Certbot insists on installing apt's Nginx over my custom-built one

This question is about the installation of Certbot itself and not certificate installation. This is on Debian 10.3.

I built and installed Nginx from source because I needed some third party modules. My configuration uses the same directories as the standard Nginx installation apt would install for Debian. This is all fine and working.

When installing Certbot according to the instructions, however, apt insists on installing nginx-full and nginx-common along with it. This overwrites my custom build. I can run make install again and re-overwrite, but I don’t like fighting against apt like that. I’m sure there’s a better way.

I can provide details. I’m leaving them out for now in case they’d just make the post too long.

I would greatly appreciate it if anyone has advice on using Certbot with a custom build of Nginx on Debian. Thanks in advance.

1 Like

This is for Ubuntu, but might it also work with apt on Debian?

1 Like

Just took a look at this. Seems like Nginx packages aren’t direct dependencies of either certbot or python-certbot-nginx so maybe it’s some dependency down the line that’s requiring Nginx?

Maybe installing my custom binary over apt's Nginx isn’t so bad as long as I’m careful to match the version and directories.

1 Like

python-certbot-nginx -> python3-certbot-nginx -> nginx :wink:

I’d be interested to see what sudo apt-get install certbot python-certbot-nginx nginx- does though. Could be helpful for others with custom-built webservers from source. Just edited my post earlier; for some reason the URL I got from Google scrolled to the wrong answer.

1 Like

Ah, I see now.

I just tried that command and it responds with the following. You can see nginx-extras and nginx-common in there.

Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'nginx' is not installed, so not removed
The following additional packages will be installed:
  fontconfig-config fonts-dejavu-core geoip-database libfontconfig1 libgd3 libgeoip1 libhiredis0.14 libjbig0 libjpeg62-turbo
  libluajit-5.1-2 libluajit-5.1-common libnginx-mod-http-auth-pam libnginx-mod-http-cache-purge libnginx-mod-http-dav-ext
  libnginx-mod-http-echo libnginx-mod-http-fancyindex libnginx-mod-http-geoip libnginx-mod-http-headers-more-filter
  libnginx-mod-http-image-filter libnginx-mod-http-lua libnginx-mod-http-ndk libnginx-mod-http-perl libnginx-mod-http-subs-filter
  libnginx-mod-http-uploadprogress libnginx-mod-http-upstream-fair libnginx-mod-http-xslt-filter libnginx-mod-mail
  libnginx-mod-nchan libnginx-mod-stream libtiff5 libwebp6 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxpm4 nginx-common
  nginx-extras python3-certbot-nginx
Suggested packages:
  python3-certbot-apache python-certbot-doc libgd-tools geoip-bin fcgiwrap nginx-doc ssl-cert python-certbot-nginx-doc
The following NEW packages will be installed:
  certbot fontconfig-config fonts-dejavu-core geoip-database libfontconfig1 libgd3 libgeoip1 libhiredis0.14 libjbig0 libjpeg62-turbo
  libluajit-5.1-2 libluajit-5.1-common libnginx-mod-http-auth-pam libnginx-mod-http-cache-purge libnginx-mod-http-dav-ext
  libnginx-mod-http-echo libnginx-mod-http-fancyindex libnginx-mod-http-geoip libnginx-mod-http-headers-more-filter
  libnginx-mod-http-image-filter libnginx-mod-http-lua libnginx-mod-http-ndk libnginx-mod-http-perl libnginx-mod-http-subs-filter
  libnginx-mod-http-uploadprogress libnginx-mod-http-upstream-fair libnginx-mod-http-xslt-filter libnginx-mod-mail
  libnginx-mod-nchan libnginx-mod-stream libtiff5 libwebp6 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxpm4 nginx-common
  nginx-extras python-certbot-nginx python3-certbot-nginx

1 Like

Further update. Just tried sudo apt-get install certbot python-certbot-nginx nginx-extras- nginx-common- and the response was:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'nginx-common' is not installed, so not removed
Package 'nginx-extras' is not installed, so not removed
The following additional packages will be installed:
  nginx python3-certbot-nginx
Suggested packages:
  python3-certbot-apache python-certbot-doc python-certbot-nginx-doc
The following NEW packages will be installed:
  certbot nginx python-certbot-nginx python3-certbot-nginx

So that seems to attempt to install nginx. I then tried sudo apt-get install certbot python-certbot-nginx nginx-extras- nginx-common- nginx- and got:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'nginx-common' is not installed, so not removed
Package 'nginx-extras' is not installed, so not removed
Package 'nginx' is not installed, so not removed
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
python-certbot-nginx : Depends: python3-certbot-nginx but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

1 Like

This is sort of a weird suggestion, but it’s something I’ve done before (and it is also discussed within that serverfault link).

As part of your custom make install, you can generate an “equivs” package, which is an empty/metadata .deb that makes apt understand that a certain dependency is already satisfied.

http://shallowsky.com/blog/linux/install/blocking-deb-dependencies.html

4 Likes

Hey, this seems to have worked! I created and installed a fake nginx .deb file and Certbot isn’t trying to overwrite my custom build anymore. Entering sudo apt install certbot python-certbot-nginx now gets the following response:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  python3-certbot-nginx
Suggested packages:
  python3-certbot-apache python-certbot-doc python-certbot-nginx-doc
The following NEW packages will be installed:
  certbot python-certbot-nginx python3-certbot-nginx

Certbot installed as expected. I’ll generate some certificates and verify this works before writing up the solution in full that worked for me. I’ll post the full results and solution in this thread. Thanks again.

3 Likes

Perhaps the method for apt on Ubuntu doesn't work on Debian, I dunno. I don't have real experience with both, but in any case it's also good to know it didn't work.

1 Like

:+1:.

One last solution, the one I generally use when I need to modify a package, is to rebuild the package using the repo's source packages (either from Debian or nginx.org, either would work), rather than building using the tarball.

After all, why not? The packagers have already put all the effort in for you.

Small tutorial if anybody else comes upon this thread:


Add the source repo to your apt sources (this is for nginx.org's mainline release, but you can use the nginx.org stable release or Debian's if you want):

deb-src http://nginx.org/packages/mainline/debian/ stretch nginx

Get build dependencies:

apt update
apt install build-essential git
apt-get build-dep nginx

Download the Debian nginx source packages:

mkdir /tmp/nginx-build && cd /tmp/nginx-build
apt-get source nginx

Then modify nginx-1.17.10/debian/rules to enable whatever static modules you need built.

Build the package:

cd nginx-1.17.10 && dpkg-buildpackage -b

and then you can just install the single .deb:

dpkg -i /tmp/nginx-build/nginx_1.17.10-1~stretch_amd64.deb

You may then also want to use apt-mark hold to lock the package version to prevent it being automatically upgraded, if you have unattended-upgrades turned on.

5 Likes

This does seem like an even better solution but I can’t seem to get it to work the way I want it to at the moment. I’m not that familiar with this method of building Nginx. I’ll have to go with the other method for now but I’m bookmarking this to try again later.

1 Like

So here’s a full description of the problem and solution for people finding this thread in the future.

Disclaimer: I’m definitely not an expert and this is a hack-y solution so definitely look over this whole thread. I’m just detailing my steps so others can see something that worked.

If anyone sees something dangerous or dumb that I did in here, please comment and I’ll correct it.

This is on Debian 10.3.

I have a custom-built Nginx installed and working on port 80, but of course I want to install Certbot and get an SSL certificate. I use

sudo apt install certbot python-certbot-nginx

but…

The following NEW packages will be installed:
  certbot nginx python-certbot-nginx python3-certbot-nginx

I don’t want apt to install nginx over the one I’ve already got working.

What’s working for me now is creating a fake nginx .deb and installing it so that apt doesn’t overwrite mine. This fake package was created using the method described on this page, and I’ll describe specifically what I did here.

First of all, I needed the equivs package:

sudo apt install equivs

I then created a temporary ~/fakepackages directory and entered it (doesn’t matter where you put this; I didn’t create mine in temp because I want to keep what’s in there). Then to get started I used:

equivs-control nginx

This created a template file named nginx which I then edited by un-commenting some lines and editing some values. The active/relevant lines in my file look like this:

Section: misc
Priority: optional
Standards-Version: 3.9.2

Package: nginx
Version: 1:99
Maintainer: Myself <notarealemail@example.com>
Architecture: all
Description: A fake package that doesn't really install nginx.

Note: The version number above means “epoch 1, version 99.” The idea is to install a version number way above anything the nginx package is likely to reach any time soon.

I saved the file and then ran:

equivs-build nginx

This built the file nginx_99_all.deb in my case. I then ran:

sudo apt install ./nginx_99_all.deb

Which produced some warnings but seems to have installed my fake Nginx package just fine. I also separately tried:

sudo dpkg -i nginx_99_all.deb

which produced some warnings about being “unable to delete old directory” on some of the configuration and log directories of my custom Nginx installation. They both seemed to do what I intended, but obviously you don’t need to run both of those commands.

Now when I run

sudo apt install certbot python-certbot-nginx

I get the response:

The following NEW packages will be installed:
  certbot python-certbot-nginx python3-certbot-nginx

Excellent! It’s not installing nginx over my custom build. After installing Certbot, I run

sudo nginx -V

and see the custom configuration parameters from when I built Nginx, confirming that this is still my custom-built version.

3 Likes
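
A scripted version of the two checks in the write-up above (simulate the install first, then confirm the binary is still the custom build), as an added example that is not part of the original thread. The function names `distro_nginx_absent`, `configure_args` and `guarded_install` and the sample simulation output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread; names and sample data are constructed.

# Reads `apt-get -s install ...` output on stdin. Prints each nginx-related
# package apt would install ("Inst" lines); returns 1 if any, 0 if none.
distro_nginx_absent() {
  awk '$1 == "Inst" && $2 ~ /^(nginx|libnginx-mod-)/ { print $2; hit = 1 }
       END { exit hit + 0 }'
}

# Reads `nginx -V 2>&1` output on stdin (nginx prints it on stderr) and
# prints only the configure arguments, the fingerprint of the custom build.
configure_args() {
  sed -n 's/^configure arguments: //p'
}

# Simulate first, install only if apt leaves nginx alone, then confirm the
# nginx on PATH still reports the same configure arguments as before.
guarded_install() {
  local before after
  before=$(nginx -V 2>&1 | configure_args)
  if ! apt-get -s install "$@" | distro_nginx_absent; then
    echo "refusing: apt would install the nginx packages listed above" >&2
    return 1
  fi
  sudo apt-get install -y "$@" || return 1
  after=$(nginx -V 2>&1 | configure_args)
  [ "$before" = "$after" ] || { echo "nginx binary changed" >&2; return 1; }
}

# Constructed simulation output; package versions are placeholders.
SAMPLE_BAD='Inst nginx-common (0.0-placeholder Debian:10 [all])
Inst nginx-extras (0.0-placeholder Debian:10 [amd64])
Inst python3-certbot-nginx (0.0-placeholder Debian:10 [all])
Inst certbot (0.0-placeholder Debian:10 [all])
Conf certbot (0.0-placeholder Debian:10 [all])'
SAMPLE_OK='Inst python3-certbot-nginx (0.0-placeholder Debian:10 [all])
Inst python-certbot-nginx (0.0-placeholder Debian:10 [all])
Inst certbot (0.0-placeholder Debian:10 [all])'

# Live use: guarded_install certbot python-certbot-nginx
```

With the placeholder `nginx 1:99` package installed, apt treats nginx as satisfied and will not deliver Debian's nginx security updates to the source-built binary, so patching it means rebuilding from updated source.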

It's not weird at all. There are 6 ways to install nginx on Ubuntu, 4 from Ubuntu repositories,

one from upstream repositories,

Package: nginx
Version: 1.14.0-1~bionic
Architecture: amd64
Maintainer: Sergey Budnevitch <sb@nginx.com>
Installed-Size: 2862
Depends: libc6 (>= 2.27), libpcre3, libssl1.1 (>= 1.1.0), zlib1g (>= 1:1.1.4), lsb-base (>= 3.0-6), adduser
Conflicts: nginx-common
Provides: httpd

(and another ppa run by volunteers)

and the sixth, compiling it yourself. All five deb packages satisfy a "nginx" dependency. I guess compiling it yourself should do it as well.

1 Like
