Error 404 after installing certbot via snapd

dj_h · June 12, 2021, 11:07am

My domain is:www.davidjhindley.com

I ran this command: See below.

It produced this output: See below.

My web server is (include version): 1.10.3-0ubuntu0.16.04.5

The operating system my web server runs on is (include version): Ubuntu 16.04.7

My hosting provider, if applicable, is:Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.16.0

I recently tried to use "certbot-auto renew" to renew my certificates and got a message telling me certbot auto would no longer work, so I followed the instructions to install certbot via snapd. The new certificates installed correctly, but I now can't load my website. I think it is something to do with my nginx configuration file. I was getting too many redirects, so I removed the return 301 command under the https server part of my "default" file at \etc\nginx\sites-available, and that removed the redirect errors, but I now just get Error 404 not found errors. When I originally installed certbot a few years ago, I think I manually changed some of the nginx configuration file called \etc\nginx\sites-available\default so maybe the changes made automatically when I updated certbot via snapd are conflicting in some way with those manual changes. The current file called "default" stored in \etc\nginx\sites-available\ is shown below.

Any help you can give would be much appreciated.

Many Thanks

David.
#########################################

server {
server_name davidjhindley.com www.davidjhindley.com;
###next bit removed 12 June 2021 after installing new certbot via snapd as was getting too many redirects
# return 301 https://$server_name$request_uri;

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/davidjhindley.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/davidjhindley.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
# SSL configuration
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include snippets/ssl-davidjhindley.com.conf;
include snippets/ssl-params.conf;
# include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }

    location /shiny/ {
    proxy_pass http://127.0.0.1:3838/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    rewrite ^(/shiny/[^/]+)$ $1/ permanent;
    }
    #next bit added by DH 24 Mar 17 - means can use <<webaddress\rstudio\>>
    location /rstudio/ {
    proxy_pass http://127.0.0.1:8787/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    }
    #added 24 March for let's encrypt/certbot stuff
    location ~ /.well-known {
    allow all;
    }

}

server {
if ($host = www.davidjhindley.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

if ($host = davidjhindley.com) {
    return 301 https://$host$request_uri;
} # managed by Certbot


    listen 80 default_server;
    listen [::]:80 default_server;
    server_name davidjhindley.com www.davidjhindley.com;

return 404; # managed by Certbot
}

griffin · June 12, 2021, 5:28pm

Welcome Back to the Let's Encrypt Community, David

Let's see what we can do to get your nginx configuration cleaned up. Some of what I'm going to ask for might seem redundant, but I need it formatted using the backticks as mentioned at the bottom of this post.

What are the outputs of these commands?

sudo certbot certificates
sudo ls -lRa /etc/letsencrypt
sudo nginx -T
sudo ls -lRa /etc/nginx/sites-available
sudo ls -lRa /etc/nginx/sites-enabled
sudo cat /etc/nginx/sites-enabled/default

Please put 3 backticks above and below each output, like this:

```
output
```

rg305 · June 12, 2021, 9:57pm

The default server config has:

The config for your site has only:

Where is the document root?
[without which it won't know exactly what to serve when matched]

dj_h · June 13, 2021, 10:14am

Thanks for your reply. Here is the requested output (first two to start with - rest in further posts, as was getting formatting issues, so am breaking it up into different posts).

sudo certbot certificates

Found the following certs:
  Certificate Name: davidjhindley.com
    Serial Number: 4cf26f8e7c828e3886cae5e37ffc46b8226
    Key Type: RSA
    Domains: davidjhindley.com www.davidjhindley.com
    Expiry Date: 2021-09-10 08:29:44+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/davidjhindley.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/davidjhindley.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

