Certbot: nginx plugin is not working

Hello hive mind. I broke my nginx plugin - and I have no clue how I did it.
When running nginx -t, I get the following error message:

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Checking /etc/letsencrypt/live/, the folder is empty..

Thanks in advance!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: niggipi.duckdns.org

I ran this command: certbot --nginx

It produced this output:

Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')

My web server is (include version): nginx 1.14

The operating system my web server runs on is (include version): Raspbian 10

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Hi @niggiover9000, welcome to the LE community forum :slight_smile:

If you don't have a backup...
I guess you will have to disable all the TLS-enabled sites to get nginx to start, to get new certs, to put nginx back the way it was (needs to be).
You can either:

  • remove the HTTP to HTTPS redirections - to handle HTTP challenges
  • add a location within the HTTP vhost to handle the HTTP challenges
    OR
  • stop nginx and use certbot in --standalone mode to obtain all new certs (which is probably a faster fix)

Ensuring all the certs are correctly creating new paths within the /etc/letsencrypt/ folders.
If NOT, then you may have to remove certbot, and entirely remove the /etc/letsencrypt/ directory and start over, by then reinstalling certbot.

Hello @rg305, thanks for your help!

When running certbot certonly --standalone I get the following error message:

Failed authorization procedure. niggipi.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://niggipi.duckdns.org/.well-known/acme-challenge/sXRGnD4cHBEG2N2ecKanN7q93YFIdDQ7vM86F0D2Cd0: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: niggipi.duckdns.org
   Type:   connection
   Detail: Fetching
   http://niggipi.duckdns.org/.well-known/acme-challenge/sXRGnD4cHBEG2N2ecKanN7q93YFIdDQ7vM86F0D2Cd0:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I have always used certbot --nginx for the procedure, can you explain how to add a location within the HTTP vhost? Or alternatively, what I am doing wrong at the moment?

Thanks in advance :slight_smile:

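One way to write the "location within the HTTP vhost" option asked about above, as an added example that is not from any poster in this thread: a port-80 server block that serves http-01 challenge files from a webroot and redirects everything else to HTTPS. The function name render_acme_vhost and the webroot /var/www/letsencrypt are assumptions.

```shell
#!/bin/sh
# Added example: emit an HTTP-only nginx server block that answers ACME
# http-01 challenges from a webroot. Names and paths are assumptions.

# render_acme_vhost DOMAIN WEBROOT
# Prints the server block on stdout; returns 2 on unsafe input.
render_acme_vhost() {
    domain=$1
    webroot=$2
    # Refuse anything that could smuggle extra directives into the config.
    case $domain in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid domain: $domain" >&2; return 2 ;;
    esac
    case $webroot in
        /*) ;;
        *) echo "webroot must be an absolute path" >&2; return 2 ;;
    esac
    case $webroot in
        *[!A-Za-z0-9/._-]*)
            echo "unsupported character in webroot" >&2; return 2 ;;
    esac
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;

    # Challenge files written by certbot's webroot plugin live under
    # $webroot/.well-known/acme-challenge/
    location ^~ /.well-known/acme-challenge/ {
        root $webroot;
        default_type text/plain;
        try_files \$uri =404;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://\$server_name\$request_uri;
    }
}
EOF
}

# Stand-alone use: sh script.sh niggipi.duckdns.org /var/www/letsencrypt
[ "$#" -ne 2 ] || render_acme_vhost "$1" "$2"
```

With this block enabled and nginx reloaded, the matching certbot call is certbot certonly --webroot -w /var/www/letsencrypt -d niggipi.duckdns.org.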

Is the IP address dynamic?
Is it up-to-date?
Can HTTP connections from the Internet reach your system?

If you show the output of:
sudo nginx -T
[we can better discuss your options]

Just found out, that I indeed cannot ping nor reach the host from outside of my home. Thanks for the tip, this might be the biggest part of my problem.

nginx -t gives back:

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Thanks!

Oh yeah, I forgot.
hmm...
Please show:
ls -l /etc/nginx/sites-enabled/

If empty, then show file:
/etc/nginx/nginx.conf

lrwxrwxrwx 1 root root 61 Aug 20 11:37 bitwarden.niggipi.duckdns.org.conf -> /etc/nginx/sites-available/bitwarden.niggipi.duckdns.org.conf
lrwxrwxrwx 1 root root 46 Aug 20 10:09 niggipi.duckdns.org -> /etc/nginx/sites-available/niggipi.duckdns.org

OK, let's see which of those two files is using a letsencrypt cert, with:
grep letsencrypt /etc/nginx/sites-enabled/*

grep letsencrypt /etc/nginx/sites-enabled/* returns:

/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/www.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/www.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/cospend.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/cospend.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/deck.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/deck.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/files.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/files.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/mail.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/mail.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/calendar.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/calendar.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/niggipi.duckdns.org/privkey.pem;

Please note: all these ssl certificates are commented out: the niggipi.duckdns.org config looks like this:

upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/var/run/php/php7.3-fpm.sock;
}

#server {
#    listen 80;
#    listen [::]:80;
#    server_name niggipi.duckdns.org;
#    return 301 https://$server_name$request_uri;
#}

#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#    server_name www.niggipi.duckdns.org;
#    ssl_certificate /etc/letsencrypt/live/www.niggipi.duckdns.org/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/www.niggipi.duckdns.org/privkey.pem;
#    return 301 https://niggipi.duckdns.org;
#}

#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#    server_name cospend.niggipi.duckdns.org;
#    ssl_certificate /etc/letsencrypt/live/cospend.niggipi.duckdns.org/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/cospend.niggipi.duckdns.org/privkey.pem;
#    return 301 https://niggipi.duckdns.org/apps/cospend$request_uri;
#}

#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#    server_name deck.niggipi.duckdns.org;
#    ssl_certificate /etc/letsencrypt/live/deck.niggipi.duckdns.org/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/deck.niggipi.duckdns.org/privkey.pem;
#    return 301 https://niggipi.duckdns.org/apps/deck$request_uri;
#}

#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#    server_name files.niggipi.duckdns.org;
#    ssl_certificate /etc/letsencrypt/live/files.niggipi.duckdns.org/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/files.niggipi.duckdns.org/privkey.pem;
#    return 301 https://niggipi.duckdns.org/apps/files$request_uri;
#}

#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#    server_name mail.niggipi.duckdns.org;
#    ssl_certificate /etc/letsencrypt/live/mail.niggipi.duckdns.org/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/mail.niggipi.duckdns.org/privkey.pem;
#    return 301 https://niggipi.duckdns.org/apps/mail$request_uri;
#}

#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#    server_name calendar.niggipi.duckdns.org;
#    ssl_certificate /etc/letsencrypt/live/calendar.niggipi.duckdns.org/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/calendar.niggipi.duckdns.org/privkey.pem;
#    return 301 https://niggipi.duckdns.org/apps/calendar$request_uri;
#}


server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name niggipi.duckdns.org;
#    ssl_certificate /etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/niggipi.duckdns.org/privkey.pem;

    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype $
    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;

    add_header Strict-Transport-Security            "max-age=15552000; includeSubDomains; preload;";
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/nextcloud;

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ \.(?:css|js|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

That is chaos! - LOL
[use SSL - but do it without a cert!]

It tries to load an LE cert somewhere...
Let's look for it in the main config folder, with:
grep letsencrypt /etc/nginx/*

grep letsencrypt /etc/nginx/* returns:

grep: /etc/nginx/conf.d: Ist ein Verzeichnis
grep: /etc/nginx/modules-available: Ist ein Verzeichnis
grep: /etc/nginx/modules-enabled: Ist ein Verzeichnis
grep: /etc/nginx/sites-available: Ist ein Verzeichnis
grep: /etc/nginx/sites-enabled: Ist ein Verzeichnis
grep: /etc/nginx/snippets: Ist ein Verzeichnis

hmm...
Not adding up.

Let's try:
grep -ERi 'ssl_certificate|letsencrypt' /etc/nginx

grep -ERi 'ssl_certificate|letsencrypt' /etc/nginx returns:

/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/sites-available/files.niggipi.duckdns.org:    ssl_certificate /etc/letsencrypt/live/files.niggipi.duckdns.org/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/files.niggipi.duckdns.org:    ssl_certificate_key /etc/letsencrypt/live/files.niggipi.duckdns.org/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/deck.niggipi.duckdns.org:    ssl_certificate /etc/letsencrypt/live/deck.niggipi.duckdns.org/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/deck.niggipi.duckdns.org:        ssl_certificate_key /etc/letsencrypt/live/deck.niggipi.duckdns.org/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/mail.niggipi.duckdns.org:    ssl_certificate /etc/letsencrypt/live/mail.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-available/mail.niggipi.duckdns.org:    ssl_certificate_key /etc/letsencrypt/live/mail.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-available/cospend.niggipi.duckdns.org: ssl_certificate /etc/letsencrypt/live/cospend.niggipi.duckdns.org/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/cospend.niggipi.duckdns.org:        ssl_certificate_key /etc/letsencrypt/live/cospend.niggipi.duckdns.org/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/www.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/www.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/cospend.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/cospend.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/deck.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/deck.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/files.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/files.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/mail.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/mail.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/calendar.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/calendar.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-available/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/www.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/www.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/cospend.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/cospend.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/deck.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/deck.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/files.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/files.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/mail.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/mail.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/calendar.niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/calendar.niggipi.duckdns.org/privkey.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate /etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    ssl_certificate_key /etc/letsencrypt/live/niggipi.duckdns.org/privkey.pem;

Only files in /sites-available/ use certs.
I think your config is non-standard.

Please show:
grep -i include /etc/nginx/nginx.conf

grep -i include /etc/nginx/nginx.conf returns:

include /etc/nginx/modules-enabled/*.conf;
        include /etc/nginx/mime.types;
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

OMG!
Now we have gone full circle!

  • nginx fails to run because it can't load an LE cert.
  • nginx config doesn't include any files that have LE certs.

Let's see if these files are available (maybe they can get us out of this jam):
ls -l /etc/ssl/certs/ssl-cert-snakeoil*

ls -l /etc/ssl/certs/ssl-cert-snakeoil* returns:

-rw-r--r-- 1 root root 1103 Dez 2 2020 /etc/ssl/certs/ssl-cert-snakeoil.pem

If only I knew what I did to get myself into this trouble :frowning:

Change this:

To this:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name niggipi.duckdns.org;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; # only temporary
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; # only temporary
#    ssl_certificate /etc/letsencrypt/live/niggipi.duckdns.org/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/niggipi.duckdns.org/privkey.pem;

Something really bad like:
r m - r / e t c / l e t s e n c r y p t / l i v e /
[spaced that out so no one tries to run it]