Certbot: Could not automatically find a matching server block

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: o3i.international

I ran this command: sudo /usr/local/bin/certbot-auto --nginx

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): o3i.international
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/o3i.international.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Could not automatically find a matching server block for o3i.international. Set the `server_name` directive to use the Nginx installer.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/o3i.international/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/o3i.international/privkey.pem
   Your cert will expire on 2020-01-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
```

My web server is (include version): nginx 1.9.3 Ubuntu

The operating system my web server runs on is (include version): Ubuntu 15.10 (GNU/Linux 4.2.0-42-generic x86_64)

My hosting provider, if applicable, is: Physically hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 0.39.0

I keep receiving an error saying “Could not automatically find a matching server block for secure.o3i.international. Set the server_name directive to use the Nginx installer.”

I’m not sure what this means, but any help is highly appreciated.

Hi @o3illc

you should have something like a minimal server block.

```
server {
    listen 80;
    server_name o3i.international;
    access_log logs/o3i.international.access.log main;

    root /var/www/o3i.international/htdocs;
}
```

in your main config file or in an extra config file.

Your nginx config files have some samples.

If a port 80 block exists, Certbot is able to create a port 443 block.

Perhaps you have a default block. Then use that as template.

nginx -T

should show the new block (after a restart).

Then use

certbot --reinstall -d o3i.international

to try, if certbot finds the existing certificate and is able to install it.


What does
nginx -t
show?

Nginx -t shows:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Hi Juergen, thank you for the reply.

I’m not sure where my config file is located. Can you provide more information on where I would find it?

Most likely location:
/etc/nginx/sites-enabled/

If nothing there…
[to get a better idea of where it may be]
Try showing:
nginx -T | grep -Ei 'include|server_name|virtual'

Hi rg, thanks for the reply. Here’s the output after using the command suggested:

```
secure.ozone.international: server_name .secure.ozone.international;
secure.ozone.international: server_name .secure.ozone.international;
secure.ozone.international: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
nossl.ozone.international: server_name .nossl.ozone.international;
```


let’s “find” those files:
find / -name secure.ozone.international
find / -name nossl.ozone.international

and also show:
ls -l /etc/nginx/sites-enabled/

Thanks! Looks like I located some files in the following locations:

```
total 0
lrwxrwxrwx 1 root root 52 Sep 11 04:05 nossl.ozone.international -> /etc/nginx/sites-available/nossl.ozone.international
lrwxrwxrwx 1 root root 53 Sep 11 03:41 secure.ozone.international -> /etc/nginx/sites-available/secure.ozone.international
```

What should I do next?

Now we deal with this problem:

Please show file:
/etc/nginx/sites-available/nossl.ozone.international

and also the output of:
grep -i server_name /etc/nginx/nginx.conf

[there seems to be a conflict between those two files' server_names]

```
server
{
    listen 80;
    server_name .nossl.ozone.international;
    add_header X-Frame-Options "SAMEORIGIN";

    access_log /var/log/nginx/secure.access.log;
    error_log /var/log/nginx/secure.error.log;

    location /
    {
        proxy_pass http://0.0.0.0:11100;
        index index.html;
    }

    location /u/
    {
        alias /opt/web/api/u/;
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location /graphs
    {
        alias /opt/web/report-emailer/cache;
    }

    location /api
    {
        proxy_pass http://0.0.0.0:11110;
        proxy_next_upstream error invalid_header http_500 http_502 http_503 http_504 timeout;
        proxy_redirect off;
        proxy_buffering off;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 25s;
        proxy_connect_timeout 25s;
        send_timeout 25s;
        proxy_send_timeout 25s;
    }

    location /websockify
    {
        proxy_pass http://0.0.0.0:11111;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

prepend your file output with: `` ``` ``

and postpend it with same (three back ticks)
[so we can read it clearly - as written]

grep -i server_name /etc/nginx/nginx.conf
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

I’m not familiar with this syntax:
server_name .nossl.ozone.international;
[where it has a dot before the FQDN - not sure if that is an issue]

Please show the ssl file
/etc/nginx/sites-available/secure.ozone.international

Output for /etc/nginx/sites-available/secure.ozone.international:

```
server
{
    listen 80;
    server_name .secure.ozone.international;
    add_header X-Frame-Options "SAMEORIGIN";

    location /websockify
    {
        proxy_pass http://0.0.0.0:11111;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /
    {
        return 301 https://$host$request_uri;
    }
}

server
{
    listen 443 ssl spdy;
    listen [::]:443 ssl;
    add_header Alternate-Protocol 443:npn-spdy/2;

    server_name .secure.ozone.international;
    add_header X-Frame-Options "SAMEORIGIN";
    access_log /var/log/nginx/secure.access.log;
    error_log /var/log/nginx/secure.error.log;

    location /
    {
        proxy_pass http://0.0.0.0:11100;
        index index.html;
    }

    location /u/
    {
        alias /opt/web/api/u/;
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location /graphs
    {
        alias /opt/web/report-emailer/cache;
    }

    location /api
    {
        proxy_pass http://0.0.0.0:11110;
        proxy_next_upstream error invalid_header http_500 http_502 http_503 http_504 timeout;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 25s;
        proxy_connect_timeout 25s;
        send_timeout 25s;
        proxy_send_timeout 25s;
    }

    location /websockify
    {
        proxy_pass http://0.0.0.0:11111;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    ssl_certificate /etc/letsencrypt/live/secure.ozone.international/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secure.ozone.international/privkey.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Enable server-side protection against BEAST attacks
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    # RFC-7919 recommended: Security/Server Side TLS - MozillaWiki
    #ssl_dhparam /etc/ssl/ffdhe4096.pem;
    #ssl_ecdh_curve secp521r1:secp384r1;

    # Additional Security Headers

    # ref: Strict-Transport-Security - HTTP | MDN
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # ref: X-Frame-Options - HTTP | MDN
    add_header X-Frame-Options DENY always;

    # ref: X-Content-Type-Options - HTTP | MDN
    add_header X-Content-Type-Options nosniff always;

    # ref: X-XSS-Protection - HTTP | MDN
    add_header X-Xss-Protection "1; mode=block" always;

    # Enable OCSP stapling
    # ref. OCSP Stapling in Firefox - Mozilla Security Blog
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/secure.ozone.international/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
    resolver_timeout 5s;

    # Required for LE certificate enrollment using certbot
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /var/www/html;
    }
}
```

Ok
Neither of those files has o3i.
You will need to create a file for o3i (if one is not already there).
Please show:
ls -l /etc/nginx/sites-available/

and again: for legibility, please insert a line with 3 back ticks before your pasted file and also after
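
The mismatch diagnosed above, and the leading-dot `server_name` form asked about earlier, shown as an added example (not part of the original thread and not Certbot's own code). It applies nginx's documented `server_name` matching rules to a sample built from the `server_name` lines posted in the thread; the function names are hypothetical and regex names are only approximated with Python's `re`.

```python
import re

# Constructed sample: one server block per server_name line in the poster's
# grep output, plus the two commented-out nginx.conf lines from the thread.
SAMPLE_CONFIG = """
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
server { listen 80;      server_name .nossl.ozone.international; }
server { listen 80;      server_name .secure.ozone.international; }
server { listen 443 ssl; server_name .secure.ozone.international; }
"""

def server_names(config_text):
    """List every name from server_name directives, ignoring comments."""
    text = "\n".join(l.split("#", 1)[0] for l in config_text.splitlines())
    names = []
    for m in re.finditer(r"\bserver_name\s+([^;]+);", text):
        names.extend(m.group(1).split())
    return names

def name_matches(pattern, host):
    """Apply nginx's server_name rules for a single configured name."""
    host = host.lower().rstrip(".")
    if pattern.startswith("~"):            # regex name; "~*" ignores case
        body = pattern[2:] if pattern.startswith("~*") else pattern[1:]
        flags = re.I if pattern.startswith("~*") else 0
        try:                               # PCRE approximated with Python's re
            return re.search(body, host, flags) is not None
        except re.error:
            return False
    pattern = pattern.lower()
    if pattern.startswith("."):            # ".x.y" means "x.y" plus "*.x.y"
        return host == pattern[1:] or host.endswith(pattern)
    if pattern.startswith("*."):           # leading wildcard: subdomains only
        return host.endswith(pattern[1:])
    if pattern.endswith(".*"):             # trailing wildcard
        return host.startswith(pattern[:-1])
    return host == pattern                 # exact name

def find_matches(config_text, host):
    """Return the configured names that would select a block for host."""
    return [n for n in server_names(config_text) if name_matches(n, host)]

if __name__ == "__main__":
    for host in ("o3i.international", "secure.ozone.international"):
        print(host, "->", find_matches(SAMPLE_CONFIG, host) or "no server block")
```

To check a live server, pass the text printed by `nginx -T` to `find_matches` in place of the sample.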

Output for ls -l /etc/nginx/sites-available/:

```
-rw-r--r-- 1 root root 2068 Jul 22  2015 default
-rw-r--r-- 1 root root 1210 Sep 11 04:05 nossl.ozone.international
-rw-r--r-- 1 root root  725 Sep 22  2015 o3i_api
-rw-r--r-- 1 root root 2535 Sep 10 10:56 o3i_api_ssl
-rw-r--r-- 1 root root  750 Apr  8  2014 o3i_forseafood
-rw-r--r-- 1 root root  849 Jan 12  2015 o3i_mantis
-rw-r--r-- 1 root root  166 Jan  9  2015 o3i_nav
-rw-r--r-- 1 root root  313 May 19  2015 o3i_repository
-rw-r--r-- 1 root root 1456 Nov 20  2014 o3i_solutions
-rw-r--r-- 1 root root 1730 May 27  2014 o3i_solutions_dev
-rw-r--r-- 1 root root 1331 Jan  7  2016 o3i_solutions_ng
-rw-r--r-- 1 root root 1506 Feb 15  2016 o3i_solutions_ng_nossl
-rw-r--r-- 1 root root 3645 Sep 11 03:12 o3i_solutions_ng_ssl
-rw-r--r-- 1 root root 3467 Feb  4  2019 o3i_solutions_ng_ssl.bak
-rw-r--r-- 1 root root  342 Nov 18  2014 o3i_tools
-rw-r--r-- 1 root root 3538 Sep 11 03:48 secure.ozone.international
```

I once again appreciate the help


Are any of those of any use (for your current o3i site)?

Hi Rg,

None of these are used for my current o3i site. They were used for a previous domain.