sudo ls -lRa /etc/letsencrypt

total 52
drwxr-xr-x   9 root root 4096 Jun 13 11:03 .
drwxr-xr-x 112 root root 4096 Jun 12 10:03 ..
drwx------   6 root root 4096 Jun 12 10:31 accounts
drwx------   3 root root 4096 Mar 24  2017 archive
drwxr-xr-x   2 root root 4096 Jun 12 10:29 csr
drwx------   2 root root 4096 Jun 12 10:29 keys
drwx------   3 root root 4096 Mar 24  2017 live
-rw-r--r--   1 root root  688 Jun 12 10:28 options-ssl-nginx.conf
drwxr-xr-x   2 root root 4096 Jun 12 10:29 renewal
drwxr-xr-x   5 root root 4096 Nov 29  2017 renewal-hooks
-rw-r--r--   1 root root  424 Jun 12 10:28 ssl-dhparams.pem
-rw-r--r--   1 root root   64 Jun 12 10:28 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r--   1 root root   64 Jun 12 10:28 .updated-ssl-dhparams-pem-digest.txt

/etc/letsencrypt/accounts:
total 24
drwx------ 6 root root 4096 Jun 12 10:31 .
drwxr-xr-x 9 root root 4096 Jun 13 11:03 ..
drwx------ 3 root root 4096 Mar 26  2017 acme-staging.api.letsencrypt.org
drwx------ 2 root root 4096 Jun 12 10:31 acme-staging-v02.api.letsencrypt.org
drwx------ 3 root root 4096 Mar 24  2017 acme-v01.api.letsencrypt.org
drwx------ 2 root root 4096 Jul 21  2018 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Mar 26  2017 .
drwx------ 6 root root 4096 Jun 12 10:31 ..
drwx------ 3 root root 4096 Mar 26  2017 directory

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Mar 26  2017 .
drwx------ 3 root root 4096 Mar 26  2017 ..
drwx------ 2 root root 4096 Mar 26  2017 c8651c8ed995b66515214d24a8b68559

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/c8651c8ed995b66515214d24a8b68559:
total 20
drwx------ 2 root root 4096 Mar 26  2017 .
drwx------ 3 root root 4096 Mar 26  2017 ..
-rw-r--r-- 1 root root   82 Mar 26  2017 meta.json
-r-------- 1 root root 1632 Mar 26  2017 private_key.json
-rw-r--r-- 1 root root  711 Mar 26  2017 regr.json

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org:
total 12
drwx------ 2 root root 4096 Jun 12 10:31 .
drwx------ 6 root root 4096 Jun 12 10:31 ..
lrwxrwxrwx 1 root root   68 Jun 12 10:31 directory -> /etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Mar 24  2017 .
drwx------ 6 root root 4096 Jun 12 10:31 ..
drwx------ 3 root root 4096 Mar 24  2017 directory

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Mar 24  2017 .
drwx------ 3 root root 4096 Mar 24  2017 ..
drwx------ 2 root root 4096 Mar 24  2017 d6ac227ded6db906124fb68f8d0c99f7

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/d6ac227ded6db906124fb68f8d0c99f7:
total 20
drwx------ 2 root root 4096 Mar 24  2017 .
drwx------ 3 root root 4096 Mar 24  2017 ..
-rw-r--r-- 1 root root   82 Mar 24  2017 meta.json
-r-------- 1 root root 1632 Mar 24  2017 private_key.json
-rw-r--r-- 1 root root  750 Mar 24  2017 regr.json

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------ 2 root root 4096 Jul 21  2018 .
drwx------ 6 root root 4096 Jun 12 10:31 ..
lrwxrwxrwx 1 root root   64 Jul 21  2018 directory -> /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory

/etc/letsencrypt/archive:
total 12
drwx------ 3 root root 4096 Mar 24  2017 .
drwxr-xr-x 9 root root 4096 Jun 13 11:03 ..
drwxr-xr-x 2 root root 4096 Jun 12 10:29 davidjhindley.com

