Certbot on debian 12 server (Not web but IRC)

My domain is: irc.chattogratis.it

I ran this command: sudo certbot --nginx

It produced this output: This is from the log file:

2023-10-31 21:53:57,440:DEBUG:acme.client:Storing nonce: drGA4aWAl5ZhdyY-qvRIqfEoZQ-JN0noHgaIntbEmsTSvdiMkJ4
2023-10-31 21:53:57,443:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/archive.
2023-10-31 21:53:57,443:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/live.
2023-10-31 21:53:57,443:DEBUG:certbot._internal.storage:Writing README to /etc/letsencrypt/live/README.
2023-10-31 21:53:57,444:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/archive/irc.chattogratis.it.
2023-10-31 21:53:57,444:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/live/irc.chattogratis.it.
2023-10-31 21:53:57,444:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/live/irc.chattogratis.it/cert.pem.
2023-10-31 21:53:57,444:DEBUG:certbot._internal.storage:Writing private key to /etc/letsencrypt/live/irc.chattogratis.it/privkey.pem.
2023-10-31 21:53:57,445:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/live/irc.chattogratis.it/chain.pem.
2023-10-31 21:53:57,445:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/live/irc.chattogratis.it/fullchain.pem.
2023-10-31 21:53:57,445:DEBUG:certbot._internal.storage:Writing README to /etc/letsencrypt/live/irc.chattogratis.it/README.
2023-10-31 21:53:57,454:DEBUG:certbot.configuration:Var account=6354fa1d86a49701e5f32e920a0a5155 (set by user).
2023-10-31 21:53:57,455:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2023-10-31 21:53:57,455:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2023-10-31 21:53:57,455:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/irc.chattogratis.it.conf.
2023-10-31 21:53:57,458:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/irc.chattogratis.it/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/irc.chattogratis.it/privkey.pem
This certificate expires on 2024-01-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

2023-10-31 21:53:57,459:DEBUG:certbot._internal.display.obj:Notifying user: Deploying certificate
2023-10-31 21:53:57,464:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot/_internal/client.py", line 657, in deploy_certificate
    self.installer.deploy_cert(
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 251, in deploy_cert
    vhosts = self.choose_vhosts(domain, create_if_no_match=True)
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 362, in choose_vhosts
    vhosts = [self._vhost_from_duplicated_default(target_name, True,
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 411, in _vhost_from_duplicated_default
    default_vhost = self._get_default_vhost(domain, allow_port_mismatch, port)
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 449, in _get_default_vhost
    raise errors.MisconfigurationError("Could not automatically find a matching server "
certbot.errors.MisconfigurationError: Could not automatically find a matching server block for irc.chattogratis.it. Set the `server_name` directive to use the Nginx installer.

2023-10-31 21:53:57,464:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-10-31 21:53:57,545:DEBUG:certbot._internal.display.obj:Notifying user: Could not install certificate
2023-10-31 21:53:57,546:DEBUG:certbot._internal.display.obj:Notifying user: NEXT STEPS:
2023-10-31 21:53:57,546:DEBUG:certbot._internal.display.obj:Notifying user: - The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name irc.chattogratis.it
2023-10-31 21:53:57,546:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/3437/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot/_internal/main.py", line 1873, in main
    return config.func(config, plugins)
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot/_internal/main.py", line 1480, in run
    raise installer_err
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot/_internal/main.py", line 1464, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot/_internal/main.py", line 1058, in _install_cert
    le_client.deploy_certificate(domains, path_provider.key_path, path_provider.cert_path,
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot/_internal/client.py", line 657, in deploy_certificate
    self.installer.deploy_cert(
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 251, in deploy_cert
    vhosts = self.choose_vhosts(domain, create_if_no_match=True)
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 362, in choose_vhosts
    vhosts = [self._vhost_from_duplicated_default(target_name, True,
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 411, in _vhost_from_duplicated_default
    default_vhost = self._get_default_vhost(domain, allow_port_mismatch, port)
  File "/snap/certbot/3437/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 449, in _get_default_vhost
    raise errors.MisconfigurationError("Could not automatically find a matching server "
certbot.errors.MisconfigurationError: Could not automatically find a matching server block for irc.chattogratis.it. Set the `server_name` directive to use the Nginx installer.
2023-10-31 21:53:57,549:ERROR:certbot._internal.log:Could not automatically find a matching server block for irc.chattogratis.it. Set the `server_name` directive to use the Nginx installer.

My web server is (include version): nginx 1.22.1

The operating system my web server runs on is (include version): debian 12

My hosting provider, if applicable, is: ovh cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.3

Where exactly is this server_name I need to change? I am sorry, but I am a noob when it comes to SSL certs and certbot.
I installed certbot through snapd, but I really don't understand how to fix this, and would be very grateful for any help.

Thanks in advance.
Bjorn.

When you use the --nginx plugin it will create a server block in nginx that listens on port 443 (HTTPS). It bases this new server block from an existing server block for that domain name that is listening on port 80 (HTTP).

The error is saying it could not find a server block for HTTP. It must have used a default one to satisfy the challenge because you got your cert.

I am guessing you are using some default nginx config without any customization. It is probably best if you show us the entire config. Can you paste the full, long output from this command?

sudo nginx -T

(a capital T is essential)

2 Likes
debian@vps-11a4ee67:~$ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/avif                            avif;
    image/png                             png;
    image/svg+xml                         svg svgz;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/webp                            webp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;

    font/woff                             woff;
    font/woff2                            woff2;

    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.oasis.opendocument.graphics        odg;
    application/vnd.oasis.opendocument.presentation    odp;
    application/vnd.oasis.opendocument.spreadsheet     ods;
    application/vnd.oasis.opendocument.text            odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation    pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet    xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.wap.wmlc              wmlc;
    application/wasm                      wasm;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

Hi @Suntop, and welcome to the LE community forum :slight_smile:

That requires a working HTTP site for the name on the requested certificate.
But, since you mention "Not web but IRC", I suspect you don't have such a site, nor do you even want one.
If so, then you need to change the request logic [a bit].
You can either:

  • stop nginx and have certbot run in a standalone mode and handle the HTTP authentication
    [difficult (and annoying) to automate]

  • switch from HTTP authentication to DNS authentication
    [more difficult to achieve/automate than using HTTP]

  • modify the default nginx config (just enough) to use it to validate the HTTP authentication request

Of the three, I would opt for using DNS-01 authentication [if that is possible].
If not (possible) OR too complicated to achieve, then the last choice seems best.
[it would essentially only require the use of nginx (via --webroot) to obtain/renew the cert for IRC]
But you are free to choose at your discretion.
In any case, we are here to help you get this done in whichever way you prefer.

3 Likes
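Two small helpers, added here as an example and not part of the thread, that go with the explanation of the --nginx installer above and with option 3 in the list: the first reads an `nginx -T` dump and reports which names any `server_name` directive declares (the dump posted above declares none, which is exactly what the "Could not automatically find a matching server block" error is complaining about); the second writes the minimal port-80 block that lets certbot answer the http-01 challenge through `--webroot` without turning the host into a web site. The webroot path /var/www/acme, the output file name and the use of sites-enabled are assumptions, not something from the original posts.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers around the installer error
# "Could not automatically find a matching server block": one to see whether
# any server block in an `nginx -T` dump names the domain (the dump posted
# above declares none), one to write the minimal HTTP-only block that lets
# certbot satisfy http-01 via --webroot (option 3 above). Paths and the
# /var/www/acme webroot are assumptions.
set -eu

# server_names_in_dump < dump
# Prints every name declared by a server_name directive, one per line.
# Comments are stripped first so "# server_name_in_redirect off;" and the
# like in the stock nginx.conf are not counted.
server_names_in_dump() {
    sed -e 's/#.*$//' \
      | grep -E '^[[:space:]]*server_name[[:space:]]' \
      | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/;.*$//' \
      | tr -s '[:space:]' '\n' \
      | grep -v '^$' || true
}

# has_vhost_for DOMAIN < dump
# Succeeds only if some server block lists DOMAIN verbatim (wildcard and
# regex server_names are not expanded), which is what the nginx installer
# needs before it will add a 443 block for the name.
has_vhost_for() {
    server_names_in_dump | grep -qxF "$1"
}

# write_acme_vhost DOMAIN WEBROOT OUTFILE
# Writes a port-80 server block that serves only the ACME challenge directory
# from WEBROOT and answers 404 to everything else, so the host does not become
# a web site just to hold a certificate.
write_acme_vhost() {
    domain="$1"; webroot="$2"; out="$3"
    mkdir -p "$webroot/.well-known/acme-challenge"
    cat > "$out" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;

    # certbot certonly --webroot -w $webroot -d $domain writes tokens here
    location ^~ /.well-known/acme-challenge/ {
        root $webroot;
        default_type text/plain;
    }
    location / {
        return 404;
    }
}
EOF
}
```

To check the live server: `sudo nginx -T | has_vhost_for irc.chattogratis.it && echo found`. To take option 3: `write_acme_vhost irc.chattogratis.it /var/www/acme /etc/nginx/sites-enabled/acme.conf`, then `sudo nginx -t && sudo systemctl reload nginx`, then `sudo certbot certonly --webroot -w /var/www/acme -d irc.chattogratis.it`. Because that block only exposes the challenge directory, nginx keeps doing nothing else for the host, which is the point of option 3 over the --nginx installer.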

Why do you even have nginx installed?
I mean: It is obviously not doing anything now...
What do you plan on using it for?

3 Likes

Thanks for the welcome :slight_smile:
All I want is to make certbot work for the irc server, and I thought I had to use nginx or apache to make it work..

1 Like

Well, you don't actually need a web server at all [just to get a cert].
To simplify the cert process, you will need the HTTP ACME challenge requests to reach your system.
[that means the firewall(s) and ISP must allow HTTP (TCP port 80) through]
You can then use certbot in standalone mode to serve the response to those requests.

3 Likes

Could also use --nginx but no installer like below. Then Certbot would use an existing HTTP block (or setup a default server block if none exists) to satisfy the HTTP Challenge like it did in their initial attempt. It just would not create an HTTPS server block.

But, agree, standalone probably easiest if you don't need nginx at all. No sense having to maintain nginx just to get a cert.

sudo certbot certonly -a nginx -i none -d irc.chattogratis.it
3 Likes

Ok, it does allow HTTP port 80, so how do I do that?
Is that what sudo certbot -a nginx -i none -d irc.chattogratis.it does?

If you have no need for nginx it is probably better to do standalone like

sudo certbot certonly --standalone -d irc.chattogratis.it

The --standalone requires exclusive use of port 80.

So, you will need to stop nginx first and make sure nginx never runs again as it will latch onto port 80. So, probably best to uninstall nginx completely if using --standalone. As an aside, it is technically possible to configure nginx to not use port 80 and only use other ports. But, I think that is above your pay grade at the moment :slight_smile:

If you might want nginx in the future, do the -a nginx -i none example.

There is no single right answer here. There are just tradeoffs which you need to decide.

3 Likes

Ok, thank you. I will consult my other admins :slight_smile:

2 Likes

That is still using nginx.
If you don't need nginx, just uninstall it [you could always install it later on if you ever do really need it].
Something like one of these:

  • apt remove nginx
  • yum remove nginx

Then you can use certbot in standalone mode to only obtain the cert:
sudo certbot certonly -d irc.chattogratis.it --standalone

3 Likes
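One thing the standalone command above leaves open is how the IRC daemon gets the certificate afterwards, and how it gets the renewed one every couple of months. certbot keeps privkey.pem readable by root only under /etc/letsencrypt/live/, while an IRC daemon normally runs as an unprivileged user, and the files are replaced at renewal, so the daemon has to be told to reload. The script below is an added example, not from the thread, of a `--deploy-hook` that copies the pair to a directory the daemon owns and reloads it; certbot runs the hook after every successful issue or renewal with RENEWED_LINEAGE set to the live directory. The user name ircd, the directory /etc/ircd/tls and the unit name ircd.service are assumptions to adjust for whatever daemon is in use.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot --deploy-hook for the
# --standalone setup. certbot runs the hook after each successful
# issue/renewal with RENEWED_LINEAGE set to /etc/letsencrypt/live/<name>.
# The IRC daemon normally runs unprivileged and cannot read certbot's
# root-only privkey.pem, so the hook copies the pair into a directory the
# daemon owns and then reloads it.
# Assumptions (hypothetical, adjust to your daemon): user "ircd", directory
# /etc/ircd/tls, systemd unit "ircd.service".
set -eu
umask 077

# install_cert LINEAGE_DIR DEST_DIR OWNER
# Copies fullchain.pem (world-readable) and privkey.pem (owner-only) out of a
# certbot lineage directory into DEST_DIR. Returns 1 if the lineage is
# incomplete so a half-copied pair is never handed to the daemon.
install_cert() {
    lineage="$1"; dest="$2"; owner="$3"
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1
    mkdir -p "$dest"
    # live/*.pem are symlinks into archive/; cp follows them and copies content.
    # Write to temporary names first, then rename, so the daemon never opens a
    # partially written file.
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.new"
    cp "$lineage/privkey.pem"   "$dest/privkey.pem.new"
    chmod 0644 "$dest/fullchain.pem.new"
    chmod 0600 "$dest/privkey.pem.new"
    # chown needs root; certbot's renewal timer runs the hook as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dest/fullchain.pem.new" "$dest/privkey.pem.new"
    fi
    mv "$dest/fullchain.pem.new" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.new"   "$dest/privkey.pem"
}

# Entry point when certbot invokes the script (only certbot sets this variable).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" /etc/ircd/tls ircd
    systemctl reload ircd.service
fi
```

Save it as, say, /usr/local/sbin/irc-cert-hook (assumed path), make it executable, and issue with `sudo certbot certonly --standalone -d irc.chattogratis.it --deploy-hook /usr/local/sbin/irc-cert-hook`; certbot records the hook in /etc/letsencrypt/renewal/irc.chattogratis.it.conf, so the scheduled renewal runs it too. Keep in mind that `--standalone` needs port 80 free at every renewal, not just the first time, which is why removing nginx (or anything else that binds port 80) matters here.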

Ok, thank you :slight_smile:
Already done.

2 Likes

Were you able to obtain a cert?

2 Likes

Yes, it worked with --standalone, thank you :slight_smile:

2 Likes