot. I don’t use nginx plugin, I use nginx but without the plugin.
> I have looked a bit at nginx plugin code but it’s not easy to guess what could go wrong. I had hoped to find a way to activate a maximum debug mode but I don’t think there is any such thing.

I have tried to reinstall with and without the plugin code.

> Whatever, having a working config for you should be relatively easy if you have not really deleted any certificate, as I think is the case, with a bit of Unix lore. Look at your certificates, in (probably) /usr/local/etc/letsencrypt/archive. Do you see .pem files? If yes, you can open them with `openssl x509 -in fullchain(number).pem -text`, for example `openssl x509 -in fullchain10.pem -text`, and find out the last one issued with the right names.
> Then in /usr/local/etc/letsencrypt/live you will find 3 symbolic links to the last files in the archives.
> Remove them and recreate them by linking to the right file and it should give you a working site (I hope that I don’t have to explain to you about ln -s…)
This is all as expected. Four files, four links.
```text
README
cert.pem -> ../../archive/paulbeard.org/cert1.pem
chain.pem -> ../../archive/paulbeard.org/chain1.pem
fullchain.pem -> ../../archive/paulbeard.org/fullchain1.
privkey.pem -> ../../archive/paulbeard.org/privkey1.pem
```

```text
-rw-r--r-- 1 root wheel 1907 Jun 1 18:48 cert1.pem
-rw-r--r-- 1 root wheel 1647 Jun 1 18:48 chain1.pem
-rw-r--r-- 1 root wheel 3554 Jun 1 18:48 fullchain1.pem
-rw------- 1 root wheel 1700 Jun 1 18:48 privkey1.pem
```
This seems concerning:
> [cert name]/cert.pem: will break many server configurations, and should not be used without reading further documentation (see link below).
I don't have keys.
> /etc/letsencrypt/archive and /etc/letsencrypt/keys contain all previous keys and certificates, while /etc/letsencrypt/live symlinks to the latest versions.
Or more precisely, the keys I have don't match the certs.
So it seems that what I want/need is to erase/delete/revoke this cert, since it can't be used without the (missing) key. Seems to me there should be a way to do that. If someone got hold of someone else's private key, they could impersonate them. That seems to go against what this project is about.
Any guidance there would be appreciated. I have tried what I see in the docs (revoke/delete) but it didn't seem to work).
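The hand procedure suggested earlier (open each archive .pem with openssl x509, find the version issued with the right names, relink live/) plus the "keys don't match the certs" check, as an added POSIX shell script; this is not code from the thread or from Certbot, it assumes OpenSSL 1.1.1 or newer (for `x509 -ext`), and the function names are my own. `cert_covers` is also the test to run with every server_name a vhost serves or redirects to, since a name missing from the certificate is what produces NET::ERR_CERT_COMMON_NAME_INVALID.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot. Audits a Certbot lineage
# laid out as archive/<lineage>/{cert,chain,fullchain,privkey}N.pem with
# live/<lineage>/*.pem symlinking to one version N (the layout the thread shows).
# Assumes OpenSSL 1.1.1+; function names are hypothetical.

# SAN DNS names of a certificate, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# True when the private key's public half equals the certificate's public key:
# the check that catches "the keys I have don't match the certs".
key_matches_cert() {
    kc_c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    kc_k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$kc_c" ] && [ "$kc_c" = "$kc_k" ]
}

# True when the certificate's SANs include every name given after the file.
cert_covers() {
    cc_names=$(cert_names "$1"); shift
    for cc_want in "$@"; do
        printf '%s\n' "$cc_names" | grep -qx "$cc_want" || return 1
    done
    return 0
}

# Highest archive version N whose certN.pem covers the names and whose
# privkeyN.pem matches it; prints nothing and fails when none qualifies.
pick_version() {
    pv_dir=$1; shift
    pv_best=""
    for pv_cert in "$pv_dir"/cert*.pem; do
        [ -f "$pv_cert" ] || continue
        pv_n=${pv_cert##*/cert}; pv_n=${pv_n%.pem}
        if key_matches_cert "$pv_cert" "$pv_dir/privkey$pv_n.pem" \
           && cert_covers "$pv_cert" "$@"; then
            if [ -z "$pv_best" ] || [ "$pv_n" -gt "$pv_best" ]; then pv_best=$pv_n; fi
        fi
    done
    [ -n "$pv_best" ] && printf '%s\n' "$pv_best"
}

# Re-create the four live/ symlinks so they point at version N, with the same
# relative targets Certbot writes (../../archive/<lineage>/<file>N.pem).
relink_live() {
    rl_live=$1; rl_lineage=$2; rl_n=$3
    for rl_f in cert chain fullchain privkey; do
        ln -sfn "../../archive/$rl_lineage/$rl_f$rl_n.pem" "$rl_live/$rl_f.pem"
    done
}

# Usage: sh audit.sh /usr/local/etc/letsencrypt paulbeard.org www.paulbeard.org paulbeard.org
# Reports every archived version, then the newest one that is actually usable.
if [ "$#" -ge 3 ] && [ -d "$1/archive/$2" ]; then
    base=$1; lineage=$2; shift 2
    for c in "$base/archive/$lineage"/cert*.pem; do
        n=${c##*/cert}; n=${n%.pem}
        key_matches_cert "$c" "$base/archive/$lineage/privkey$n.pem" && km=ok || km=MISMATCH
        printf 'cert%s.pem key=%s names=%s %s\n' "$n" "$km" \
            "$(cert_names "$c" | tr '\n' ' ')" "$(openssl x509 -in "$c" -noout -enddate)"
    done
    n=$(pick_version "$base/archive/$lineage" "$@") \
        && echo "usable version: $n (relink with: relink_live $base/live/$lineage $lineage $n)"
fi
```

The report only reads the archive; `relink_live` is the one step that changes anything, so run it only after the report names a version whose key matches.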
Well, if you reinstall the software you risk losing certs and private keys depending on how the packaging software works. If you use Freebsd I guess it’s packaged outside of Letsencrypt. You should avoid reinstalling.
If your archive has only files suffixed by ‘1’, that’s probably the reason you lost your certificate files. Given what the Cert Spotter site says, you should have suffixes up to 7 at least.
In this case you have indeed to restart certbot to create new certificates. Since you created 5 certificates on 1/6, you have to wait until 8/6, I think (5 identical certificates per 7 rolling days, IIRC). You could try to create one immediately with only paulbeard.org and www.paulbeard.org; since it would be missing cloud.paulbeard.org, it could probably be accepted immediately.
Nginx works fine for me with only 2 files (fullchain.pem and privkey.pem). Once you have these 2 files and they have the right names on the corresponding certificates, you can always set them by hand in the nginx config, even if the nginx certbot code can’t understand your setup.
I ended up just doing as you hint here, getting a new cert for each record. That worked, though now my http-> https redirects are all b0rked. Easily fixed, I expect. That was where some of this began, with Certbot making unwise edits.
Plainly this is a hard problem.