/etc/letsencrypt/archive/davidjhindley.com:
total 368
drwxr-xr-x 2 root root 4096 Jun 12 10:29 .
drwx------ 3 root root 4096 Mar 24  2017 ..
-rw-r--r-- 1 root root 1948 Mar  3  2019 cert10.pem
-rw-r--r-- 1 root root 1944 May 14  2019 cert11.pem
-rw-r--r-- 1 root root 1948 Jul 28  2019 cert12.pem
-rw-r--r-- 1 root root 1948 Oct  8  2019 cert13.pem
-rw-r--r-- 1 root root 1948 Dec 28  2019 cert14.pem
-rw-r--r-- 1 root root 1948 Mar  8  2020 cert15.pem
-rw-r--r-- 1 root root 1948 May 22  2020 cert16.pem
-rw-r--r-- 1 root root 1948 Aug 10  2020 cert17.pem
-rw-r--r-- 1 root root 1948 Oct 24  2020 cert18.pem
-rw-r--r-- 1 root root 1883 Jan  5 18:24 cert19.pem
-rw-r--r-- 1 root root 1834 Mar 24  2017 cert1.pem
-rw-r--r-- 1 root root 1879 Mar 19 15:35 cert20.pem
-rw-r--r-- 1 root root 1879 Jun 12 10:04 cert21.pem
-rw-r--r-- 1 root root 1879 Jun 12 10:29 cert22.pem
-rw-r--r-- 1 root root 1834 Jun  5  2017 cert2.pem
-rw-r--r-- 1 root root 1834 Sep  3  2017 cert3.pem
-rw-r--r-- 1 root root 1834 Nov 29  2017 cert4.pem
-rw-r--r-- 1 root root 1834 Feb  8  2018 cert5.pem
-rw-r--r-- 1 root root 2187 Apr 29  2018 cert6.pem
-rw-r--r-- 1 root root 2187 Jul 21  2018 cert7.pem
-rw-r--r-- 1 root root 2191 Oct 11  2018 cert8.pem
-rw-r--r-- 1 root root 1948 Dec 22  2018 cert9.pem
-rw-r--r-- 1 root root 1647 Mar  3  2019 chain10.pem
-rw-r--r-- 1 root root 1647 May 14  2019 chain11.pem
-rw-r--r-- 1 root root 1647 Jul 28  2019 chain12.pem
-rw-r--r-- 1 root root 1647 Oct  8  2019 chain13.pem
-rw-r--r-- 1 root root 1647 Dec 28  2019 chain14.pem
-rw-r--r-- 1 root root 1647 Mar  8  2020 chain15.pem
-rw-r--r-- 1 root root 1647 May 22  2020 chain16.pem
-rw-r--r-- 1 root root 1647 Aug 10  2020 chain17.pem
-rw-r--r-- 1 root root 1647 Oct 24  2020 chain18.pem
-rw-r--r-- 1 root root 1586 Jan  5 18:24 chain19.pem
-rw-r--r-- 1 root root 1647 Mar 24  2017 chain1.pem
-rw-r--r-- 1 root root 1586 Mar 19 15:35 chain20.pem
-rw-r--r-- 1 root root 3749 Jun 12 10:04 chain21.pem
-rw-r--r-- 1 root root 3749 Jun 12 10:29 chain22.pem
-rw-r--r-- 1 root root 1647 Jun  5  2017 chain2.pem
-rw-r--r-- 1 root root 1647 Sep  3  2017 chain3.pem
-rw-r--r-- 1 root root 1647 Nov 29  2017 chain4.pem
-rw-r--r-- 1 root root 1647 Feb  8  2018 chain5.pem
-rw-r--r-- 1 root root 1647 Apr 29  2018 chain6.pem
-rw-r--r-- 1 root root 1647 Jul 21  2018 chain7.pem
-rw-r--r-- 1 root root 1647 Oct 11  2018 chain8.pem
-rw-r--r-- 1 root root 1647 Dec 22  2018 chain9.pem
-rw-r--r-- 1 root root 3595 Mar  3  2019 fullchain10.pem
-rw-r--r-- 1 root root 3591 May 14  2019 fullchain11.pem
-rw-r--r-- 1 root root 3595 Jul 28  2019 fullchain12.pem
-rw-r--r-- 1 root root 3595 Oct  8  2019 fullchain13.pem
-rw-r--r-- 1 root root 3595 Dec 28  2019 fullchain14.pem
-rw-r--r-- 1 root root 3595 Mar  8  2020 fullchain15.pem
-rw-r--r-- 1 root root 3595 May 22  2020 fullchain16.pem
-rw-r--r-- 1 root root 3595 Aug 10  2020 fullchain17.pem
-rw-r--r-- 1 root root 3595 Oct 24  2020 fullchain18.pem
-rw-r--r-- 1 root root 3469 Jan  5 18:24 fullchain19.pem
-rw-r--r-- 1 root root 3481 Mar 24  2017 fullchain1.pem
-rw-r--r-- 1 root root 3465 Mar 19 15:35 fullchain20.pem
-rw-r--r-- 1 root root 5628 Jun 12 10:04 fullchain21.pem
-rw-r--r-- 1 root root 5628 Jun 12 10:29 fullchain22.pem
-rw-r--r-- 1 root root 3481 Jun  5  2017 fullchain2.pem
-rw-r--r-- 1 root root 3481 Sep  3  2017 fullchain3.pem
-rw-r--r-- 1 root root 3481 Nov 29  2017 fullchain4.pem
-rw-r--r-- 1 root root 3481 Feb  8  2018 fullchain5.pem
-rw-r--r-- 1 root root 3834 Apr 29  2018 fullchain6.pem
-rw-r--r-- 1 root root 3834 Jul 21  2018 fullchain7.pem
-rw-r--r-- 1 root root 3838 Oct 11  2018 fullchain8.pem
-rw-r--r-- 1 root root 3595 Dec 22  2018 fullchain9.pem
-rw-r--r-- 1 root root 1704 Mar  3  2019 privkey10.pem
-rw-r--r-- 1 root root 1704 May 14  2019 privkey11.pem
-rw-r--r-- 1 root root 1708 Jul 28  2019 privkey12.pem
-rw-r--r-- 1 root root 1704 Oct  8  2019 privkey13.pem
-rw-r--r-- 1 root root 1704 Dec 28  2019 privkey14.pem
-rw-r--r-- 1 root root 1704 Mar  8  2020 privkey15.pem
-rw-r--r-- 1 root root 1704 May 22  2020 privkey16.pem
-rw-r--r-- 1 root root 1708 Aug 10  2020 privkey17.pem
-rw-r--r-- 1 root root 1704 Oct 24  2020 privkey18.pem
-rw-r--r-- 1 root root 1704 Jan  5 18:24 privkey19.pem
-rw-r--r-- 1 root root 1704 Mar 24  2017 privkey1.pem
-rw-r--r-- 1 root root 1704 Mar 19 15:35 privkey20.pem
-rw-r--r-- 1 root root 1704 Jun 12 10:04 privkey21.pem
-rw-r--r-- 1 root root 1704 Jun 12 10:29 privkey22.pem
-rw-r--r-- 1 root root 1704 Jun  5  2017 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep  3  2017 privkey3.pem
-rw-r--r-- 1 root root 1708 Nov 29  2017 privkey4.pem
-rw-r--r-- 1 root root 1708 Feb  8  2018 privkey5.pem
-rw-r--r-- 1 root root 1708 Apr 29  2018 privkey6.pem
-rw-r--r-- 1 root root 1704 Jul 21  2018 privkey7.pem
-rw-r--r-- 1 root root 1708 Oct 11  2018 privkey8.pem
-rw-r--r-- 1 root root 1704 Dec 22  2018 privkey9.pem

