Challenges failing for my domain

Welcome to the community!

I think the problem may be that the --webroot used ("/var/lib/letsencrypt/") may not match the root being served from.

Please show the http vhost config for these domains.

And as far as the tutorial used, it may be a little bit outdated - I would now recommend using certbot installed from snapd instead of apt.
See:


2 Likes

Fantastic!! And what a fast response!! I am amazed.

@rg305, you are a life saver!! The instructions in the link you sent worked a charm! This time the challenges worked fine. (To be honest, I actually tried these instructions at the start, but at that time public internet access was not provided. I later forgot about this link and kept trying other options once we got public internet access for the VM.)

However, the SSL test still fails when I test through this: https://www.ssllabs.com/ssltest/index.html
That's probably because of my horrible nginx config.
It would be great if you could share links for correctly configuring nginx (I find the terminology around pem/cert/key/bundle etc. not quite clear).

This is how the config was when I issued the certbot command.

server {
    listen       443;
    server_name tdmworld.net www.tdmworld.net;


    location / {
        proxy_pass http://127.0.0.1:5000;
    }
}

I think I should include some lines on SSL, but I'm not sure of the right way to do it.

I also noticed some error messages when the certs were issued:

    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: tdmworld.net
    2: www.tdmworld.net
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 1,2
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for tdmworld.net
    http-01 challenge for www.tdmworld.net
    nginx: [warn] conflicting server name "tdmworld.net" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "www.tdmworld.net" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "tdmworld.net" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "www.tdmworld.net" on 0.0.0.0:80, ignored
    Waiting for verification...
    Cleaning up challenges
    nginx: [warn] conflicting server name "tdmworld.net" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "www.tdmworld.net" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "tdmworld.net" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "www.tdmworld.net" on 0.0.0.0:80, ignored
    Deploying Certificate to VirtualHost /etc/nginx/conf.d/virtual.conf
    Deploying Certificate to VirtualHost /etc/nginx/conf.d/virtual.conf
    nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/virtual.conf:1
    Rolling back to previous server configuration...
    nginx: [warn] conflicting server name "tdmworld.net" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "www.tdmworld.net" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "tdmworld.net" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "www.tdmworld.net" on 0.0.0.0:80, ignored
    nginx restart failed:
    b''
    b''

    IMPORTANT NOTES:
     - We were unable to install your certificate, however, we
       successfully restored your server to its prior configuration.
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/tdmworld.net/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/tdmworld.net/privkey.pem
       Your cert will expire on 2021-01-10. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
2 Likes

Glad to see that the cert issue was resolved.
For the cipher configurations and such, I would start here:

1 Like

Hi @rg305, could you please help me with what goes into each of these paths?

/path/to/signed_cert_plus_intermediates - I am assuming this is "/etc/letsencrypt/live/tdmworld.net/fullchain.pem"

/path/to/private_key - I am assuming this is /etc/letsencrypt/live/tdmworld.net/privkey.pem

Are these correct?

And for this:

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /path/to/dhparam;

Should we just curl that file into some local path and use it in place of /path/to/dhparam?
(I am seeing a .dhparams.pem file at /etc/letsencrypt; should I mention that as the folder here?)

And lastly, I am not sure what path I am supposed to mention here:

ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
1 Like

Yes to both.

I would not recommend using any predefined DH.
Either create your own fresh with OpenSSL or don't use any ciphers relying on DH primes.

This is rarely used these days; which version of Apache are you running?
I see you use nginx; it is not required for nginx.

2 Likes

Thanks a bunch @rg305 for your super fast responses!

I happened to watch this video now and realized how simple it was if the initial nginx config file was set up correctly. The root cause of my troubles is that I had created a config file at /etc/nginx/conf.d/virtual.conf with some improper config while I had the exact same one at /sites-available as shown in the video. I removed the virtual.conf file, reran the certbot command and voila! It all worked fine. I am now able to view my domain over HTTPS as well.

Let's Encrypt and you are awesome!!
If I don't donate to Let's Encrypt even after this, I am not human :slight_smile:

3 Likes

Cheers from Miami :beers:

3 Likes

Hi, I am trying to make nginx listen on 443 (my domain www.tdmworld.net) and proxy to my app on port 5000, and I am struggling to get the right syntax and file location for the SSL cert and key.

Here is my conf:

server {
    listen 80 default_server;
    server_name tdmworld.net;

    location / {
        proxy_pass http://127.0.0.1:5000;
    }
}

server {
    listen 443 ssl;
    server_name www.tdmworld.net;
    ssl_certificate /etc/letsencrypt/live/www.tdmworld.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tdmworld.net/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:5000;
    }
}
Most examples on the internet show it as

server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
}

I have successfully generated certs/keys with certbot but am not sure what I should put for the paths (and keywords) for ssl_certificate and ssl_certificate_key. Right now https://mydomain shows the default page and I need to reroute it to my app.

Any help on this is greatly appreciated.

Some links showed these as the paths (but nginx says those are not known commands):

SSLCertificateFile     /etc/letsencrypt/live/www.tdmworld.net/fullchain.pem
SSLCertificateKeyFile  /etc/letsencrypt/live/www.tdmworld.net/privkey.pem

And when I change the keywords to ssl_certificate and ssl_certificate_key I get the error messages below. I also can't cd to those folders to see what exactly they contain (it says permission denied).

:/etc/nginx/conf.d$ sudo nginx -t
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/www.tdmworld.net/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/www.tdmworld.net/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

@rg305, any tips on this?

Please show:
certbot --version
certbot certificates

Sure. Here are the details:

It's certbot 0.40.0
and..

Found the following certs:
Certificate Name: tdmworld.net
Domains: tdmworld.net www.tdmworld.net
Expiry Date: 2021-01-10 16:56:22+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/tdmworld.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tdmworld.net/privkey.pem


This is where the certs are:

This is where it fails to find them:

Remove the "WWW." from those two lines and try again.

Why still on version 0.40.0?
Were you unable to install from snapd?

You have to be root user to get into those folders.
sudo su -

Were you unable to install from snapd?
When I tried to install it, it said it already exists.
Is there a way to change that?

Please show:
find / -name certbot
which certbot

$ sudo find / -name certbot
/home/ubuntu/snap/certbot
/var/snap/certbot
/root/snap/certbot
/snap/certbot
/snap/certbot/652/bin/certbot
/snap/certbot/652/lib/python3.8/site-packages/certbot
/snap/bin/certbot
/etc/logrotate.d/certbot
/etc/cron.d/certbot
/usr/lib/python3/dist-packages/certbot
/usr/share/doc/certbot
/usr/bin/certbot

$ which certbot
/usr/bin/certbot

You have certbot installed twice.

Try:
sudo apt remove certbot
sudo apt autoremove
then
which certbot

Done! Now it shows

/snap/bin/certbot

for which certbot

Also, since nginx has conf files in multiple places, can you please confirm which conf file I should add these certs and keys to?

/etc/nginx/sites-available/tdmworld.net
/etc/nginx/conf.d/virtual.conf

There is no way for me to know, from here, how you have configured your server.
Wherever you entered:

You need to go back and edit that and remove the "www." from each line.
Then restart nginx.

Try:
sudo grep -R SSLCert /etc/nginx/
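The mismatch in this thread (config points at live/www.tdmworld.net/ while certbot named the lineage tdmworld.net, plus Apache-style SSLCertificateFile lines that nginx rejects) can be found mechanically. The script below is an added example, not code from the thread or from certbot; it assumes POSIX sh with GNU grep, and every path it uses is constructed in a temp dir.

```shell
#!/bin/sh
# Added example, not code from the thread. Scans an nginx config tree for
# certificate directives: Apache-style ones (SSLCertificateFile) are flagged
# since nginx rejects them, and each nginx ssl_certificate(_key) path is
# checked on disk; a missing live/www.<domain>/ path is retried as
# live/<domain>/, because certbot names the lineage after the first domain.

check_nginx_cert_paths() {   # $1 = nginx config directory
    grep -rhE '^[[:space:]]*(ssl_certificate(_key)?|SSLCertificate(Key)?File)[[:space:]]' "$1" |
    while read -r directive path; do
        path=${path%;}                       # nginx values end with ';'
        case $directive in
            SSL*) echo "APACHE_SYNTAX $directive" ;;   # nginx -t: unknown directive
            *)
                if [ -f "$path" ]; then echo "OK $path"; continue; fi
                alt=$(printf '%s' "$path" | sed 's#/live/www\.#/live/#')
                if [ "$alt" != "$path" ] && [ -f "$alt" ]; then
                    echo "MISSING $path -> use $alt"
                else
                    echo "MISSING $path"
                fi ;;
        esac
    done
}

# Demo on a constructed tree: lineage tdmworld.net exists, config says www.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/le/live/tdmworld.net" "$root/nginx/conf.d"
    : > "$root/le/live/tdmworld.net/fullchain.pem"
    : > "$root/le/live/tdmworld.net/privkey.pem"
    cat > "$root/nginx/conf.d/virtual.conf" <<EOF
server {
    listen 443 ssl;
    server_name www.tdmworld.net;
    ssl_certificate $root/le/live/www.tdmworld.net/fullchain.pem;
    ssl_certificate_key $root/le/live/www.tdmworld.net/privkey.pem;
    SSLCertificateFile $root/le/live/www.tdmworld.net/fullchain.pem
}
EOF
    check_nginx_cert_paths "$root/nginx"
    rm -rf "$root"
}

demo
```

On a real host, run `check_nginx_cert_paths /etc/nginx` as root and then `nginx -t` once every line reads OK.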

I edited the file at conf.d and it worked fine! Thanks a bunch for bearing with me @rg305 :+1: !!

1 Like

Now you need to keep an eye on it to ensure the autorenewals are working, and you're done!
Which should be in about 59 days.
[Expiration date - 30 days]

Cheers from Miami :beers:

1 Like