Hi to all, this is my first post here and my first attempt to renew a certificate after three months of usage...
Right now, Nginx is working as a proxy, redirecting all traffic to https and to port 8069 (it is the port that Odoo uses to load its ecommerce site).
I understand certbot needs to find the .well-known folder, but I cannot find it anywhere (and lack the knowledge on how to search for it).
Any help is greatly appreciated. Thanks to all the community.
The operating system my web server runs on is (include version): Centos 7
My hosting provider, if applicable, is: VPS server hosted in Uruguay.
I can login to a root shell on my machine: YES
I'm using a control panel to manage my site: NO, shell access.
The version of my client is: Certbot 1.0.0
I understand that the bot is not able to find the .well-known folder... but I am not sure how to allow access to this folder. I tried adding an "allow all" directive to the Nginx config file but it did not work (I added all config files as a comment below).
Also I notice that all traffic is being redirected from http to https; not sure if that is also part of the problem, and I don't know how to avoid that for the "...well-known..." URL.
All help is much appreciated since the certificate expired today, and all traffic is now seeing a horrible message.
Below I am copying the rest of the configuration for nginx that is inherited from Odoo. Sorry, I am very new to this (nginx, letsencrypt and odoo)... so I may have made a lot of errors in these config files.
```
#odoo server
upstream odoo {
    server 127.0.0.1:8069;
}
upstream odoochat {
    server 127.0.0.1:8072;
}
```
Ok, I was not able to solve this issue, but was able to install a new certificate (expired today).
The method I used was simply renewing the certificate using --manual with DNS as the preferred method of validation (I only had to create a TXT record and wait).
After issuing that certificate, I had another error, so I ran certbot again; it offered to reinstall it, and it works.
Anyway, I would like to understand what is wrong in my configuration, to be able to allow a cron process to retrieve a new certificate every time it is needed.
Thanks to all in advance.
There are multiple service/name overlaps:
The "server_name granel.uy" appears in all of your server sections and they use the same ports (80 & 443).
This seems very buggy.
Please confirm that your nginx config is useable with: nginx -t
If it fails that test, stop here and correct the problem(s).
If it passes the test, then post the complete output of: nginx -T
NOTE: In order to see/read your post correctly please either use the Preformatted text option or precede and follow the post with lines that only contain three backticks " ``` "
Hi! rg305, thanks for your response!
And sorry for my post with that horrible formatting.
Will try to answer your questions:
Yes, it works, but with a warning. Here goes the response of the -t command:
```
nginx: [warn] conflicting server name "granel.uy" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
Ok, here goes the full response of the -T command:
```
nginx: [warn] conflicting server name "granel.uy" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    server {
        server_name granel.uy
                    179.27.98.87
                    ;
        root /usr/share/nginx/html;
        # Load configuration files for the default server block.
        #include /etc/nginx/default.d/*.conf;
        location ^~ /.well-known/acme-challenge/ {
            allow all;
            root var/lib/letsencrypt/;
        }
        error_page 404 /404.html;
        location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
        # listen [::]:443 ssl ipv6only=on; # managed by Certbot
        # listen 443 ssl; # managed by Certbot
        # ssl_certificate /etc/letsencrypt/live/granel.uy/fullchain.pem; # managed by Certbot
        # ssl_certificate_key /etc/letsencrypt/live/granel.uy/privkey.pem; # managed by Certbot
        # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
    # server {
    #     if ($host = www.granel.uy) {
    #         return 301 https://$host$request_uri;
    #     } # managed by Certbot
    #
    #
    #     if ($host = granel.uy) {
    #         return 301 https://$host$request_uri;
    #     } # managed by Certbot
    #
    #
    #     listen 80 default_server;
    #     listen [::]:80 default_server;
    #     server_name granel.uy
    #                 179.27.98.87
    #                 ;
    #     return 404; # managed by Certbot
    #}
    server {
        if ($host = www.granel.uy) {
            return 301 https://granel.uy$request_uri;
        } # managed by Certbot
        if ($host = granel.uy) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        listen 80 default_server;
        listen [::]:80 default_server;
        #server_name www.granel.uy granel.uy; # managed by Certbot
        return 404; # managed by Certbot
        listen [::]:443 ssl; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/granel.uy/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/granel.uy/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
    # server {
    #     if ($host = www.granel.uy) {
    #         return 301 https://$host$request_uri;
    #     } # managed by Certbot
    #
    #
    #     listen 80 ;
    #
    #     listen [::]:80 ;
    #     server_name www.granel.uy;
    #     return 404; # managed by Certbot
    #
    #
    #}
}
# configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so";
# configuration file /usr/share/nginx/modules/mod-http-perl.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_perl_module.so";
# configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so";
# configuration file /usr/share/nginx/modules/mod-mail.conf:
load_module "/usr/lib64/nginx/modules/ngx_mail_module.so";
# configuration file /usr/share/nginx/modules/mod-stream.conf:
load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";
# configuration file /etc/nginx/mime.types:
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/svg+xml svg svgz;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/webp webp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    font/woff woff;
    font/woff2 woff2;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.oasis.opendocument.graphics odg;
    application/vnd.oasis.opendocument.presentation odp;
    application/vnd.oasis.opendocument.spreadsheet ods;
    application/vnd.oasis.opendocument.text odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.wap.wmlc wmlc;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/odoo.conf:
#odoo server
upstream odoo {
    server 127.0.0.1:8069;
}
upstream odoochat {
    server 127.0.0.1:8072;
}
# http -> https
server {
    listen 80;
    server_name granel.uy;
    rewrite ^(.*) https://$host$1 permanent;
}
server {
    listen 443 ssl;
    server_name granel.uy;
    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;
    # Add Headers for odoo proxy mode
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    # SSL parameters
    # ssl on;
    ssl_certificate /etc/letsencrypt/live/granel.uy/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/granel.uy/privkey.pem;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    # log
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;
    # Redirect longpoll requests to odoo longpolling port
    location /longpolling {
        proxy_pass http://granel.uy:8072;
    }
    # Redirect requests to odoo backend server
    location / {
        proxy_redirect off;
        proxy_pass http://granel.uy:8069;
    }
    # common gzip
    gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
```
I only edited a few commented lines, but left others that I had to comment out in order to avoid a problem I had yesterday, when I was not able to load www.granel.uy because there were too many redirects (that was the browser message).
Thanks again for your help, and sorry if I am making newbie errors, but I am new to web server configurations, nginx, etc.
Thanks!
That warning should not be ignored [and should be corrected].
From what I can see, you have four distinct server sections.
One uses both ports (80 and 443) and has no server_name - making it the default config for all unmatched requests:
```
server {
    if ($host = www.granel.uy) {
        return 301 https://granel.uy$request_uri;
    } # managed by Certbot
    if ($host = granel.uy) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 default_server;
    listen [::]:80 default_server;
    return 404; # managed by Certbot
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/granel.uy/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/granel.uy/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
```
Another uses port 80 and redirects requests to granel.uy to HTTPS:
The default site section and the main site section appear to be correct.
The port 80 redirect section also looks good.
I think the problem is in the last section; which, to me, is completely unnecessary and could/should be removed.
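For reference, here is what a consolidated layout for this site could look like once the overlapping `server` sections are collapsed into one port-80 block and one port-443 block. This is an added example written for this thread, not the poster's configuration and not anything generated by Certbot or shipped with Odoo; it assumes certbot is run as `certbot --webroot -w /var/lib/letsencrypt -d granel.uy -d www.granel.uy`, and it reuses the domain, paths and upstreams already shown in the posted `nginx -T` output. Two details differ from the posted config on purpose: the challenge `root` has a leading slash (in the posted config `root var/lib/letsencrypt/;` has none, and nginx resolves a relative path against its compiled-in prefix rather than `/`), and the `location` for the challenge is placed before the redirect, so that the HTTP-01 request is answered over plain HTTP instead of being bounced to HTTPS. The cipher and protocol settings come from Certbot's `options-ssl-nginx.conf`, which replaces the `TLSv1 TLSv1.1` list in the posted odoo.conf.

```nginx
# Added example (not from the thread). Assumes:
#   certbot --webroot -w /var/lib/letsencrypt -d granel.uy -d www.granel.uy
# Backends are the same upstreams the posted odoo.conf defines.
upstream odoo     { server 127.0.0.1:8069; }
upstream odoochat { server 127.0.0.1:8072; }

# One, and only one, server listening on port 80 for these names.
server {
    listen 80;
    listen [::]:80;
    server_name granel.uy www.granel.uy;

    # ACME HTTP-01: certbot --webroot writes the token under
    # /var/lib/letsencrypt/.well-known/acme-challenge/<token>.
    # Note the leading slash; "root var/lib/letsencrypt/" would be
    # resolved relative to nginx's prefix directory, not to /.
    location ^~ /.well-known/acme-challenge/ {
        root /var/lib/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS on the canonical host.
    location / {
        return 301 https://granel.uy$request_uri;
    }
}

# One server listening on port 443 that proxies to Odoo.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name granel.uy www.granel.uy;

    ssl_certificate     /etc/letsencrypt/live/granel.uy/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/granel.uy/privkey.pem;
    # Certbot's file: TLSv1.2/1.3 only and a modern cipher list.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    proxy_read_timeout    720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout    720s;

    # Headers Odoo expects in proxy mode.
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP         $remote_addr;

    access_log /var/log/nginx/odoo.access.log;
    error_log  /var/log/nginx/odoo.error.log;

    # Longpolling goes to the upstream on 8072, everything else to 8069.
    # Using the upstream names keeps the hop on 127.0.0.1 instead of
    # proxying back out to granel.uy:8069 as the posted config does.
    location /longpolling {
        proxy_pass http://odoochat;
    }
    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }

    gzip on;
    gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
}
```

After dropping the extra sections and reloading, `nginx -t` should no longer print the "conflicting server name" warning, and `certbot renew --dry-run` exercises the webroot path end to end without issuing a real certificate, which is the check to run before relying on the cron job.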