Then you need to create a new one.
Perhaps start with a copy of the secure file.
[it has both port 80 and 443 in the one file - simpler]
You can show the cert files it will use with:
certbot certificates
Hi Rg,
Would there be any issues if I copied secure.ozone.international and changed entries to o3i?
Output for certbot:
certbot: command not found
It’s a good start.
You will need to change:
The files are actually in the /sites-available/ folder.
Copy it there.
Do you know how to make symbolic links?
Hi Rg!
I just created the file.
server
{
    listen 80;
    server_name .secure.o3i.international;
    add_header X-Frame-Options "SAMEORIGIN";

    location /websockify
    {
        proxy_pass http://0.0.0.0:11111;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /
    {
        return 301 https://$host$request_uri;
    }
}

server
{
    listen 443 ssl spdy;
    listen [::]:443 ssl;
    add_header Alternate-Protocol 443:npn-spdy/2;
    server_name .secure.o3i.international;
    add_header X-Frame-Options "SAMEORIGIN";
    access_log /var/log/nginx/secure.access.log;
    error_log /var/log/nginx/secure.error.log;

    location /
    {
        proxy_pass http://0.0.0.0:11100;
        index index.html;
    }

    location /u/
    {
        alias /opt/web/api/u/;
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location /graphs
    {
        alias /opt/web/report-emailer/cache;
    }

    location /api
    {
        proxy_pass http://0.0.0.0:11110;
        proxy_next_upstream error invalid_header http_500 http_502 http_503 http_504 timeout;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 25s;
        proxy_connect_timeout 25s;
        send_timeout 25s;
        proxy_send_timeout 25s;
    }

    location /websockify
    {
        proxy_pass http://0.0.0.0:11111;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    ssl_certificate /etc/letsencrypt/live/secure.o3i.international/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secure.o3i.international/privkey.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Enable server-side protection against BEAST attacks
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
    #ssl_dhparam /etc/ssl/ffdhe4096.pem;
    #ssl_ecdh_curve secp521r1:secp384r1;

    # Additional Security Headers
    # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    add_header X-Frame-Options DENY always;
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
    add_header X-Content-Type-Options nosniff always;
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    add_header X-Xss-Protection "1; mode=block" always;

    # Enable OCSP stapling
    # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/secure.o3i.international/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
    resolver_timeout 5s;

    # Required for LE certificate enrollment using certbot
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /var/www/html;
    }
}
I think this is correct.
Can you describe how to make a symbolic link?
Thank you again.
Please show the names covered in the o3i cert:
certbot certificates
Hi Rg!
After entering the command I get the output:
certbot: command not found
try:
./certbot certificates
What is the new file named?
Still no luck on the output.
Output:
Found the following certs:
Certificate Name: o3i.international
Domains: o3i.international
Expiry Date: 2020-01-29 18:59:53+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/o3i.international/fullchain.pem
Private Key Path: /etc/letsencrypt/live/o3i.international/privkey.pem
Certificate Name: ozone.international
Domains: ozone.international
Expiry Date: 2019-12-09 16:51:22+00:00 (VALID: 38 days)
Certificate Path: /etc/letsencrypt/live/ozone.international/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ozone.international/privkey.pem
Certificate Name: secure.o3i.international
Domains: secure.o3i.international
Expiry Date: 2020-01-29 18:38:09+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/secure.o3i.international/fullchain.pem
Private Key Path: /etc/letsencrypt/live/secure.o3i.international/privkey.pem
Certificate Name: secure.ozone.international
Domains: secure.ozone.international ssl.ozone.international www.secure.ozone.international
Expiry Date: 2019-12-09 17:10:51+00:00 (VALID: 38 days)
Certificate Path: /etc/letsencrypt/live/secure.ozone.international/fullchain.pem
Private Key Path: /etc/letsencrypt/live/secure.ozone.international/privkey.pem
Certificate Name: secure.tristrata.group
Domains: secure.tristrata.group
Expiry Date: 2019-12-10 09:28:58+00:00 (VALID: 39 days)
Certificate Path: /etc/letsencrypt/live/secure.tristrata.group/fullchain.pem
Private Key Path: /etc/letsencrypt/live/secure.tristrata.group/privkey.pem
Certificate Name: ssl.ozone.international
Domains: ssl.ozone.international
Expiry Date: 2019-12-09 17:11:30+00:00 (VALID: 38 days)
Certificate Path: /etc/letsencrypt/live/ssl.ozone.international/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ssl.ozone.international/privkey.pem
Certificate Name: www.secure.ozone.international
Domains: www.secure.ozone.international ssl.ozone.international
Expiry Date: 2019-12-09 17:11:10+00:00 (VALID: 38 days)
Certificate Path: /etc/letsencrypt/live/www.secure.ozone.international/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.secure.ozone.international/privkey.pem
Yes, sorry, you’re using certbot-auto
try:
sudo /usr/local/bin/certbot-auto certificates
OK so far so good.
Now to make the symbolic link…
What is the new file called?
New file is called secure.o3i.international
OK
make the symbolic link with:
ls -l /etc/nginx/sites-available/secure.o3i.international /etc/nginx/sites-enabled/
Then show that it’s there:
ls -l /etc/nginx/sites-enabled/
Great! Looks like that worked.
Output for ls -l /etc/nginx/sites-enabled/
lrwxrwxrwx 1 root root 52 Sep 11 04:05 nossl.ozone.international -> /etc/nginx/sites-available/nossl.ozone.international
lrwxrwxrwx 1 root root 53 Sep 11 03:41 secure.ozone.international -> /etc/nginx/sites-available/secure.ozone.international
now restart/reload nginx and test access
just restarted nginx but still getting no certificate on website.
nginx is handing out the wrong cert:
https://www.ssllabs.com/ssltest/analyze.html?d=secure.o3i.international&hideResults=on
Would deleting the other cert fix this problem?
Much appreciated!
This output is lacking the o3i file...
Try (I gave you the wrong command before - dooh):
ln -s /etc/nginx/sites-available/secure.o3i.international /etc/nginx/sites-enabled/secure.o3i.international
# ^ln (link) ^-s (symbolic) [1] [2]
and restart/reload nginx
Please show:
ls -l /etc/nginx/sites-enabled/
[new file needs to be there]
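As an added example (not posted in this thread), a small POSIX shell script that carries out the steps described above: link the site file from sites-available into sites-enabled, verify the link resolves, validate the config before reloading, and check which certificate nginx actually serves for the name. Directory paths are parameters so the link step can be tried against a scratch directory; systemctl is assumed for the reload.

```shell
#!/bin/sh
# Debian/Ubuntu nginx layout: the real file lives in sites-available/ and
# sites-enabled/ holds only a symbolic link to it. A missing link means the
# server block is never loaded, so SNI for that name falls through to the
# default server and the wrong certificate is handed out.

# enable_site AVAIL_DIR ENABLED_DIR SITE
# Creates (or refreshes) the symlink, prints its target, returns 1 if the
# site file does not exist and 2 if the resulting link does not resolve.
enable_site() {
    avail="$1"; enabled="$2"; site="$3"
    src="$avail/$site"
    link="$enabled/$site"
    if [ ! -f "$src" ]; then
        echo "no such site file: $src" >&2
        return 1
    fi
    # -f replaces a stale link, -n keeps ln from descending into a link to a dir
    ln -sfn "$src" "$link"
    if [ ! -L "$link" ] || [ ! -f "$link" ]; then
        echo "link $link does not resolve to a file" >&2
        return 2
    fi
    readlink "$link"
}

# link_target ENABLED_DIR SITE: what the enabled entry points at, i.e. the
# check that "ls -l /etc/nginx/sites-enabled/" performs by eye.
link_target() {
    readlink "$1/$2"
}

# apply_nginx: validate the whole configuration first so a typo in the new
# block cannot take the running server down. Needs root; not run by the test.
apply_nginx() {
    nginx -t && systemctl reload nginx
}

# served_cert HOST: subject and SANs of the certificate returned for this SNI
# name. Needs network access; not run by the test.
served_cert() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}
```

Run `enable_site /etc/nginx/sites-available /etc/nginx/sites-enabled secure.o3i.international && apply_nginx`, then `served_cert secure.o3i.international` should list that name in the SANs.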