Don't see the name of my website in the list (my site should be www.pumpview.com.ng, not app.pumpview.com.ng)

The config file?

It goes in /etc/nginx/sites-available and then you use ln -s /etc/nginx/sites-available/yourfile /etc/nginx/sites-enabled/ to enable it.

The webroot?

Just make one: mkdir -p /var/www/certbot

3 Likes

I think I got it now. I actually saw blocks of code similar to this in the directory.

I created the config file with the following and pushed it to the sites-enabled folder

server {
    # default server
    listen 80 default;      # make it the default for all HTTP requests IPv4
    listen [::]:80 default; # make it the default for all HTTP requests IPv6
    server_name pumpview.com.ng;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

However, I am getting a 404 error now

Yeah, that was on your HTTPS site before as well. You have to configure the

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpview.com.ng;

  .... more stuff .....
}

block to serve your website. (NB: this is 443, not 80)

4 Likes

I don't know what I am still missing. The following is my config file but the problem persists.


server { # default server
    listen 80 default;      # make it the default for all HTTP requests IPv4
    listen [::]:80 default; # make it the default for all HTTP requests IPv6
    server_name pumpview.com.ng;


    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
} #server

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpview.com.ng;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }

}

Perhaps the "more stuff" I should add is not to repeat the location segments?

Below are the last three error log entries when I tried to reload nginx

2022/04/01 22:04:08 [crit] 18791#18791: *809 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 35.203.245.184, server: 0.0.0.0:443
2022/04/01 22:09:35 [emerg] 45189#45189: "location" directive is not allowed here in /etc/nginx/sites-enabled/default:8
2022/04/01 22:14:36 [emerg] 45332#45332: no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/default:16

443 should not be that. Only 80.

443 should contain the directives to actually serve the website, not to redirect. Also, you might want to run certbot install

3 Likes

Okay thanks, I will look for the correct lines of code.

2 Likes

The correct lines are the ones you had in the port 80 before, plus the certbot install ones.

3 Likes

Below is what was in the old config file. Do I change "root /var/www/html/vue/app/dist;" with "root /var/www/certbot;"?

root /var/www/html/vue/app/dist;
index index.nginx-debian.html index.html index.htm;

server_name pumpview.com.ng;

location / {
    try_files $uri $uri/ =404;
}

No. You want the root for the website, not the one you'll use for Certbot.

It should become something like

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpview.com.ng;

    root /var/www/html/vue/app/dist;
    index index.nginx-debian.html index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    ssl_certificate ... ;
    ssl_certificate_key ... ;
    include ... ssl options etc etc ... ;
}

2 Likes

Thank you very much for this... as you might guess from my questions, I am new to all this but trying to put in some effort. For the final three lines, I suppose I have to find the corresponding values and replace the three dots with them?

2 Likes

The final three lines are the lines that Certbot will write by itself when you run certbot install :wink:

Anyway it's /etc/letsencrypt/live/CERTNAME/fullchain.pem and privkey.pem -- the include refers to another file in /etc/letsencrypt, but that one you can replace with ssl-config.mozilla.org

3 Likes

Ah okay good. Thanks again.

3 Likes

I ran certbot install but I got an error. I am looking to see if I can find the bug in the code.

My code:


server { # default server
    listen 80 default;      # make it the default for all HTTP requests IPv4
    listen [::]:80 default; # make it the default for all HTTP requests IPv6
    server_name pumpview.com.ng;


    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
} #server

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpview.com.ng;

    root /var/www/html/vue/app/dist;
    index index.nginx-debian.html index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    ssl_certificate ... ;
    ssl_certificate_key ... ;
    include ... ssl options etc etc ... ;
}

The error

root@pumpview:~# certbot install
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] invalid number of arguments in "include" directive in /etc/nginx/sites-enabled/default:30
nginx: configuration file /etc/nginx/nginx.conf test failed

Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

1 Like

I think I shouldn't include

ssl_certificate ... ;
ssl_certificate_key ... ;
include ... ssl options etc etc ... ;

??

1 Like

Ok, run certbot certificates: it will tell you where the fullchain.pem file is. The privkey.pem is in the same directory.

For the include, there should be a .conf file in /etc/letsencrypt, referring to nginx: include that.

You should get something like

ssl_certificate /etc/letsencrypt/live/CERTNAME/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/CERTNAME/privkey.pem;
include /etc/letsencrypt/SOMETHING.conf;

2 Likes

Yeah I got them, I am replacing the file again. If I add the SSL certificate information then no need to do certbot install again I guess?

1 Like

Exactly.

In future, you might want to replace that include with a more specific config (that depends on you: do you want to support older clients or just the safest clients? the defaults are very "west-centric")

3 Likes

Thank you so so much bud. Now everything is working :smile:

3 Likes

Seems I can only choose one "Solution" even though I think about 4 posts together make up the solution.

2 Likes
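
A small pre-flight check for the mistakes that came up in this thread: a location outside any server block, a TLS server block with missing certificate directives or "..." placeholders left in, and a port 443 block that redirects to https instead of serving the site. This is an added example, not code from any poster, from Certbot or from nginx; the parse and lint functions and the sample config are constructed here, and the parser only handles the simple syntax seen in this thread.

```python
import re
# Constructed sample modelled on the configs posted in the thread.
SAMPLE = """
server {
    listen 443 ssl;   # TLS block that only redirects and keeps placeholders
    location / { return 301 https://$host$request_uri; }
    ssl_certificate ... ;
    include ... ssl options etc etc ... ;
}
"""

def parse(text):
    """Return a list of (name, args, children); children is None for simple directives."""
    toks = re.findall(r'[{};]|[^\s{};]+', re.sub(r'#.*', '', text))
    def block(i):
        items, words = [], []
        while i < len(toks):
            t, i = toks[i], i + 1
            if t == '}':
                return items, i
            if t in (';', '{'):
                kids, i = block(i) if t == '{' else (None, i)
                if words:
                    items.append((words[0], words[1:], kids))
                words = []
            else:
                words.append(t)
        return items, i
    return block(0)[0]

def lint(text):
    """Check each file-level block of a sites-enabled file for the thread's mistakes."""
    out = []
    for name, args, kids in parse(text):
        if name == 'location':
            out.append('location outside server block')
        if name != 'server' or kids is None:
            continue
        if not any(n == 'listen' and 'ssl' in a for n, a, _ in kids):
            continue  # plain HTTP block: redirecting to https here is correct
        out += [f'missing {k}' for k in ('ssl_certificate', 'ssl_certificate_key')
                if k not in [n for n, _, _ in kids]]
        for n, a, sub in kids:
            if '...' in a or (n == 'include' and len(a) != 1):
                out.append(f'placeholder or bad arguments in {n}')
            if n == 'location' and a == ['/'] and any(
                    d == 'return' and v and v[-1].startswith('https://') for d, v, _ in sub or []):
                out.append('TLS block redirects to https instead of serving the site')
    return out
```

Calling lint(SAMPLE) returns the list of findings; nginx -t remains the authoritative test of the real file.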