/etc/letsencrypt/csr:
total 100
drwxr-xr-x 2 root root 4096 Jun 12 10:29 .
drwxr-xr-x 9 root root 4096 Jun 13 11:03 ..
-rw-r--r-- 1 root root  997 Mar 24  2017 0000_csr-certbot.pem
-rw-r--r-- 1 root root  997 Mar 26  2017 0001_csr-certbot.pem
-rw-r--r-- 1 root root  960 Jun  5  2017 0002_csr-certbot.pem
-rw-r--r-- 1 root root  960 Sep  3  2017 0003_csr-certbot.pem
-rw-r--r-- 1 root root  960 Nov 29  2017 0004_csr-certbot.pem
-rw-r--r-- 1 root root  960 Feb  8  2018 0005_csr-certbot.pem
-rw-r--r-- 1 root root  960 Apr 29  2018 0006_csr-certbot.pem
-rw-r--r-- 1 root root  960 Jul 21  2018 0007_csr-certbot.pem
-rw-r--r-- 1 root root  960 Oct 11  2018 0008_csr-certbot.pem
-rw-r--r-- 1 root root  960 Dec 22  2018 0009_csr-certbot.pem
-rw-r--r-- 1 root root  960 Mar  3  2019 0010_csr-certbot.pem
-rw-r--r-- 1 root root  960 May 14  2019 0011_csr-certbot.pem
-rw-r--r-- 1 root root  960 Jul 28  2019 0012_csr-certbot.pem
-rw-r--r-- 1 root root  960 Oct  8  2019 0013_csr-certbot.pem
-rw-r--r-- 1 root root  960 Dec 28  2019 0014_csr-certbot.pem
-rw-r--r-- 1 root root  960 Mar  8  2020 0015_csr-certbot.pem
-rw-r--r-- 1 root root  960 May 22  2020 0016_csr-certbot.pem
-rw-r--r-- 1 root root  960 Aug 10  2020 0017_csr-certbot.pem
-rw-r--r-- 1 root root  960 Oct 24  2020 0018_csr-certbot.pem
-rw-r--r-- 1 root root  960 Jan  5 18:24 0019_csr-certbot.pem
-rw-r--r-- 1 root root  960 Mar 19 15:35 0020_csr-certbot.pem
-rw-r--r-- 1 root root  960 Jun 12 10:03 0021_csr-certbot.pem
-rw-r--r-- 1 root root  960 Jun 12 10:29 0022_csr-certbot.pem

