I finally got my certificates automatically and also the nginx configuration was updated OK (with entries like certbot managed)
Now this error pops up on the a.m. command. The error is pretty much self-explanatory, but I don't know what to do with it, because I don't have "dummy" certificates which I could enter into the nginx.conf instead:
Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/default:12
nginx: configuration file /etc/nginx/nginx.conf test failed
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/default:12\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')
Yes, the Certbot --nginx plug-in will make a server block for https (port 443).
But, you have defined your server block for http (port 80) to also listen to port 443. All port 443 (ssl) server blocks must have certs defined and you don't have any.
Remove the two lines for listen 443 and try again.
Also, you are listening on both IPv4 and IPv6 for port 443 but only on IPv4 for port 80. You might want to change your listen 80 line if you want to support IPv6.
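The two rules in the answer above (every server block with a "listen ... ssl" needs ssl_certificate and ssl_certificate_key in scope, and IPv4/IPv6 listeners should match across ports) can be checked before running nginx -t. The script below is an added example written for this thread, not Certbot's or nginx's own code: a small parser for nginx server blocks with three checks, the third being the duplicate server_name/port combination behind the "conflicting server name" warnings that the later posts in this thread run into. The two embedded configs are constructed to mirror the situation described here; they are not the poster's actual files. The script does not follow include files, so a certificate set only in an included file would be reported as missing.

```python
"""Lint nginx server blocks for the mistakes discussed in this thread.
Added example for this thread; not nginx's or Certbot's code. Does not follow 'include'."""
import re

TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};#"\']+')


def tokenize(text):
    """Split config text into words, '{', '}' and ';'. Comments are dropped,
    quoted strings become one token without their quotes."""
    return [t[1:-1] if t[0] in "\"'" else t for t in TOKEN_RE.findall(text) if t[0] != "#"]


def parse(tokens):
    """Build a directive tree: {'name', 'args', 'body'}; 'body' is a nested list for
    blocks (server, location, if, ...) and None for plain directives."""
    stack, current = [[]], []
    for tok in tokens:
        if tok == ";" and current:
            stack[-1].append({"name": current[0], "args": current[1:], "body": None})
            current = []
        elif tok == "{":
            block = {"name": current[0], "args": current[1:], "body": []}
            stack[-1].append(block)
            stack.append(block["body"])
            current = []
        elif tok == "}":
            stack.pop()
        elif tok != ";":
            current.append(tok)
    return stack[0]


def server_blocks(directives, inherited=frozenset()):
    """Yield (server block, plain directive names of enclosing scopes). nginx lets
    ssl_certificate be set at http level and inherited by every server block."""
    here = inherited | {d["name"] for d in directives if d["body"] is None}
    for d in directives:
        if d["name"] == "server":
            yield d, here
        elif d["body"] is not None:
            yield from server_blocks(d["body"], here)


def listen_info(args):
    """Return (family, port, ssl) for the arguments of one listen directive."""
    addr, ssl = args[0], "ssl" in args[1:]
    if addr.startswith("unix:"):
        return "unix", None, ssl
    if addr.startswith("["):
        port = addr.split("]", 1)[1].lstrip(":")
        return "IPv6", int(port) if port else 80, ssl
    if ":" in addr:
        return "IPv4", int(addr.rsplit(":", 1)[1]), ssl
    return "IPv4", int(addr) if addr.isdigit() else 80, ssl


def lint(text):
    """Return human-readable findings for the config text (empty list when clean)."""
    findings, seen = [], {}
    for idx, (srv, inherited) in enumerate(server_blocks(parse(tokenize(text))), 1):
        body = srv["body"]
        names = [a for d in body if d["name"] == "server_name" for a in d["args"]]
        in_scope = inherited | {d["name"] for d in body if d["body"] is None}
        # nginx listens on *:80 when a server block has no listen directive at all
        listens = [listen_info(d["args"]) for d in body if d["name"] == "listen"] or [("IPv4", 80, False)]
        label = f"server #{idx} ({' '.join(names) or 'no server_name'})"
        # check 1: an ssl listener with no certificate/key reachable from this block
        if any(ssl for _, _, ssl in listens) and not {"ssl_certificate", "ssl_certificate_key"} <= in_scope:
            findings.append(f"{label}: 'listen ... ssl' but no ssl_certificate/ssl_certificate_key in scope")
        by_port = {}
        for fam, port, _ in listens:
            if port is not None:
                by_port.setdefault(port, set()).add(fam)
        # check 2: a port that lacks an address family another port of this block has
        all_fams = set().union(*by_port.values()) if by_port else set()
        for port, fams in sorted(by_port.items()):
            if all_fams - fams:
                findings.append(f"{label}: port {port} is {'/'.join(sorted(fams))} only, "
                                f"other ports also listen on {'/'.join(sorted(all_fams - fams))}")
        # check 3: same server_name on the same port in two blocks
        for port in sorted(by_port):
            for name in names:
                if (port, name) in seen:
                    findings.append(f"{label}: server_name {name} on port {port} is also in "
                                    f"server #{seen[(port, name)]} (nginx warns 'conflicting server name')")
                else:
                    seen[(port, name)] = idx
    return findings


# Constructed: the http block also listens on 443 without any certificate, and a
# second block repeats the same names on port 80.
BROKEN_CONFIG = """
server {
    server_name server1.domain.com server2.domain.com;
    listen 80;
    listen 443 ssl;
    listen [::]:443 ssl;
    location / { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; }
}
server { server_name server1.domain.com server2.domain.com; listen 80; return 404; }
"""

# Constructed: one https block with certificates, one http block that only redirects.
FIXED_CONFIG = """
server {
    server_name server1.domain.com server2.domain.com;
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/server1.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server1.domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location / { proxy_pass http://127.0.0.1:8080; }
}
server {
    if ($host = server2.domain.com) { return 301 https://$host$request_uri; }
    server_name server1.domain.com server2.domain.com;
    listen 80;
    listen [::]:80;
    return 404;
}
"""

if __name__ == "__main__":
    for title, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {title} ==")
        for line in lint(cfg) or ["no findings"]:
            print(" ", line)
```

Run it against a real file with lint(open("/etc/nginx/sites-enabled/default").read()). The first finding it prints for the broken config is exactly the condition behind the "no "ssl_certificate" is defined for the "listen ... ssl" directive" error in the first post.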
I have now removed all listener entries from the original config above and am catching two warnings, once when nginx checks the conf and once when certbot gets the certs.
But in the end the configuration is like so:
server {
    server_name server1.domain.com server2.domain.com;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/server1.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/server1.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = server2.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = server1.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name server1.domain.com server2.domain.com;
    listen 80;
    return 404; # managed by Certbot
}
server {
    if ($host = server1.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name server1.domain.com server2.domain.com;
    listen 80;
    return 404; # managed by Certbot
}
Looks a bit weird. I think the confusion comes from the two server entries. But I had a note in my conf which stated that this is required for certbot's validation. The certificate is supposed to work for both subdomains.
Sure. Thanks. But the whole setup is Ansible controlled, I don't want to put my hands on it later on.
I think if I removed "server2.domain.com" I would not have that ambiguity, but I guess I would get into trouble later on with certbot (? not sure, but I guess I have experienced that in the past).
Are these questions answered with my later post? The first conf was just an Ansible controlled template to start from. In earlier versions of nginx (?) it was seemingly not necessary to specify cert and key, even when there were listeners on 443.
It leaves much out of the picture.
It comes in and makes temporary changes and then removes them in the blink of an eye.
Now that is all good and fine when things work well.
But when they don't work ... it can hide too much [including the reason why it is failing].