Certbot on NGINX - not working... no plug-and-play solution?

We have a “sandbox machine” at http://jats.science/ running fresh UBUNTU 16 LTS (xenial) and NGINX. Used standard procedures as certbot.eff.org/#ubuntuxenial-nginx. Is not working! Check it at https://jats.science

root@jats-science:~# certbot --version
certbot 0.12.0

root@jats-science:~# certbot certonly --webroot --webroot-path=/usr/share/nginx/html -d jats.science -d www.jats.science
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/jats.science.conf)

What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jats.science
http-01 challenge for www.jats.science
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/jats.science/fullchain.pem. Your cert will
   expire on 2017-08-10. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@jats-science:~# service nginx restart

PS: this old tutorial explains how to do a workaround… But it is not a “plug-and-play procedure”, it is ugly.

Hi @ppKrauss,

The meaning of “certonly” is that it only obtains the certificate and does not install or configure it for you.

In recent version of Certbot there is now an --nginx option available, parallel to the older --apache, which tries to obtain and install your certificate in Nginx in a comparatively automated way. You are welcome to give this a try and let us know about your experiences, which can also help us to improve the software if you run into any problems.

I believe the version that you got from the Ubuntu PPA is not yet recent enough to include --nginx, although it should be updated soon if you can wait for, I guess, another week or two. Alternatively, you can install the most recent version by a different method

and then you can try --nginx.

Hi @schoen, I am back to my NGINX server… It is working (!). I redo all machine… See Notes below.

And certificates are all there, but analyzing it with
we get Overall Rating B (not A), and a error: https://weakdh.org/

PS: after I redo by certbot --nginx --cert-name oficial.news and answering “Renew & replace the cert”… No solution.


Steps used to work at a “fresh” UBUNTU 16 LTS (and standard nginx-on-ubuntu-16-04 installation) server:

0. ad a VirtualHost to domains. Even when running (HTTP fine), Cerbot needs a nginx.conf fragment script (the parse detects server{} clauses and its server_name variables) for each certified domain or subdomain.

1. do all https://certbot.eff.org/#ubuntuxenial-nginx commands with su, apt install software-properties-common, add-apt-repository ppa:certbot/certbot, etc.

2. run command certbot --nginx (as the same ubuntuxenial-nginx instruction), and answered the questions with yes, domains and subdomains… All domains and subdomains detected.

3. run service nginx restart.

Hi @ppKrauss,

This issue is caused by the default configuration provided by Ubuntu for nginx. To solve this issue, you need to create your own dh param file.

mkdir /etc/nginx/ssl/
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Note: the openssl dhparam command could take a few minutes to complete, be patient.

Now edit your /etc/nginx/nginx.conf and inside the http block, you sill see a section called # SSL Settings, put there this directive:

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

Save the nginx.conf file, restart or reload your nginx server and try the ssllabs test again.


1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.