Certbot failing, site's previous SSL is expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.argentscientific.com

I ran this command: sudo certbot --nginx -d argentscientific.com www.argentscientific.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for argentscientific.com
tls-sni-01 challenge for www.argentscientific.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/default for argentscientific.com
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/default for www.argentscientific.com
nginx: [emerg] "ssl_certificate" directive is duplicate in /etc/nginx/sites-enabled/default:31
Rolling back to previous server configuration...
nginx restart failed:
b''
b''

IMPORTANT NOTES:

  • We were unable to install your certificate, however, we
    successfully restored your server to its prior configuration.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/argentscientific.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/argentscientific.com/privkey.pem
    Your cert will expire on 2018-05-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @benikens,

I’m not sure why Certbot was unable to install the certificate in your nginx configuration; I’d be happy to gather some more information to try to understand this.

In the meantime, were you using the previous Certbot-provided certificate in this same nginx instance? If so, the new certificate should be used as soon as you restart nginx.

If that doesn’t work, could you post the output from this command?

fgrep -r .pem /etc/nginx

try: grep -r .pem /etc/nginx

The certificate in use prior was not a Certbot one; it was provided by Comodo, I believe.

Output:

/etc/nginx/snippets/ssl-params.conf:ssl_dhparam /etc/ssl/certs/dhparam.pem;
/etc/nginx/snippets/ssl-argentscientific.com.conf:#/etc/letsencrypt/live/argentscientific.com/fullchain.pem;
/etc/nginx/snippets/ssl-argentscientific.com.conf:#/etc/letsencrypt/live/argentscientific.com/privkey.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;

I suggested fgrep in order to avoid false positive matches due to the special meaning of . to ordinary grep.

Hmm, do you remember commenting out those lines in ssl-argentscientific.com.conf by adding the initial # to them?

Tbh I don’t, but I might’ve; we set it up a year ago. If I un-comment, you think it will fix it?

Could you post that whole file’s contents here so we can see what’s been done to it and what the context is?
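
Added example, not part of the original thread and not Certbot's or nginx's own code: the `fgrep -r .pem` search above also lists commented-out lines and cannot show which directives end up in the same `server` block through `include`. This script expands includes and reports any server block holding more than one active `ssl_certificate`, the condition nginx 1.10 rejects as `"ssl_certificate" directive is duplicate`. The function names (`expand`, `dup_certs`, `demo_tree`) and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one directive per line, unquoted
# include paths, and no "#" inside values. ROOT is the nginx prefix (/etc/nginx).

# expand FILE ROOT: print "file:line directive ..." for each active line,
# replacing every include line with the lines of the files it names.
expand() (
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    code=$(printf '%s\n' "$line" | sed -e 's/#.*//' -e 's/[{}]/ & /g' \
      -e 's/^[[:space:]]*//' -e 's/[[:space:]][[:space:]]*/ /g')
    case $code in
      'include '*)
        inc=${code#include }; inc=${inc%%;*}
        case $inc in /*) ;; *) inc=$2/$inc ;; esac
        for f in $inc; do  # unquoted on purpose: include accepts globs
          if [ -f "$f" ]; then expand "$f" "$2"; fi
        done ;;
      ?*) printf '%s:%s %s\n' "$1" "$n" "$code" ;;
    esac
  done < "$1"
)

# dup_certs FILE ROOT: one line per server block holding more than one active
# ssl_certificate directive, with the file:line each one comes from.
dup_certs() {
  expand "$1" "$2" | awk '
    $2 == "server" && $3 == "{" { insrv = 1; depth = 0; n = 0; seen = "" }
    insrv && $2 == "ssl_certificate" { n++; seen = seen " " $1 }
    insrv {
      t = $0
      depth += gsub(/[{]/, "", t) - gsub(/[}]/, "", t)
      if (depth <= 0) { if (n > 1) print "duplicate ssl_certificate:" seen; insrv = 0 }
    }'
}

# Constructed sample tree (not the poster's real files).
demo_tree() {
  d=$(mktemp -d) && mkdir -p "$d/snippets" "$d/sites-enabled"
  printf '%s\n' 'ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;' \
    > "$d/snippets/snakeoil.conf"
  printf '%s\n' 'server {' '  listen 443 ssl;' '  include snippets/snakeoil.conf;' \
    '  #ssl_certificate /etc/ssl/certs/old.pem;' \
    '  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;' '}' \
    > "$d/sites-enabled/default"
  echo "$d"
}

tree=$(demo_tree)
dup_certs "$tree/sites-enabled/default" "$tree"
```

On a real host the call would be `dup_certs /etc/nginx/sites-enabled/default /etc/nginx`; the commented-out line in the sample is ignored, while the included snippet and the direct directive are reported together.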
