Common Name invalid with NGINX


#21

Great. Thank you!

Yes, I can copy the files. It's just the two PEM files, right?


#22

Yes, but those files in the live directory are symlinks, so make sure when you copy them, the contents come too, not an empty pointer to a file.


#23

Ahhh ok, I'll need to research how to do that.


#24

So, I went to do this:

sudo apt-get install -y certbot
sudo apt install python-certbot-nginx
sudo certbot certonly --nginx -d automate.nsautomate.com.au

and it says

Could not choose appropriate plugin: The requested nginx plugin does not appear to be installed
The requested nginx plugin does not appear to be installed

I can run this, but the web root for this domain is on the other server?

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/domain -d automate.nsautomate.com.au


#25

Should not be happening. What’s this show:

dpkg --list | grep -iE "(letsencrypt|certbot)"

#26

kris@openhab2:/var/www$ dpkg --list | grep -iE "(letsencrypt|certbot)"
ii certbot 0.28.0-1+ubuntu18.04.1+certbot+4 all automatically configure HTTPS using Let’s Encrypt
ii letsencrypt 0.28.0-1+ubuntu18.04.1+certbot+4 all transitional dummy package
ii python3-acme 0.28.0-1+ubuntu18.04.1+certbot+3 all ACME protocol library for Python 3
ii python3-certbot 0.28.0-1+ubuntu18.04.1+certbot+4 all main library for certbot
ii python3-configobj 5.0.6-2+ubuntu18.04.1+certbot+1 all simple but powerful config file reader and writer for Python 3
ii python3-future 0.15.2-4+ubuntu18.04.1+certbot+3 all Clean single-source support for Python 3 and 2 - Python 3.x
ii python3-josepy 1.1.0-2+ubuntu18.04.1+certbot+1 all JOSE implementation for Python 3.x
ii python3-parsedatetime 2.4-3+ubuntu18.04.1+certbot+3 all Python 3 module to parse human-readable date/time expressions
ii python3-requests-toolbelt 0.8.0-1+ubuntu18.04.1+certbot+1 all Utility belt for advanced users of python3-requests
ii python3-zope.component 4.3.0-1+ubuntu18.04.1+certbot+3 all Zope Component Architecture
ii python3-zope.hookable 4.0.4-4+ubuntu18.04.1+certbot+1 amd64 Hookable object support
ii python3-zope.interface 4.3.2-1+ubuntu18.04.1+certbot+1 amd64 Interfaces for Python3
kris@openhab2:/var/www$


#27

Huh? Is that on your prod server?

Did this succeed?

Are you following instructions from https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx ?


#28

I'm following some instructions from the openhab site actually where users have done it.

This is what it said when I installed

kris@openhab2:/var/www$ sudo apt-get install -y certbot
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
guile-2.0-libs libgsasl7 libkyotocabinet16v5 liblockfile-bin liblockfile1 libmailutils5 libntlm0 lockfile-progs m4 mailutils-common
procmail
Use ‘sudo apt autoremove’ to remove them.
The following additional packages will be installed:
python3-certbot python3-ndg-httpsclient
Suggested packages:
python3-certbot-apache python3-certbot-nginx python-certbot-doc
The following NEW packages will be installed:
python3-ndg-httpsclient
The following packages will be upgraded:
certbot python3-certbot
2 upgraded, 1 newly installed, 0 to remove and 76 not upgraded.
Need to get 240 kB of archives.
After this operation, 115 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic/universe amd64 python3-ndg-httpsclient all 0.4.4-1 [23.5 kB]
Get:2 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main amd64 certbot all 0.28.0-1+ubuntu18.04.1+certbot+4 [10.9 kB]
Get:3 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main amd64 python3-certbot all 0.28.0-1+ubuntu18.04.1+certbot+4 [206 kB]
Fetched 240 kB in 3s (83.1 kB/s)
Selecting previously unselected package python3-ndg-httpsclient.
(Reading database … 163361 files and directories currently installed.)
Preparing to unpack …/python3-ndg-httpsclient_0.4.4-1_all.deb …
Unpacking python3-ndg-httpsclient (0.4.4-1) …
Preparing to unpack …/certbot_0.28.0-1+ubuntu18.04.1+certbot+4_all.deb …
Unpacking certbot (0.28.0-1+ubuntu18.04.1+certbot+4) over (0.26.1-1+ubuntu18.04.1+certbot+2) …
Preparing to unpack …/python3-certbot_0.28.0-1+ubuntu18.04.1+certbot+4_all.deb …
Unpacking python3-certbot (0.28.0-1+ubuntu18.04.1+certbot+4) over (0.26.1-1+ubuntu18.04.1+certbot+2) …
Processing triggers for man-db (2.8.3-2ubuntu0.1) …
Setting up python3-ndg-httpsclient (0.4.4-1) …
Setting up python3-certbot (0.28.0-1+ubuntu18.04.1+certbot+4) …
Setting up certbot (0.28.0-1+ubuntu18.04.1+certbot+4) …
Installing new version of config file /etc/cron.d/certbot …
certbot.service is a disabled or a static unit, not starting it.


#29

That’s the install output for certbot, but what’s key is the output for apt install python-certbot-nginx, since it brings the nginx plugin with it.


#30

OK, sudo and the command installed it.


#31

And did that get rid of the plugin error?

(BTW, the command you’re trying probably won’t work for now, due to the rate limit reasons I mentioned earlier).


#32

Yes, it worked fine.

I put in the big nginx configuration and then restarted nginx

This popped up. I have to comment out all the SSL stuff right from the Dev domain

kris@openhab2:/var/www$ systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2019-02-15 12:14:12 AEDT; 7s ago
Docs: man:nginx(8)
Process: 708 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=2)
Process: 710 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Main PID: 1971 (code=exited, status=0/SUCCESS)

Feb 15 12:14:12 openhab2 systemd[1]: Starting A high performance web server and a reverse proxy server…
Feb 15 12:14:12 openhab2 nginx[710]: nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/automate.nsautomate.com.au/fullchain.pem") failed (SSL: error:02001002:system library:
Feb 15 12:14:12 openhab2 nginx[710]: nginx: configuration file /etc/nginx/nginx.conf test failed
Feb 15 12:14:12 openhab2 systemd[1]: nginx.service: Control process exited, code=exited status=1
Feb 15 12:14:12 openhab2 systemd[1]: nginx.service: Failed with result ‘exit-code’.
Feb 15 12:14:12 openhab2 systemd[1]: Failed to start A high performance web server and a reverse proxy server.

kris@openhab2:/var/www$


#33

As suggested earlier, you’ll need to copy the fullchain.pem and privkey.pem from your dev server and use those temporarily.

That’ll get your nginx up and running with SSL for both your domains on port 443.

Then once your rate limit is gone, you can use the certonly.


#34

OK. hmm. So use cp with preserve links?


#35

You want to copy the contents:

cp -L

#36

root@openhabdev:/etc/letsencrypt/live/automate.nsautomate.com.au# mkdir /home/kris/certs
root@openhabdev:/etc/letsencrypt/live/automate.nsautomate.com.au# cp -L . /home/kris/certs
root@openhabdev:/etc/letsencrypt/live/automate.nsautomate.com.au# cd /home/kris/certs
root@openhabdev:/home/kris/certs# ls
cert.pem chain.pem fullchain.pem privkey.pem
root@openhabdev:/home/kris/certs# ls -la
total 24
drwxr-xr-x 2 root root 4096 Feb 15 01:22 .
drwxr-xr-x 7 kris kris 4096 Feb 15 01:22 ..
-rw-r--r-- 1 root root 1944 Feb 15 01:22 cert.pem
-rw-r--r-- 1 root root 1647 Feb 15 01:22 chain.pem
-rw-r--r-- 1 root root 3591 Feb 15 01:22 fullchain.pem
-rw-r--r-- 1 root root 1704 Feb 15 01:22 privkey.pem
root@openhabdev:/home/kris/certs#

Now to copy them off the server, and onto .3
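
Added example, not part of the original thread: in the listing above, privkey.pem lands in the staging directory as -rw-r--r-- inside a drwxr-xr-x directory, so any local user can read the private key. The sketch below copies the two files nginx needs by content (following the live/ symlinks) into an owner-only directory, and checks that the key belongs to the certificate before nginx is pointed at it. The function names and the staging path in the usage comment are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.
# Usage, with a hypothetical staging directory:
#   copy_live_certs /etc/letsencrypt/live/automate.nsautomate.com.au /root/certs-staging
#   key_matches_cert /root/certs-staging/fullchain.pem /root/certs-staging/privkey.pem

# copy_live_certs SRC_DIR DST_DIR
# Copy fullchain.pem and privkey.pem out of a certbot live directory,
# dereferencing symlinks, into a directory only the owner can read.
copy_live_certs() {
    local src="$1" dst="$2" f
    (
        umask 077                        # new dir 0700, new files 0600
        mkdir -p "$dst" || exit 1
        chmod 700 "$dst"                 # tighten it if it already existed
        for f in fullchain.pem privkey.pem; do
            # -s follows the link: fails on a dangling symlink or empty file
            [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; exit 1; }
            cp -L "$src/$f" "$dst/$f" || exit 1
            chmod 600 "$dst/$f"
            # the copy must be a regular file, not another pointer
            [ -f "$dst/$f" ] && [ ! -L "$dst/$f" ] || exit 1
        done
    )
}

# key_matches_cert CERT KEY
# Succeed only if the first certificate in CERT (the leaf, for fullchain.pem)
# carries the same public key as the private key in KEY. Requires openssl.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Once the files are installed on the target server, delete the staging copies on both machines so the key does not linger in a home directory.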


#37

You’re the man.

I copied the files, restarted the server and it’s started without error. Now the moment of truth!