/etc/letsencrypt/keys:
total 100
drwx------ 2 root root 4096 Jun 12 10:29 .
drwxr-xr-x 9 root root 4096 Jun 13 11:03 ..
-rw------- 1 root root 1704 Mar 24  2017 0000_key-certbot.pem
-rw------- 1 root root 1704 Mar 26  2017 0001_key-certbot.pem
-rw------- 1 root root 1704 Jun  5  2017 0002_key-certbot.pem
-rw------- 1 root root 1704 Sep  3  2017 0003_key-certbot.pem
-rw------- 1 root root 1708 Nov 29  2017 0004_key-certbot.pem
-rw------- 1 root root 1708 Feb  8  2018 0005_key-certbot.pem
-rw------- 1 root root 1708 Apr 29  2018 0006_key-certbot.pem
-rw------- 1 root root 1704 Jul 21  2018 0007_key-certbot.pem
-rw------- 1 root root 1708 Oct 11  2018 0008_key-certbot.pem
-rw------- 1 root root 1704 Dec 22  2018 0009_key-certbot.pem
-rw------- 1 root root 1704 Mar  3  2019 0010_key-certbot.pem
-rw------- 1 root root 1704 May 14  2019 0011_key-certbot.pem
-rw------- 1 root root 1708 Jul 28  2019 0012_key-certbot.pem
-rw------- 1 root root 1704 Oct  8  2019 0013_key-certbot.pem
-rw------- 1 root root 1704 Dec 28  2019 0014_key-certbot.pem
-rw------- 1 root root 1704 Mar  8  2020 0015_key-certbot.pem
-rw------- 1 root root 1704 May 22  2020 0016_key-certbot.pem
-rw------- 1 root root 1708 Aug 10  2020 0017_key-certbot.pem
-rw------- 1 root root 1704 Oct 24  2020 0018_key-certbot.pem
-rw------- 1 root root 1704 Jan  5 18:24 0019_key-certbot.pem
-rw------- 1 root root 1704 Mar 19 15:35 0020_key-certbot.pem
-rw------- 1 root root 1704 Jun 12 10:03 0021_key-certbot.pem
-rw------- 1 root root 1704 Jun 12 10:29 0022_key-certbot.pem

