The config file?
It goes in /etc/nginx/sites-available
and then you use ln -s /etc/nginx/sites-available/yourfile /etc/nginx/sites-enabled/
to enable it.
The webroot?
Just make one: mkdir -p /var/www/certbot
I think I got it now. I actually saw blocks of code similar to this in the directory.
I created the config file with the following and pushed it to the sites-enabled folder
server {
    # default server
    listen 80 default; # make it the default for all HTTP requests IPv4
    listen [::]:80 default; # make it the default for all HTTP requests IPv6
    server_name pumpview.com.ng;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
However, I am getting a 404 error now
yeah, that was on your https site before as well. you have to configure the
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpview.com.ng;
    .... more stuff .....
}
block to serve your website. (NB: this is 443, not 80)
I don't know what I am still missing. The following is my config file but the problem persists.
server { # default server
    listen 80 default; # make it the default for all HTTP requests IPv4
    listen [::]:80 default; # make it the default for all HTTP requests IPv6
    server_name pumpview.com.ng;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
} #server
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpview.com.ng;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
Perhaps the "more stuff" I should add is not to repeat the location segments?
Below are the last three error log entries when I tried to reload nginx
2022/04/01 22:04:08 [crit] 18791#18791: *809 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 35.203.245.184, server: 0.0.0.0:443
2022/04/01 22:09:35 [emerg] 45189#45189: "location" directive is not allowed here in /etc/nginx/sites-enabled/default:8
2022/04/01 22:14:36 [emerg] 45332#45332: no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/default:16
443 should not be that. Only 80.
443 should contain the directives to actually serve the website, not to redirect. Also, you might want to run certbot install
Okay thanks, I will look for the correct lines of code.
The correct lines are the ones you had in the port 80 before, plus the certbot install ones.
Below is what was in the old config file. Do I change "root /var/www/html/vue/app/dist;" with "root /var/www/certbot;"?
root /var/www/html/vue/app/dist;
index index.nginx-debian.html index.html index.htm;
server_name pumpview.com.ng;
location / {
    try_files $uri $uri/ =404;
}
No. You want the root for the website, not the one you'll use for Certbot.
It should become something like
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpview.com.ng;
    root /var/www/html/vue/app/dist;
    index index.nginx-debian.html index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
    ssl_certificate ... ;
    ssl_certificate_key ... ;
    include ... ssl options etc etc ... ;
}
Thank you very much for this... as you might guess from my questions, I am new to all these but trying to put some effort. For the final three lines, I suppose I have to find the corresponding values and replace the three dots with them?
The final three lines are the lines that Certbot will write by itself when you run certbot install.
Anyway it's /etc/letsencrypt/live/CERTNAME/fullchain.pem and privkey.pem -- the include refers to another file in /etc/letsencrypt, but that one you can replace with ssl-config.mozilla.org
Ah okay good. Thanks again.
I ran certbot install but I got an error. I am looking to see if I can find the bug in the code.
My code:
server { # default server
    listen 80 default; # make it the default for all HTTP requests IPv4
    listen [::]:80 default; # make it the default for all HTTP requests IPv6
    server_name pumpview.com.ng;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
} #server
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpview.com.ng;
    root /var/www/html/vue/app/dist;
    index index.nginx-debian.html index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
    ssl_certificate ... ;
    ssl_certificate_key ... ;
    include ... ssl options etc etc ... ;
}
The error
root@pumpview:~# certbot install
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] invalid number of arguments in "include" directive in /etc/nginx/sites-enabled/default:30
nginx: configuration file /etc/nginx/nginx.conf test failed
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
I think I shouldn't include
ssl_certificate ... ;
ssl_certificate_key ... ;
include ... ssl options etc etc ... ;
??
Ok, run certbot certificates: it will tell you where the fullchain.pem file is. The privkey.pem is in the same directory.
For the include, there should be a .conf file in /etc/letsencrypt, referring to nginx: include that.
You should get something like
ssl_certificate /etc/letsencrypt/live/CERTNAME/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/CERTNAME/privkey.pem;
include /etc/letsencrypt/SOMETHING.conf;
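The three errors in this thread (a "location" outside any server block, a "listen ... ssl" block with no ssl_certificate, and an include whose "..." placeholder was left in) all surface only when nginx -t runs. The script below is an added example, not code from the thread, Certbot or nginx: a minimal nginx-config parser plus checks for exactly those mistakes, run over two constructed sample configs (the first 443 block posted above, and the shape the thread ends up with). example.invalid is a constructed host name; CERTNAME and SOMETHING.conf are the thread's own placeholders for what certbot certificates and /etc/letsencrypt show.

```python
"""Lint an nginx site config for the mistakes seen in this thread (added example,
not code from the thread, Certbot or nginx). Minimal parser: directives end with
';', blocks use '{ }', '#' starts a comment. Both samples are constructed."""
import re

# Constructed: the first 443 block from the thread (redirects instead of serving,
# no certificate), a stray location, and "..." placeholders left in place.
BROKEN = """
server {
    listen 443 ssl;
    server_name example.invalid;
    location / { return 301 https://$host$request_uri; }
}
location /stray/ { }
server {
    listen 443 ssl;
    ssl_certificate ... ;
    ssl_certificate_key ... ;
    include ... ssl options etc etc ... ;
}
"""

# Constructed: the shape the thread arrives at (CERTNAME/SOMETHING.conf are placeholders).
FIXED = """
server {
    listen 80 default;
    server_name example.invalid;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    server_name example.invalid;
    root /var/www/html/vue/app/dist;
    location / { try_files $uri $uri/ =404; }
    ssl_certificate /etc/letsencrypt/live/CERTNAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/CERTNAME/privkey.pem;
    include /etc/letsencrypt/SOMETHING.conf;
}
"""

def tokenize(text):
    """Strip '#' comments, then split into words and the '{', '}', ';' tokens."""
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

def parse(tokens, i=0):
    """Return (nodes, next_index); a node is (name, args, children_or_None)."""
    nodes = []
    while i < len(tokens):
        if tokens[i] == "}":
            return nodes, i + 1
        words = []
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            words.append(tokens[i])
            i += 1
        if i == len(tokens) or not words:
            raise ValueError("unterminated or empty directive")
        if tokens[i] == ";":
            nodes.append((words[0], words[1:], None))
            i += 1
        else:
            children, i = parse(tokens, i + 1)
            nodes.append((words[0], words[1:], children))
    return nodes, i

def check_server(body, findings):
    """A 'listen ... ssl' block must name its certificate and must serve, not redirect."""
    names = [n for n, _, _ in body]
    if not any(n == "listen" and "ssl" in a for n, a, _ in body):
        return  # plain HTTP block: redirecting to https is exactly what it should do
    for needed in ("ssl_certificate", "ssl_certificate_key"):
        if needed not in names:
            findings.append(("missing-" + needed, f'no "{needed}" is defined for the "listen ... ssl" directive'))
    for n, _, children in body:
        if n != "location":
            continue
        for cn, ca, _ in children or []:
            if cn == "return" and any(x.startswith("https://") for x in ca):
                findings.append(("https-redirect-loop", "TLS block redirects to https:// instead of serving the site"))

def lint(text):
    """Return a list of (code, message) findings for one config file."""
    findings = []

    def walk(nodes, context):
        for name, args, children in nodes:
            if name == "location" and "server" not in context:
                findings.append(("location-outside-server", '"location" directive is not allowed here'))
            if name == "server":
                check_server(children or [], findings)
            if name == "include" and len(args) != 1:
                findings.append(("include-args", f'invalid number of arguments in "include" directive ({len(args)})'))
            if "..." in args:
                findings.append(("placeholder", f'placeholder "..." left in "{name}" directive'))
            if children is not None:
                walk(children, context + [name])

    walk(parse(tokenize(text))[0], [])
    return findings

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or "clean")
```

Running it prints eight findings for the broken sample and "clean" for the fixed one. It is a pre-check only: nginx -t remains the authority, and the script deliberately does not verify that the certificate files exist, which is what certbot certificates is for.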
Yeah I got them, I am replacing the file again. If I add the SSL certificate information then no need to do certbot install again I guess?
Exactly.
In future, you might want to replace that include with a more specific config (that depends on you: do you want to support older clients or just the safest clients? the defaults are very "west-centric")
Seems I can only choose one "Solution" even though I think about 4 posts together make up the solution.