How to update certbot version on nginx/centos

I have some enabled certs on my server that are currently working.

Today I tried to add a subdomain and certify it on my server. I ran sudo certbot certonly --expand -d blog.newsite.io and went through the required steps.

Everything output ‘success’; however, when I view my site it is still not protected.

I have tried to run certbot certificates to see which have been activated/not activated, but it says that "certificates" is an unrecognized argument, which makes me think I need to update my version.

My current certbot --version is: 0.9.3

Will updating remove or affect my current configurations on my server?

Thank you

Note that certbot certonly obtains a certificate but doesn’t install it. So when you use this command you need to manually configure your nginx to use the certificate you just obtained, and reload it afterwards (and after renewal as well).

Also, I think you need to specify the existing domains as well as the new domain, if you want to expand an existing certificate. Just specifying the new domain will give you a new certificate. (I guess that would be obvious if you were using a version of certbot that supported certbot certificates)

Sorry, I don’t know much about running certbot on CentOS; maybe someone else can help with that. But: which version of CentOS are you using? And have you tried the instructions on https://certbot.eff.org/ for nginx on your version of CentOS?

Thanks @jmorahan,

I’ve run through certbot.eff and was able to update my certbot.

Right now, I have been running sudo certbot --nginx

I select the option to attempt to reinstall the existing certificates, but it gives me:

nginx: [emerg] "ssl_certificate" directive is duplicate in /etc/nginx/conf.d/blog.example.net.conf:35

The strange thing is that this subdomain is one of my already existing and working domains, and not the new subdomain I am trying to add.

Here are the contents of the conf file it is referring to:

server {
    listen      80;
    listen      443;

    server_name blog.example.net www.blog.example.net;

    access_log  /var/log/nginx/ghost.access.log;
    error_log   /var/log/nginx/ghost.error.log;

    #return 301 https://$server_name$request_uri;

    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location ^~ /.well-known {
        allow all;
        root /var/www/blog.example.net/html;
    }

    location / {
        proxy_pass  http://127.0.0.1:2000;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto https;
    }

    include snippets/ssl-blog.example.net.conf;
    include snippets/ssl-params.conf;
}

and here is the conf file of the newdomain I am trying to install and have protected:

server {
    listen      80;

    server_name blog.newdomain.io www.blog.newdomain.io;

    access_log  /var/log/nginx/ghost.access.log;
    error_log   /var/log/nginx/ghost.error.log;

    #return 301 https://$server_name$request_uri;

    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location ^~ /.well-known {
        allow all;
        root /var/www/blog.newdomain.io/html;
    }

    location / {
        proxy_pass  http://127.0.0.1:2001;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto https;
    }
}

Are you sure that's correct? I think this would end up with you enabling https on port 80 as well as 443. Not sure if that's the problem but I can imagine that it might possibly confuse certbot when it's trying to figure out what file to update. Normally you would have a separate server block for port 80 where you would redirect to https.

(I'm just guessing though, I'm not familiar with nginx config syntax so I may be wrong about that)

BTW what version of certbot are you on now?

You’re right. It depends on whether those snippet files contain “ssl on;”, but it’s going to run the same protocol on ports 80 and 443, either HTTP or HTTPS.

("ssl on;" is deprecated and you’re supposed to use e.g. “listen 80; listen 443 ssl;” which will do the right thing.)

I’m not sure how confused Certbot would get; it might work, or fail to reconfigure, or reconfigure in a syntactically valid way but fail the challenge with a weird error if port 443 is doing HTTP.

Edit: On second thought, everything mayyy work fine if the default virtual host is configured correctly.


@jmorahan I had “443 ssl;” originally, but had just removed it to see if it changed anything.

I have added them back in but nothing has really changed that I can tell.

I have updated it as per your feedback, and now I am running v0.19.0.

Hope this helps

Hmm, that’s beyond my nginx knowledge then I’m afraid, maybe the nginx experts here can help.

However you should at least be able to run certbot certificates now, and see what you’ve got already. If you have a valid cert from a previous run it may just be a matter of configuring nginx to use it.

@jmorahan ah, I see, no worries. Thanks for your help so far.

And yes! It does work. This is what it returns; maybe this will be clearer to you.

Note: all domains with “example” are currently working. newdomain is working as well, but the subdomain blog.newdomain.io is the one that is not working and that I am trying to add.

  Certificate Name: blog.example.net
    Domains: blog.example.net www.blog.example.net
    Expiry Date: 2018-02-28 01:21:48+00:00 (VALID: 72 days)
    Certificate Path: /etc/letsencrypt/live/blog.example.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/blog.example.net/privkey.pem

  Certificate Name: blog.newdomain.io
    Domains: blog.newdomain.io www.blog.newdomain.io
    Expiry Date: 2018-01-20 01:28:08+00:00 (VALID: 33 days)
    Certificate Path: /etc/letsencrypt/live/blog.newdomain.io/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/blog.newdomain.io/privkey.pem

  Certificate Name: newdomain.io
    Domains: newdomain.io www.newdomain.io
    Expiry Date: 2018-02-28 01:21:59+00:00 (VALID: 72 days)
    Certificate Path: /etc/letsencrypt/live/newdomain.io/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/newdomain.io/privkey.pem

  Certificate Name: example.net
    Domains: newdomain.io blog.newdomain.io blog.example.net example.ca example.net www.blog.newdomain.io www.blog.example.net www.newdomain.io www.example.ca www.example.net
    Expiry Date: 2018-03-17 01:16:52+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.net/privkey.pem

It seems you already have two certificates that are valid for blog.newdomain.io: the certificates named blog.newdomain.io and example.net. So to get it initially working, you may just need to configure nginx to use one of those. If you could get certbot --nginx working, it should do that automatically for you, but you can also do it manually if you know how. In that case you may also need to configure certbot to reload nginx after a successful renewal, which you can do by placing a script to reload it in /etc/letsencrypt/renewal-hooks/deploy/.

Getting certbot --nginx working would probably be better, but I’m not sure how to help you with that at this point (but maybe someone else can).
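An added example, not code from the thread, from the original poster or from certbot: a POSIX shell script that renders the split server-block layout discussed above (a plain-HTTP block that only serves ACME challenges and redirects everything else, and a "listen 443 ssl" block that carries exactly one ssl_certificate / ssl_certificate_key pair), together with the reload script for /etc/letsencrypt/renewal-hooks/deploy/ that the previous reply mentions. The domain, the Ghost backend port, the /var/www/DOMAIN/html webroot and the /etc/letsencrypt/live/DOMAIN/ paths follow the posts above; the function names, the --demo switch and the nginx -t check in the hook are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's config and not
# certbot's own code). Renders the nginx layout that avoids the problems
# discussed above, and the renewal hook that reloads nginx afterwards.
#
# Assumptions (hypothetical): the site proxies to a local Ghost instance on
# 127.0.0.1:$2, ACME challenge files are served from /var/www/$1/html, and
# certificates live under /etc/letsencrypt/live/$1/ as shown by
# "certbot certificates" above.

# render_site_conf DOMAIN BACKEND_PORT
# Prints two server blocks: plain HTTP for ACME challenges plus a redirect,
# and HTTPS with exactly one ssl_certificate / ssl_certificate_key pair.
render_site_conf() {
    domain="$1"
    backend_port="$2"
    cat <<EOF
server {
    listen 80;
    server_name ${domain} www.${domain};

    # http-01 challenges must stay reachable over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/${domain}/html;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name ${domain} www.${domain};

    # One ssl_certificate per server block. Do not also include a snippet that
    # sets it, or nginx fails with '"ssl_certificate" directive is duplicate'.
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:${backend_port};
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# count_ssl_certificate_directives < CONFIG
# Counts "ssl_certificate" lines (not ssl_certificate_key) in config text read
# from stdin. More than one inside a single server block is what nginx -t
# rejects with the "directive is duplicate" error quoted above.
count_ssl_certificate_directives() {
    grep -cE '^[[:space:]]*ssl_certificate[[:space:]]' || true
}

# render_deploy_hook
# Prints a script for /etc/letsencrypt/renewal-hooks/deploy/. certbot runs
# every executable in that directory after a successful renewal, so nginx
# picks up the renewed certificate without a manual reload. The config test
# comes first so a broken config never takes the running server down.
render_deploy_hook() {
    cat <<'EOF'
#!/bin/sh
set -e
nginx -t
systemctl reload nginx
EOF
}

# Stand-alone demo:  sh this_script.sh --demo blog.newdomain.io 2001
if [ "${1:-}" = "--demo" ]; then
    render_site_conf "$2" "$3"
    echo "---- deploy hook ----"
    render_deploy_hook
fi
```

With the HTTPS block setting ssl_certificate itself, drop the include of the per-site ssl snippet (or keep the snippet and drop the directives from the block); nginx accepts only one ssl_certificate per server block, which is the error the reinstall attempt above ran into. Save the hook output as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and verify the whole setup with nginx -t before reloading.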

@mnordhoff do you have any ideas on how I can get my certbot --nginx working as jmorahan has suggested?