/etc/letsencrypt/live:
total 12
drwx------ 3 root root 4096 Mar 24  2017 .
drwxr-xr-x 9 root root 4096 Jun 13 11:03 ..
drwxr-xr-x 2 root root 4096 Jun 12 10:29 davidjhindley.com

/etc/letsencrypt/live/davidjhindley.com:
total 12
drwxr-xr-x 2 root root 4096 Jun 12 10:29 .
drwx------ 3 root root 4096 Mar 24  2017 ..
lrwxrwxrwx 1 root root   42 Jun 12 10:29 cert.pem -> ../../archive/davidjhindley.com/cert22.pem
lrwxrwxrwx 1 root root   43 Jun 12 10:29 chain.pem -> ../../archive/davidjhindley.com/chain22.pem
lrwxrwxrwx 1 root root   47 Jun 12 10:29 fullchain.pem -> ../../archive/davidjhindley.com/fullchain22.pem
lrwxrwxrwx 1 root root   45 Jun 12 10:29 privkey.pem -> ../../archive/davidjhindley.com/privkey22.pem
-rw-r--r-- 1 root root  543 Mar 24  2017 README

/etc/letsencrypt/renewal:
total 12
drwxr-xr-x 2 root root 4096 Jun 12 10:29 .
drwxr-xr-x 9 root root 4096 Jun 13 11:03 ..
-rw-r--r-- 1 root root  542 Jun 12 10:29 davidjhindley.com.conf

/etc/letsencrypt/renewal-hooks:
total 20
drwxr-xr-x 5 root root 4096 Nov 29  2017 .
drwxr-xr-x 9 root root 4096 Jun 13 11:03 ..
drwxr-xr-x 2 root root 4096 Nov 29  2017 deploy
drwxr-xr-x 2 root root 4096 Nov 29  2017 post
drwxr-xr-x 2 root root 4096 Nov 29  2017 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 8
drwxr-xr-x 2 root root 4096 Nov 29  2017 .
drwxr-xr-x 5 root root 4096 Nov 29  2017 ..

/etc/letsencrypt/renewal-hooks/post:
total 8
drwxr-xr-x 2 root root 4096 Nov 29  2017 .
drwxr-xr-x 5 root root 4096 Nov 29  2017 ..

/etc/letsencrypt/renewal-hooks/pre:
total 8
drwxr-xr-x 2 root root 4096 Nov 29  2017 .
drwxr-xr-x 5 root root 4096 Nov 29  2017 ..

dj_h · June 13, 2021, 10:18am

and the remainder:
sudo nginx -T

nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
# changed by DH 24 March 17 as per DO let's encrypt instructions. default.bak has previous settings if all
#goes wrong
server {
        server_name davidjhindley.com www.davidjhindley.com;
      ###next bit removed 12 June after installing new certbot via snapd as was getting too many redirects
      # return 301 https://$server_name$request_uri;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/davidjhindley.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/davidjhindley.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
        # SSL configuration
        server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        include snippets/ssl-davidjhindley.com.conf;
        include snippets/ssl-params.conf;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        location /shiny/ {
        proxy_pass http://127.0.0.1:3838/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        rewrite ^(/shiny/[^/]+)$ $1/ permanent;
        }
        #next bit added by DH 24 Mar 17 - means can use <<webaddress\rstudio\>>
        location /rstudio/ {
        proxy_pass http://127.0.0.1:8787/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
        #added 24 March for let's encrypt/certbot stuff
        location ~ /.well-known {
        allow all;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php7.0-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php7.0-fpm:
        #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

server {
    if ($host = www.davidjhindley.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = davidjhindley.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 default_server;
        listen [::]:80 default_server;
        server_name davidjhindley.com www.davidjhindley.com;
    return 404; # managed by Certbot




