I already have nginx configured with two server{} sections, each routing to a different web server. If I try to include options-ssl-nginx.conf in both the sections, nginx -t tells me that I can't use le_nginx_SSL twice (in ssl_session_cache), but if I include such file once only, from the top nginx.conf, it can't go inside server{}.
I suppose including this from http{} would work, but this isn't good for me either, since I also have a stream{} section, which I want to protect with the same SSL directives and certificates.
The only way I see is changing that file so that it doesn't have the non-common parts (i.e., the cache name), but its comments say it shouldn't be touched.
Should certbot work differently? Should I set up things differently?
I have that same include in multiple nginx server blocks without any problem. More importantly, the nginx.org docs say that kind of statement can appear in multiple server blocks.
Can you show the output of this (it will be long, an uppercase T is essential)
nginx: [emerg] the shared memory zone "le_nginx_SSL" is already declared for a different use in /etc/letsencrypt/options-ssl-nginx.conf:7
nginx: configuration file /etc/nginx/nginx.conf test failed
I've added include /etc/letsencrypt/options-ssl-nginx.conf; to two server{} sections, which are both under http{} (each serving one sub-domain associated with the same certificate), and it worked until then.
Then, I've added the same include under a third server{} section, which is under stream{}. This forwards TCP/BOLT connections on port 7687 to the internal Neo4j database, realising SSL termination (i.e., the target gets unencrypted connections from NGINX). At this point, nginx gives me the error above.
The same works fine if I do it this way:
I include another file, which is a copy of /etc/letsencrypt/options-ssl-nginx.conf, in which the ssl_session_cache was commented out.
I define two different ssl_session_cache directives in http{} and stream{}, with two different cache names.
In conclusion, I think SSL caches aren't reusable everywhere and hence the Let's Encrypt-provided file can't be included as-is both in the http{} and stream{} sections. Nor can it be placed outside these sections (I've tried previously and nginx says the directives are in a bad place).
-T doesn't produce anything when I use the errored version.
Please find attached the output produced with the version that works (with the wrong inclusion commented out). I have had to change some server names and IPs from that, because it's a reserved server, which we still have to launch to the public.
I'm using nginx 1.26.1, which should be one of the most recent.
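The working layout described in the post above, as an added example that is neither the poster's attached config nor certbot's own file: the shared zone name from options-ssl-nginx.conf is declared once per context under two different names, and the server blocks include a trimmed copy of that file. Assumed are the snippet path /etc/nginx/snippets/ssl-common.conf (options-ssl-nginx.conf with its ssl_session_cache line removed), the example.com hostnames and certificate paths, and the upstream addresses.

```nginx
# Added example, not from the thread or from certbot. Assumes a copy of
# options-ssl-nginx.conf at /etc/nginx/snippets/ssl-common.conf with the
# ssl_session_cache line removed; hostnames, cert paths and upstream
# addresses are placeholders.
events {}

http {
    # One zone for every http{} server; the snippet can now be included
    # in each server block without redeclaring a cache.
    ssl_session_cache shared:http_SSL:10m;

    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        include /etc/nginx/snippets/ssl-common.conf;
        location / { proxy_pass http://127.0.0.1:8080; }
    }

    server {
        listen 443 ssl;
        server_name api.example.com;
        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        include /etc/nginx/snippets/ssl-common.conf;
        location / { proxy_pass http://127.0.0.1:8081; }
    }
}

stream {
    # A separately named zone: the http and stream SSL modules cannot
    # share one shared-memory zone name ("declared for a different use").
    ssl_session_cache shared:stream_SSL:10m;

    # TLS-terminating proxy for Bolt on 7687; Neo4j behind it receives
    # plaintext, so keep that hop on a private network.
    server {
        listen 7687 ssl;
        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        include /etc/nginx/snippets/ssl-common.conf;
        proxy_pass 10.0.0.5:7687;
    }
}
```

Run nginx -t after each change; certbot renewals will not rewrite the snippet copy, so any future update to options-ssl-nginx.conf has to be carried over by hand.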
Yes, I agree and can reproduce this error (nginx v1.18). The ssl_session_cache shared:le_nginx_SSL:10m; cannot be used in a server block within a stream section if it is also listed in a server block in an http section.
It can be listed in multiple server blocks within an http section. This is commonly done. Those can also appear multiple times even if the ssl_session_cache is also listed at the http level.
Using stream is not as common which is probably why we don't see this as often (or ever).
How to proceed?
First, make sure you are using a recent version of Certbot. It is possible this was addressed along the way although I did not see this mentioned in the changelog. What version are you using? (do: certbot --version)
The certonly will only get a cert but not make permanent changes to nginx config. You then manually create / update any server block for that domain.
You could continue to use the --nginx plugin as you have been for the non-stream domains. I didn't see any problem having multiple ssl_session_cache statements for those.
Thanks Mike, I had already done what you propose, I hope I'll be able to include a modified version of that file in future. I've reported the problem to the developers.