Certbot failed installation


#1

Hello people, how are you :slight_smile:

I am a student. I got myself a free .tech domain, obtained 1 year of free hosting on Google Compute, connected my server to the ServerPilot free plan, installed WordPress and uploaded some content.
It’s Code Playground, a project started as open source.
After following the instructions, I got an error after a few steps.
The error was: NoInstallationError()
The nginx plugin is not working; there may be problems with your existing configuration.

Could someone please guide me through on how to get valid certificate using Certbot? Thank you

-My domain is: wwcd.tech
-I ran this command: I followed instructions on https://certbot.eff.org/
-It produced this output: Everything went OK until I tried to install the nginx plugin
-My web server is (include version): nginx over apache (serverpilot)
-The operating system my web server runs on is (include version): UBUNTU 16.04 LTS-
-My hosting provider, if applicable, is: Google cloud (compute vps)
-I can login to a root shell on my machine
-I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ServerPilot


#2

Based on some Google searches, ServerPilot may customize the location of nginx.

Perhaps try

--nginx-server-root "/etc/nginx-sp" 

and also if necessary

--nginx-ctl "/path/to/sbin/nginx"

I would also seriously consider reading the ServerPilot documentation about their existing Let’s Encrypt integration rather than trying to manually apply Certbot:

https://serverpilot.io/community/articles/how-to-use-autossl.html


#3

Thank you for such a fast reply. I have read the ServerPilot guide, but I would really like to do this myself and learn something.
Their auto SSL is a paid feature, and I need this for educational purposes. If I pay for it I won’t learn a thing.
I found a script which works flawlessly, but still it is a script which I didn’t write.
I would like to do it the official way, using Certbot. :slight_smile:
Thank you


#4

@bredpit, @_az’s first suggestions are Certbot command-line options that you could provide when running Certbot on the command line (in order to deal with the NoInstallationError).


#5

@schoen I found something interesting and gave it a try.
First I cloned the repo:
git clone https://github.com/certbot/certbot
This extracted stuff into a folder “certbot”, so I navigated there with:
cd certbot
Then I started with this:
./certbot-auto certonly --webroot --webroot-path /srv/users/serverpilot/apps/wwcd/public --renew-by-default --email ****@yahoo.com --text --agree-tos -d wwcd.tech

Everything goes well, I get a congratulations message saying that all went well.
But my site goes down. Then I navigate to:
cd /etc/nginx-sp/vhosts.d
I edit my app:

sudo nano wwcd.ssl.conf
and I put this into the file and save:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name wwcd.tech;

    ssl on;

    # letsencrypt certificates
    ssl_certificate      /etc/letsencrypt/live/wwcd/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/wwcd/privkey.pem;

    #SSL Optimization
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;

    # modern configuration
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response
    ssl_trusted_certificate /etc/letsencrypt/live/wwcd/chain.pem;

    #root directory and logfiles
    root /srv/users/serverpilot/apps/wwcd/public;

    #index files
    index index.php index.html index.htm;

    access_log /srv/users/serverpilot/log/wwcd/wwcd_nginx.access.log main;
    error_log /srv/users/serverpilot/log/wwcd/wwcd_nginx.error.log;

    #proxyset
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-SSL on;
    proxy_set_header X-Forwarded-Proto $scheme;

    #includes
    include /etc/nginx-sp/vhosts.d/wwcd.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/wwcd.d/*.conf;
}

And everything goes down, I can’t even restart nginx.
Probably the paths are wrong, I need to check everything folder by folder, file by file.

But the idea is right? Right?


#6

For sure these paths are wrong.

Same issue.

Try nginx -t to test the config.
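
A check that complements nginx -t for the failure in this thread, added here as an example and not taken from any post: it lists every file named by an ssl_certificate, ssl_certificate_key or ssl_trusted_certificate directive in a vhost file and reports the ones that do not exist. The function names, the optional root-prefix argument and the example.test tree are constructed for the demonstration.

```shell
# Added example (not from the thread). On a real server run it with sudo,
# since /etc/letsencrypt/live is normally readable by root only.

# Print "directive path" for every certificate-related directive in $1.
# Lines starting with '#' do not match and are skipped.
cert_paths() {
    sed -n -E 's/^[[:space:]]*(ssl_certificate|ssl_certificate_key|ssl_trusted_certificate)[[:space:]]+([^;[:space:]]+)[[:space:]]*;.*$/\1 \2/p' "$1"
}

# Print each referenced file that does not exist; return 1 if any is missing.
# $2 is a hypothetical root prefix so the demo can use a constructed tree.
missing_cert_paths() {
    conf=$1; prefix=${2:-}
    missing=0
    paths=$(cert_paths "$conf") || return 2
    while read -r directive path; do
        [ -n "$path" ] || continue
        if [ ! -e "$prefix$path" ]; then
            echo "$directive $path"
            missing=1
        fi
    done <<EOF
$paths
EOF
    return "$missing"
}

# Constructed sample: the key path has the wrong directory, chain.pem is absent.
demo() {
    root=$(mktemp -d)
    live=$root/etc/letsencrypt/live/example.test
    mkdir -p "$live"
    : > "$live/fullchain.pem"
    : > "$live/privkey.pem"
    cat > "$root/vhost.conf" <<'EOF'
server {
    # ssl_certificate /old/cert.pem;
    ssl_certificate         /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.test/chain.pem;
}
EOF
    rc=0
    missing_cert_paths "$root/vhost.conf" "$root" || rc=$?
    rm -rf "$root"
    return "$rc"
}

demo || echo "fix the paths listed above before running nginx -t"
```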


#7

Hey @_az, thanks for the confirmation. The problem is I can’t use FileZilla to browse these files, as it doesn’t allow me to enter these folders; it says I don’t have permission, which is crazy.
I probably need to tweak sshd_config and allow PermitRootLogin and PasswordAuthentication to be able to check the correct paths. Using the console is a huge pain :slight_smile:


#8

If you have root access on that server, you don’t need PermitRootLogin at all, you can just use sudo, e.g. sudo ls /etc/letsencrypt/live.


#9

@_az @schoen Hey guys, thank you for the help.
I managed to do it.
I configured another server and I tried to do the same, but this time without the “certonly” part.
It went smoothly, but at the end it told me that I need to use the “certonly” part because I am using the --webroot path.

Anyway, I went back to the previous server, and I edited sshd_config the way I said, and I added a password for root with:
passwd root
Before, I was using ServerPilot’s account to log in via SFTP, but this time I used root and the password I just set.
Browsing through the folders went without any complications.

Then I was able to check all the correct paths, and finally I was able to edit the .conf file with the corrected paths.

SSL works :)))

A question: will I be able to renew the certificates every 3 months with this code:
certbot-auto renew
Is it futureproof? Or do I need to update the repository before running the renew script?

Also, how do I add a cronjob to run the renew every x months or x days?