}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/snippets/ssl-davidjhindley.com.conf:
ssl_certificate /etc/letsencrypt/live/davidjhindley.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/davidjhindley.com/privkey.pem;

# configuration file /etc/nginx/snippets/ssl-params.conf:
#this file copied from Cipherli.st on 24 Mar 17 by DH
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
#changed the bit after resolver as per DO let's encrypt instructions. Careful that 8. are in two blocks
resolver 8.8.8.8 8.8.4.4  valid=300s;
resolver_timeout 5s;
#DH 24 March. I have disabled preloading HSTS for now as per DO let's encrpyt guide
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
#next line added as per DO let's encrypt instructions
ssl_dhparam /etc/ssl/certs/dhparam.pem;

sudo ls -lRa /etc/nginx/sites-available

total 20
drwxr-xr-x 2 root root 4096 Jun 12 15:40 .
drwxr-xr-x 6 root root 4096 Jun 12 15:49 ..
-rw-r--r-- 1 root root 3996 Jun 12 15:34 default
-rw-r--r-- 1 root root 2739 Mar 24  2017 default.bak
-rw-r--r-- 1 root root 3982 Jun 12 15:13 default.new

sudo ls -lRa /etc/nginx/sites-enabled

total 8
drwxr-xr-x 2 root root 4096 Jun 12 15:09 .
drwxr-xr-x 6 root root 4096 Jun 12 15:49 ..
lrwxrwxrwx 1 root root   34 Mar 11  2017 default -> /etc/nginx/sites-available/default

sudo cat /etc/nginx/sites-enabled/default

# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
# changed by DH 24 March 17 as per DO let's encrypt instructions. default.bak has previous settings if all
#goes wrong
server {
        server_name davidjhindley.com www.davidjhindley.com;
      ###next bit removed 12 June after installing new certbot via snapd as was getting too many redirects
      # return 301 https://$server_name$request_uri;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/davidjhindley.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/davidjhindley.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
        # SSL configuration
        server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        include snippets/ssl-davidjhindley.com.conf;
        include snippets/ssl-params.conf;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        location /shiny/ {
        proxy_pass http://127.0.0.1:3838/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        rewrite ^(/shiny/[^/]+)$ $1/ permanent;
        }
        #next bit added by DH 24 Mar 17 - means can use <<webaddress\rstudio\>>
        location /rstudio/ {
        proxy_pass http://127.0.0.1:8787/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
        #added 24 March for let's encrypt/certbot stuff
        location ~ /.well-known {
        allow all;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php7.0-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php7.0-fpm:
        #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

server {
    if ($host = www.davidjhindley.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = davidjhindley.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 default_server;
        listen [::]:80 default_server;
        server_name davidjhindley.com www.davidjhindley.com;
    return 404; # managed by Certbot




}

griffin · June 13, 2021, 5:11pm

Thanks for posting those.

Replace your existing default file in /etc/nginx/sites-available with the following file (removing the .txt extension of course):

default.txt (1.6 KB)

Reload nginx.

sudo nginx -s reload

Test your certificate renewal.

sudo certbot renew --dry-run

dj_h · June 13, 2021, 5:44pm

Amazing. That worked brilliantly. Thank you so much.

griffin · June 13, 2021, 5:45pm

Did the certificate renewal test succeed?

system · July 13, 2021, 5:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.