I ran this command: Pulled up my domain in a Web browser
It produced this output: Firstly, although I have run certbot --nginx successfully and installed the certificate, the site shows the "Connection not secure" error in my browsers. Secondly, when I inspect the certificate, there are some odd features: the "organization" on the certificate is "mail.omc.fyi" (when my domain is omc.fyi, though I do have a mailserver at mail.omf.fyi), and there are some other confusing items (the location is ShenZhen in China, and the organization "IT").
I'm guessing that I made a mistake along the way, and would very much appreciate some help.
My web server is (include version): nginx/1.18.0
The operating system my web server runs on is (include version): Ubuntu 20.04 LTS
Although you successfully created a Let's Encrypt certificate, the certificate that you're seeing when connecting to the site is not your Let's Encrypt certificate. It seems like there is some kind of device in front of your nginx server that's serving a self-signed certificate.
(I saw that you wrote "omf.fyi" a couple of times but that you meant "omc.fyi".)
If your mailserver is a separate server, why are the DNS names mail.omc.fyi and omc.fyi both pointed at the same address, 209.95.52.144?
Sorry for the typos; and yes, there is just one IP address, 209.95.52.144.
Here are the outputs!
nginx -t:
nginx: [warn] conflicting server name "omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "omc.fyi" on [::]:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
And nginx -T | grep -Ei 'listen|root|server_name|cert|encrypt|virt|config|location':
nginx: [warn] conflicting server name "omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "omc.fyi" on [::]:443, ignored
nginx: [warn] conflicting server name "www.omc.fyi" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# configuration file /etc/nginx/conf-enabled/0-general.conf:
# configuration file /etc/nginx/conf-enabled/cache.conf:
# configuration file /etc/nginx/conf-enabled/client_max_body_size.conf:
# configuration file /etc/nginx/conf-enabled/default_type.conf:
# configuration file /etc/nginx/conf-enabled/gzip.conf:
text/vnd.rim.location.xloc
# configuration file /etc/nginx/conf-enabled/headers.conf:
# configuration file /etc/nginx/conf-enabled/log.conf:
# configuration file /etc/nginx/conf-enabled/mime_types.conf:
# configuration file /etc/nginx/mime.types:
application/x-x509-ca-cert der pem crt;
# configuration file /etc/nginx/conf-enabled/php_fpm.conf:
# configuration file /etc/nginx/conf-enabled/sendfile.conf:
# configuration file /etc/nginx/conf-enabled/server_tokens.conf:
# configuration file /etc/nginx/conf-enabled/types_hash_max_size.conf:
# configuration file /etc/nginx/sites-enabled/00-default-ssl.conf:
# Note: This file must be loaded before other virtual host config files,
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name omc.fyi www.omc.fyi;
root /var/www/omc.fyi/html;
# configuration file /etc/nginx/templates/misc.tmpl:
location ~ ^/.well-known/ {
#root /var/www/html;
location ~ /\. { deny all; }
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
# configuration file /etc/nginx/templates/ssl.tmpl:
# To use your own ssl cert (e.g. "Let's Encrypt"), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/ssl/certs/iRedMail.crt
# To request free "Let's Encrypt" cert, please check our tutorial:
# https://docs.iredmail.org/letsencrypt.html
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;
# configuration file /etc/nginx/templates/iredadmin.tmpl:
location ~ ^/iredadmin/static/(.*) {
location ~ ^/iredadmin(.*) {
location = /iredadmin {
location ~ ^/newsletter/ {
# configuration file /etc/nginx/templates/hsts.tmpl:
# certificate.
# configuration file /etc/nginx/uwsgi_params:
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_NAME $server_name;
# configuration file /etc/nginx/templates/roundcube.tmpl:
# Running Roundcube as a subfolder on an existing virtual host
location ~ ^/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }
location ~ ^/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
# Block plugin config files and sample config files.
location ~ ^/mail/plugins/.*/config.inc.php.* { deny all; }
location ~ ^/mail/plugins/enigma/home($|/.*) { deny all; }
location = /mail {
location ~ ^/mail/(.*\.php)$ {
location ~ ^/mail/(.*) {
# configuration file /etc/nginx/templates/fastcgi_php.tmpl:
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_NAME $server_name;
# configuration file /etc/nginx/templates/sogo.tmpl:
location ~ ^/sogo { rewrite ^ https://$host/SOGo; }
location ~ ^/SOGO { rewrite ^ https://$host/SOGo; }
#location ~ ^/mail { rewrite ^ https://$host/SOGo; }
location ^~ /SOGo {
location ^~ /Microsoft-Server-ActiveSync {
location ^~ /SOGo/Microsoft-Server-ActiveSync {
location /SOGo.woa/WebServerResources/ {
location /SOGo/WebServerResources/ {
location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
# configuration file /etc/nginx/templates/netdata.tmpl:
# Running netdata as a subfolder to an existing virtual host
location = /netdata {
location ~ /netdata/(?<ndpath>.*) {
# configuration file /etc/nginx/templates/php-catchall.tmpl:
location ~ \.php$ {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# configuration file /etc/nginx/templates/stub_status.tmpl:
location = /stub_status {
location = /status {
# configuration file /etc/nginx/sites-enabled/00-default.conf:
# Note: This file must be loaded before other virtual host config files,
# Listen on ipv4
root /var/www/omc.fyi/html;
server_name omc.fyi www.omc.fyi;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/omc.fyi/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/omc.fyi/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
} # managed by Certbot
} # managed by Certbot
listen 80;
listen [::]:80 ipv6only=on;
server_name omc.fyi www.omc.fyi;
return 404; # managed by Certbot
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
Hi team, thanks again for all the help! Per your direction, @JuergenAuer, I attempted to make it one port-domain combination per virtual host file; so:
00-default.conf contains:
#
# Note: This file must be loaded before other virtual host config files,
#
# HTTP
server {
if ($host = www.omc.fyi) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = omc.fyi) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80 ipv6only=on;
server_name omc.fyi www.omc.fyi;
return 404; # managed by Certbot
}
and 00-default-ssl.conf contains:
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
# Redirect all insecure http:// requests to https://
return 301 https://$host$request_uri;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/omc.fyi/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/omc.fyi/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server_name omc.fyi www.omc.fyi;
root /var/www/omc.fyi/html;
index index.php index.html index.nginx-debian.html;
include /etc/nginx/templates/misc.tmpl;
include /etc/nginx/templates/ssl.tmpl;
include /etc/nginx/templates/iredadmin.tmpl;
include /etc/nginx/templates/roundcube.tmpl;
include /etc/nginx/templates/sogo.tmpl;
include /etc/nginx/templates/netdata.tmpl;
include /etc/nginx/templates/php-catchall.tmpl;
include /etc/nginx/templates/stub_status.tmpl;
}
But now, when I run nginx -t, I get:
nginx: [warn] duplicate value "TLSv1.2" in /etc/nginx/templates/ssl.tmpl:1
nginx: [emerg] "ssl_ciphers" directive is duplicate in /etc/nginx/templates/ssl.tmpl:4
nginx: configuration file /etc/nginx/nginx.conf test failed
Can you advise as to how I might resolve the duplication? Or please let me know if there's something else that I did wrong.
Contents of /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
The contents of /etc/nginx/templates/ssl.tmpl (which appears to have been generated when I set up the mail server with iRedMail) are:
ssl_protocols TLSv1.2;
# Fix 'The Logjam Attack'.
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh2048_param.pem;
# To use your own ssl cert (e.g. "Let's Encrypt"), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
#
# For example:
#
# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/ssl/certs/iRedMail.crt
#
# To request free "Let's Encrypt" cert, please check our tutorial:
# https://docs.iredmail.org/letsencrypt.html
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;
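An added example, not from the thread: a small Python check that inlines include files the way nginx -T does and then reports the two things nginx -t complained about above, a single-valued ssl_* directive set from two different files inside one server block, and a listen/server_name pair claimed by two server blocks. The file contents are constructed, abridged stand-ins for the configs quoted in this thread, not the poster's real files; wildcard includes are not expanded.

```python
import re
from collections import defaultdict

# Constructed, abridged stand-ins for files quoted in the thread (not the poster's real files).
FILES = {
    "/etc/nginx/nginx.conf": "http {\n  include /etc/nginx/sites-enabled/00-default.conf;\n"
                             "  include /etc/nginx/sites-enabled/00-default-ssl.conf;\n}\n",
    "/etc/nginx/sites-enabled/00-default.conf": "server {\n  listen 443 ssl;\n  server_name omc.fyi www.omc.fyi;\n}\n",
    "/etc/nginx/sites-enabled/00-default-ssl.conf": "server {\n  listen 443 ssl;\n"
        "  server_name omc.fyi www.omc.fyi;\n  include /etc/letsencrypt/options-ssl-nginx.conf;\n"
        "  include /etc/nginx/templates/ssl.tmpl;\n}\n",
    "/etc/letsencrypt/options-ssl-nginx.conf": "ssl_protocols TLSv1.2 TLSv1.3;\n"
        "ssl_prefer_server_ciphers off;\nssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;\n",
    "/etc/nginx/templates/ssl.tmpl": "ssl_protocols TLSv1.2;\n# Fix 'The Logjam Attack'.\n"
        "ssl_ciphers EECDH+AESGCM:EDH+AESGCM;\nssl_prefer_server_ciphers on;\n",
}
SINGLE_VALUED = {"ssl_protocols", "ssl_ciphers", "ssl_prefer_server_ciphers"}  # once per server block

def statements(path, files=FILES):
    """Yield (name, args, kind, path) with includes inlined; kind is ';', '{' or '}'."""
    text = re.sub(r"#[^\n]*", "", files[path])  # assumes no '#' inside quoted values
    for m in re.finditer(r"([^;{}]+)([;{])|(})", text):
        parts = m.group(1).split() if m.group(1) else ["}"]
        if parts[:1] == ["include"] and m.group(2) == ";":  # wildcards are not expanded here
            yield from statements(parts[1], files)
        elif parts:
            yield (parts[0], parts[1:], m.group(2) or "}", path)

def audit(entry="/etc/nginx/nginx.conf", files=FILES):
    """Return (duplicates, conflicts): single-valued directives set from two files in one
    server block, and listen/server_name pairs claimed by more than one server block."""
    servers, depth, open_at = [], 0, None
    for name, args, kind, path in statements(entry, files):
        if kind == "{":
            depth += 1
            if name == "server":  # nested location blocks stay attached to this server
                servers.append(defaultdict(list))
                open_at = depth
        elif kind == "}":
            open_at = None if depth == open_at else open_at  # leaving the server block
            depth -= 1
        elif open_at is not None and name in SINGLE_VALUED:
            servers[-1][name].append(path)  # remember which file set it
        elif open_at is not None and name in ("listen", "server_name"):
            servers[-1][name] += args[:1] if name == "listen" else args  # address:port only
    duplicates = [(d, p) for s in servers for d, p in s.items() if d in SINGLE_VALUED and len(p) > 1]
    claims = defaultdict(set)
    for i, s in enumerate(servers):
        for key in ((a, n) for a in s["listen"] for n in s["server_name"]):
            claims[key].add(i)
    return sorted(duplicates), sorted(k for k, v in claims.items() if len(v) > 1)
```

Running audit() on the constructed files lists ssl_ciphers, ssl_prefer_server_ciphers and ssl_protocols as set by both options-ssl-nginx.conf and ssl.tmpl, and flags omc.fyi and www.omc.fyi on port 443 as claimed by two server blocks; removing the ssl.tmpl include and the second 443 block empties both lists.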
I commented out the "/etc/nginx/templates/ssl.tmpl" line, and as a result omc.fyi and www.omc.fyi now load without a warning and with the correct cert.
Now, however, my mail. subdomain loads with a security error.
If you are trying to access https://mail.omc.fyi/ then you will need to create a vhost config for it and then get a cert that covers that name.
Otherwise, you could try including the roundcube template (/etc/nginx/templates/roundcube.tmpl) in one of the currently working vhost configs.
[Which could then be accessed via https://site.name/mail/]
I updated the "server_name" line in 00-default.conf and 00-default-ssl.conf to include the mail. subdomain: server_name omc.fyi www.omc.fyi mail.omc.fyi;
And now, it all works and the certificates show up correctly.