Error while running nginx -c /etc/nginx/nginx.conf -t

Hi,

Find below the requested details. Certbot claims there is an issue when it checks the nginx config file; however, if I run the same command "nginx -c /etc/nginx/nginx.conf -t" I get the output:

sudo nginx -c /etc/nginx/nginx.conf -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

My domain is:

hptm.eu
dev.hptm.eu

I ran this command:

sudo certbot renew

It produced this output:

[alex@dev-hptm renewal]$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/dev.hptm.eu.conf


Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] SSL_CTX_new() failed (SSL: error:0A0000A1:SSL routines::library has no ciphers)
nginx: configuration file /etc/nginx/nginx.conf test failed

Failed to renew certificate dev.hptm.eu with error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] SSL_CTX_new() failed (SSL: error:0A0000A1:SSL routines::library has no ciphers)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')


Processing /etc/letsencrypt/renewal/hptm.eu.conf


Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] SSL_CTX_new() failed (SSL: error:0A0000A1:SSL routines::library has no ciphers)
nginx: configuration file /etc/nginx/nginx.conf test failed

Failed to renew certificate hptm.eu with error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] SSL_CTX_new() failed (SSL: error:0A0000A1:SSL routines::library has no ciphers)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/dev.hptm.eu/fullchain.pem (failure)
/etc/letsencrypt/live/hptm.eu/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[alex@dev-hptm renewal]$

My web server is (include version):

nginx/1.20.1

The operating system my web server runs on is (include version):

Linux version 5.14.0-362.13.1.el9_3.x86_64 (mockbuild@x64-builder01.almalinux.org) (gcc (GCC) 11.4.1 20230605 (Red Hat 11.4.1-2), GNU ld version 2.35.2-42.el9) #1 SMP PREEMPT_DYNAMIC Thu Dec 21 07:12:43 EST 2023

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 3.1.0

I believe this will be relevant; these are the contents of /etc/letsencrypt/options-ssl-nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

This is the log file:

2025-01-27 12:14:59,414:DEBUG:certbot._internal.main:certbot version: 3.1.0
2025-01-27 12:14:59,414:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/4325/bin/certbot
2025-01-27 12:14:59,414:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2025-01-27 12:14:59,415:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-01-27 12:14:59,457:DEBUG:certbot._internal.log:Root logging level set at 30
2025-01-27 12:14:59,458:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/dev.hptm.eu.conf
2025-01-27 12:14:59,460:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-01-27 12:14:59,460:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-01-27 12:14:59,473:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e6.o.lencr.org:80
2025-01-27 12:14:59,624:DEBUG:urllib3.connectionpool:http://e6.o.lencr.org:80 "POST / HTTP/1.1" 200 346
2025-01-27 12:14:59,625:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/dev.hptm.eu/cert9.pem is signed by the certificate's issuer.
2025-01-27 12:14:59,643:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/dev.hptm.eu/cert9.pem is: OCSPCertStatus.GOOD
2025-01-27 12:14:59,647:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2025-02-09 05:45:33 UTC.
2025-01-27 12:14:59,647:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2025-01-27 12:14:59,647:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2025-01-27 12:14:59,660:ERROR:certbot.util:Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] SSL_CTX_new() failed (SSL: error:0A0000A1:SSL routines::library has no ciphers)
nginx: configuration file /etc/nginx/nginx.conf test failed

2025-01-27 12:14:59,660:DEBUG:certbot._internal.plugins.disco:Misconfigured PluginEntryPoint#nginx: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] SSL_CTX_new() failed (SSL: error:0A0000A1:SSL routines::library has no ciphers)
nginx: configuration file /etc/nginx/nginx.conf test failed
Traceback (most recent call last):
File "/snap/certbot/4325/lib/python3.12/site-packages/certbot_nginx/_internal/configurator.py", line 1008, in config_test
util.run_script([self.conf('ctl'), "-c", self.nginx_conf, "-t"])
File "/snap/certbot/4325/lib/python3.12/site-packages/certbot/util.py", line 199, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] SSL_CTX_new() failed (SSL: error:0A0000A1:SSL routines::library has no ciphers)
nginx: configuration file /etc/nginx/nginx.conf test failed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/snap/certbot/4325/lib/python3.12/site-packages/certbot/_internal/plugins/disco.py", line 112, in prepare
self._initialized.prepare()
File "/snap/certbot/4325/lib/python3.12/site-packages/certbot_nginx/_internal/configurator.py", line 204, in prepare
self.config_test()
File "/snap/certbot/4325/lib/python3.12/site-packages/certbot_nginx/_internal/configurator.py", line 1010, in config_test
raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] SSL_CTX_new() failed (SSL: error:0A0000A1:SSL routines::library has no ciphers)
nginx: configuration file /etc/nginx/nginx.conf test failed

2025-01-27 12:14:59,662:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='nginx', value='certbot_nginx._internal.configurator:NginxConfigurator', group='certbot.plugins')
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fc9edd61d00>
Prep: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] SSL_CTX_new() failed (SSL: error:0A0000A1:SSL routines::library has no ciphers)
nginx: configuration file /etc/nginx/nginx.conf test failed

2025-01-27 12:14:59,663:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin

Oof, I found the fix!

"yum update openssl"


One small addendum: I could not log on via ssh anymore after I did that. "yum update -y" was required to fix that.
