How to deploy an existing certificate into a new webserver

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rescuerobot.org

I ran this command: certbot --apache

It produced this output: Successful

My web server is (include version): HP G5

The operating system my web server runs on is (include version): ubuntu 20.04

My hosting provider, if applicable, is: Nil

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Using certbot --apache I obtained a certificate
Using certbot --nginx I wish to complete a new install on the same server.
Certbot documentation states for install: "Options for modifying how a certificate is deployed" (none listed).
Is there a command: $certbot install --nginx
I have a certificate: I wish to deploy it a second time to the same server.
What method is best? Thanks, Kevin.

I'm confused... :confused:
Are you using Apache and nginx web servers in the same system?
If so, then you only need to install it.
Which you can do yourself or have certbot do it for you.
If you want certbot to do it for you, you will need to give it enough information to do that with.
Didn't we already cover this on another topic?

@rg305 Sorry for the confusion. I am not using Apache and nginx web servers in the same system. I failed to complete my install of Apache. I backed up my folder /etc/letsencrypt from the failed install of Apache. I then commenced a new install of nginx as described in https://www.howtoforge.com/tutorial/how-to-install-drupal-with-nginx-and-ssl-on-ubuntu/
How do I best use $certbot command?
CASE 1: I have already successfully completed $certbot --apache what will happen if I follow this with $certbot --nginx ?
CASE 2: What will happen if I have already successfully completed $certbot --apache and I use $certbot -i nginx or $certbot install --nginx -d rescuerobot.org ?
CASE 3: What will happen if I have already successfully completed $certbot --apache and I use $certbot delete then running $certbot --nginx -d rescuerobot.org -d www.rescuerobot.org ?
I am a beginner and cautious that I get it right this time.
Kevin

Essentially: Nothing.
The previous --apache part may have stored some authentication settings in the renewal.conf file; but those would easily be updated with a successful --nginx run.
Case 2 should work but may keep some things in the renewal.conf file that would not be normally found there or no longer relevant.
Case 3 might be the simplest method to undo all and then set everything as expected quickly.
It would be like starting over again from the beginning (without a cert).
The only difference is that it would count one more issuance against your limits; but you should be far from reaching any of those limits.

Case 3 is the way to go.

Thank you @rg305 I will give CASE 3 a go! Kevin

@rg305 Almost there but not quite. I successfully used $certbot --nginx which produced:

server {
    root /var/www/html/drupal;
    index  index.php index.html index.htm;
    server_name  www.rescuerobot.org;

    client_max_body_size 100M;
    autoindex off;

    location ~ \..*/.*\.php$ {
        return 403;
    }

    location ~ ^/sites/.*/private/ {
        return 403;
    }

    # Block access to scripts in site files directory
    location ~ ^/sites/[^/]+/files/.*\.php$ {
        deny all;
    }

    location ~ (^|/)\. {
        return 403;
    }

    location / {
        try_files $uri /index.php?$query_string;
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    # Don't allow direct access to PHP files in the vendor directory.
    location ~ /vendor/.*\.php$ {
        deny all;
        return 404;
    }

    location ~ '\.php$|^/update.php' {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
        try_files $uri @rewrite;
    }
    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
        try_files $uri /index.php?$query_string;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/rescuerobot.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rescuerobot.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.rescuerobot.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name  www.rescuerobot.org;

    client_max_body_size 100M;
    return 404; # managed by Certbot


}

This works for https://rescuerobot.org, https://www.rescuerobot.org and http://www.rescuerobot.org but not for http://rescuerobot.org. My web-server is running: please check. I am not capable of debugging the above script but I think there is something not quite right in its PHP code.
http://rescuerobot.org goes to a 404 error page whereas all of the others correctly end up at:


The deletion of the old certificate worked correctly as shown in:
Install-Drupal-9-08092021.txt (17.1 KB)
Many thanks for your help.
Kevin

The problem with the certs happened because you do not have an nginx server section for your apex domain (rescuerobot.org) - only www.rescuerobot.org.

You can manually change the server that listens on port 80 to this:

server {
    if ($host = www.rescuerobot.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = rescuerobot.org) {
        return 301 https://$host$request_uri;
    } # new

    listen 80;
    listen [::]:80;
    server_name  www.rescuerobot.org rescuerobot.org;   # change

    client_max_body_size 100M;
    return 404; # managed by Certbot
}

There are better ways to configure nginx for such a setup. This is just a quick way to get going. For details see nginx docs:
http://nginx.org/en/docs/http/request_processing.html

Update: The reason for the 404 for your apex domain was that your port 80 listener was the only server and thus your default server for that port (http inbound). But, after Certbot changed your server it only redirected requests to www.rescuerobot.org and issued a 404 for all other requests - blocking inbound requests for rescuerobot.org (and any others that would have fallen into the default server).

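As an added check (not code from the thread), the script below parses nginx server blocks and reports, per port, which hostnames no block names explicitly; on a constructed, abridged copy of the config above it reproduces the apex gap, and on the corrected server_name it reports none. The parser is a deliberately minimal tokenizer, not a full nginx config parser.

```python
import re

# Constructed sample (not the thread's full file): the 443 and 80 server
# blocks from the thread, abridged, each naming only the www host.
SAMPLE_CONF = """
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.rescuerobot.org;
}
server {
    if ($host = www.rescuerobot.org) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name www.rescuerobot.org;
    return 404;
}
"""
# The correction proposed in the thread: the apex name added to server_name.
FIXED_CONF = SAMPLE_CONF.replace("server_name www.rescuerobot.org;",
                                 "server_name www.rescuerobot.org rescuerobot.org;")

def parse_servers(conf):
    """Minimal nginx tokenizer: strip comments, split on ; { } and collect the
    listen ports and server_name values of each server block. It relies on
    listen/server_name appearing only directly inside server blocks, as here."""
    text = re.sub(r"#[^\n]*", "", conf)
    servers, current = [], None
    for stmt, delim in re.findall(r"([^;{}]*)([;{}])", text):
        words = stmt.split()
        head = words[0] if words else ""
        if delim == "{" and words == ["server"]:
            current = {"ports": set(), "names": set()}
            servers.append(current)
        elif delim == ";" and current and head == "listen":
            # '443 ssl' or '[::]:80': the port is whatever follows the last ':'
            current["ports"].add(words[1].rsplit(":", 1)[-1])
        elif delim == ";" and current and head == "server_name":
            current["names"].update(words[1:])
    return servers

def unnamed_hosts(conf, hostnames, ports=("80", "443")):
    """Per port, the hostnames that no server block names explicitly. Such
    requests land in nginx's default server for that port; on port 80 above
    that server only redirects www and answers 'return 404' to all else."""
    servers = parse_servers(conf)
    return {p: sorted(set(hostnames) - set().union(*(s["names"] for s in servers if p in s["ports"])))
            for p in ports}
```

Run it against the hostnames on the certificate (here rescuerobot.org and www.rescuerobot.org); any name listed for port 80 is one that will hit the catch-all 404 rather than the redirect.
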
@MikeMcQ Thank you Mike for your help. Not sure whether my typing is ok but:

● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2021-09-06 21:03:36 UTC; 4min 7s ago
       Docs: man:nginx(8)
    Process: 15202 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)

Sep 06 21:03:36 kgwebsite systemd[1]: Starting A high performance web server and a reverse proxy server...
Sep 06 21:03:36 kgwebsite nginx[15202]: nginx: [emerg] unknown "request_url" variable
Sep 06 21:03:36 kgwebsite nginx[15202]: nginx: configuration file /etc/nginx/nginx.conf test failed
Sep 06 21:03:36 kgwebsite systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Sep 06 21:03:36 kgwebsite systemd[1]: nginx.service: Failed with result 'exit-code'.
Sep 06 21:03:36 kgwebsite systemd[1]: Failed to start A high performance web server and a reverse proxy server.

drupal08092021.txt (2.0 KB)
Not happy with "unknown "request_url" variable"?

@kg1 It should be request_uri not request_url (uri - not url). This is the same line as the one above it in my example, which was placed there by certbot.

@MikeMcQ Yes my duplication error!
Please check https://rescuerobot.org and https://www.rescuerobot.org and http://rescuerobot.org and http://www.rescuerobot.org for me as my pfSense firewall prevents me seeing output.
Thanks,
Kevin

:white_check_mark: correct certificates being served
:white_check_mark: http to https redirects in place

You should redirect to either rescuerobot.org or www.rescuerobot.org for SEO purposes.

@kg1 Also tested your site here - gets an A - hurray!
https://www.ssllabs.com/ssltest/

@kg1 And I agree with @griffin that you should improve your nginx server definitions to rationalize to one https name. The best way is to use separate server definitions. There are many good sites explaining this. I have no affiliation with the one below; it just showed up quickly on Google. It covers the topic fairly well. Good luck.

@MikeMcQ @griffin After 9 years on Drupal 7 I took the plunge. Being a beginner, it took many mistakes, restarts from the beginning and many weeks of trying alternatives. I reversed out of $certbot --apache and I deleted the first certificate. My file above
Install-Drupal-9-08092021.txt (17.1 KB)
includes all the bits that technical writers don't include in their articles.
Thank you for your comments. I will read the references and improve the scripts above.
Kevin.
