I have an Amazon EC2 Ubuntu VM running and I have a website spun up on nginx. Currently It is a public IP address that I have a forwarded domain to. My domain is on IONOS and I can't transfer the certificate otherwise it removed my other sites ssl. Even when I did that though it still didn't work. I can't get a cert for a ip either so what can I do to get my ssl certificate on my vm website?
I moved your post to the Help category. You would have been shown the form below had you posted there originally. Please complete as much as you can.
The short answer to your question is you run an ACME Client on your EC2 instance and request a cert. But answers to the below will help us guide you better
================================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
3 Likes
~/acme.sh$ ./acme.sh --issue -d host.wis.systems -w /home/ubuntu/
[Fri Mar 15 14:50:02 UTC 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Mar 15 14:50:02 UTC 2024] Single domain='host.wis.systems'
[Fri Mar 15 14:50:04 UTC 2024] Getting webroot for domain='host.wis.systems'
[Fri Mar 15 14:50:04 UTC 2024] Verifying: host.wis.systems
[Fri Mar 15 14:50:05 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Fri Mar 15 14:50:08 UTC 2024] Pending, The CA is processing your order, please just wait. (2/30)
[Fri Mar 15 14:50:12 UTC 2024] Pending, The CA is processing your order, please just wait. (3/30)
I can ping my public ip via that hostname so I know it's setup within the dns properly. It just keeps timing out over and over. What do I do?
That is not the Let's Encrypt CA. The default CA used by acme.sh changed three years ago. You need to tell it to use Let's Encrypt if that is the CA you prefer.
As for the network timeouts, have you checked for firewall settings, including at the platform level?
3 Likes
Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Mar 15 18:12:13 UTC 2024] Create account key ok.
[Fri Mar 15 18:12:13 UTC 2024] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Fri Mar 15 18:12:13 UTC 2024] Registered
[Fri Mar 15 18:12:13 UTC 2024] ACCOUNT_THUMBPRINT='wIjlJDBIqOjQWEEIoBwMLr3bJVFcl0RmgO6bQ8k2QH0'
[Fri Mar 15 18:12:13 UTC 2024] Single domain='host.wis.systems'
[Fri Mar 15 18:12:14 UTC 2024] Getting webroot for domain='host.wis.systems'
[Fri Mar 15 18:12:14 UTC 2024] Verifying: host.wis.systems
[Fri Mar 15 18:12:14 UTC 2024] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Mar 15 18:12:17 UTC 2024] Invalid status, host.wis.systems:Verify error detail:3.141.73.0: Invalid response from http://host.wis.systems/.well-known/acme-challenge/sO4SMYA6HE5ilpC0t8bLlLqXmBVICQII2IRy3qCGByY: 404
[Fri Mar 15 18:12:17 UTC 2024] Please add '--debug' or '--log' to check more details.
[Fri Mar 15 18:12:17 UTC 2024] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub
I get this error now. That ip adderss is the ip of the machine i am on.
here is my ping as well:
ping host.wis.systems
PING host.wis.systems (3.141.73.0) 56(84) bytes of data.
64 bytes from ec2-3-141-73-0.us-east-2.compute.amazonaws.com (3.141.73.0): icmp_seq=1 ttl=63 time=1.01 ms
The 404 is an http Not Found error. The Let's Encrypt made an HTTP request to your domain to check the challenge token. That token was placed by acme.sh in the -w folder you indicated.
Your nginx is saying it could not find the challenge token to return it to LE. This is almost always because the -w folder you gave to acme.sh does not match the root value for this domain in your nginx config. There may be other causes.
If you want help debugging that, please show entire output of this. It will be long and capital T is essential
sudo nginx -T
3 Likes
So do I need to put it as my path to my nginx default file? in /etc/nginx/sites-avaiable?
The domain is hosted on ionos, I just added a dns record with my aws public ip, and i am hosting a nginx webserver from my vm there
Also, I get permission denied for anything in /etc/nginx
ubuntu@ip-172-31-5-221:~/acme.sh$ ./acme.sh --issue -d host.wis.systems -w /etc/nginx/
[Fri Mar 15 18:52:54 UTC 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Mar 15 18:52:54 UTC 2024] Single domain='host.wis.systems'
[Fri Mar 15 18:52:55 UTC 2024] Getting webroot for domain='host.wis.systems'
[Fri Mar 15 18:52:55 UTC 2024] Verifying: host.wis.systems
mkdir: cannot create directory ‘/etc/nginx//.well-known’: Permission denied
./acme.sh: 4978: cannot create /etc/nginx//.well-known/acme-challenge/BiiLzaFf1zqplvyqYOOVktAfa4KgpWqXC6T8lS16Fa8: Directory nonexistent
[Fri Mar 15 18:52:55 UTC 2024] host.wis.systems:Can not write token to file : /etc/nginx//.well-known/acme-challenge/BiiLzaFf1zqplvyqYOOVktAfa4KgpWqXC6T8lS16Fa8
[Fri Mar 15 18:52:55 UTC 2024] Please add '--debug' or '--log' to check more details.
[Fri Mar 15 18:52:55 UTC 2024] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub
That is a poor choice for the -w folder
2 Likes
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 6.5.0-1014-aws x86_64)
- Documentation: https://help.ubuntu.com
- Management: https://landscape.canonical.com
- Support: Ubuntu Pro | Ubuntu
System information as of Fri Mar 15 19:14:29 UTC 2024
-
Ubuntu Pro delivers the most comprehensive open source security and
compliance features.
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
9 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
Last login: Fri Mar 15 18:12:00 2024 from 3.16.146.4
`ubuntu@ip-172-31-5-221:~$ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
client_max_body_size 3000M;
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default:
# Default server configuration
#
upstream flaskhelloworld {
server 127.0.0.1:8000;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name portal.wis.systems;
# ssl_certificate_key /etc/ssl/certs/wis.key;
# ssl_certificate /etc/ssl/certs/wis_cer.cer;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
allow all;
root /var/www/letsencrypt;
proxy_pass http://flaskhelloworld;
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
First, you should become more familiar with how nginx is configured. It will help you in the long-run to understand it since you are becoming its administrator.
As for this specific problem there are a couple issues
You do not have a server block for the name host.wis.systems and you should make one. Since there isn't one nginx would use the default server block. That server block has a root folder of /var/www/html which does not match the -w /home/ubuntu folder in your first example and certainly not the /etc/nginx which you should not use as a root folder at all.
The one server block you have for port 80 has two server_name statements. nginx only supports one so it probably ignores the first one.
I suggest in your new server block for your host subdomain use something like /var/certbot and then make that folder with the needed permissions for your system. Then use that folder as the -w folder value in your acme.sh command.
Something like this example
server {
listen 80;
listen [::]:80; # if using IPv6
server_name example.com www.example.com;
location /.well-known/acme-challenge/ {
root /var/certbot; # make/use folder as you prefer
}
location / {
return 301 https://$host$request_uri;
}
}
3 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.