How to work with NGINX's snippets? there are a workaround for now?

My NGINX script, at /etc/nginx/nginx.conf, is a non-usual "all in one file" script, with all servers there. But was working fine (!) with all my certbot-certificates...

After rewrite script with a simple refactoring (put all repeated code into a snipets)... When I run certbot --nginx --cert-name domain1 return this error:

Cannot find a cert or key directive in /etc/nginx/nginx.conf for set(['domain1', 'www.domain1']). VirtualHost was not modified.

It is because all the lines marked as "managed by Certbot" was grouped in one included file, snippets/ssl-domain1.conf, that repeat all time.

... So snippets file reduce pollution, reduce parsing work, and not cause "Cannot find" error.

The scripts

File /etc/nginx/nginx.conf:

....
http {
   ....   
server {
        server_name domain1;
        location / {
                proxy_pass https://heroku.com;
        }
include snippets/ssl-domain1.conf

} # end server
... many other servers ...
} # end http

File /etc/nginx/snippets/ssl-domain1.conf, to be managed by Certbot!

##
# SSL configs managed by Certbot.
#
listen 80; 
listen 443 ssl; 
ssl_certificate /etc/letsencrypt/live/domain1/fullchain.pem; 
ssl_certificate_key /etc/letsencrypt/live/domain1/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;

if ($scheme != "https") {
  return 301 https://$host$request_uri;
} 

NOTE: there are a issue #583, perhaps about similar bug... But I need solution/workaround "for now", and it is not so evident that is similar.

@erica, would you be willing to handle this?

Hi @ppKrauss! As I mentioned in #4757, you can work around this by enclosing the contents of /etc/nginx/snippets/ssl-domain1.conf in a server {} block. That is, /etc/nginx/snippets/ssl-domain1.conf should look like:

##
# SSL configs managed by Certbot.
#
server {
  listen 80; 
  listen 443 ssl; 
  ssl_certificate /etc/letsencrypt/live/domain1/fullchain.pem; 
  ssl_certificate_key /etc/letsencrypt/live/domain1/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;

  if ($scheme != "https") {
    return 301 https://$host$request_uri;
  }
}
1 Like

Or, if you need it in multiple servers, you can try moving the include /etc/nginx/snippets/ssl-domain1.conf; into each server block in the main nginx.conf.

1 Like

Just tested with this latter method, it works great! /etc/nginx/nginx.conf should look like:

....
http {
   ....   
server {
        server_name domain1;
        location / {
                proxy_pass https://heroku.com;
        }
        include snippets/ssl-domain1.conf;

} # end server

server {
        server_name www.domain1;
        location / {
                proxy_pass https://heroku.com;
        }
        include snippets/ssl-domain1.conf;

} # end server
... do the same for each server ...
} # end http

Also, since you’ve manually modified your Nginx config files, you’ll want to run certbot as one of:

  • certbot certonly --nginx --cert-name domain1
  • certbot renew
  • certbot renew --cert-name domain1

We intentionally don’t modify directives in files included in the server block, specifically because they’re often used across server blocks.

Hi @erica, thanks for all explanations and suggestions!
I was testing and, YES (!), include snippets/ssl-domain1.conf is working fine when I use it in a sites-available/ file with server declarations.

Some minor questions:

  • no problem about “cross-domain”?
    … A snippets/ssl-domain1.conf used into a sites-available/domain2
    PS: on my tests seems all fine.

  • no problem about deleting the certbot-comments?
    Comments like # managed by Certbot

no problem about "cross-domain"?
... A snippets/ssl-domain1.conf used into a sites-available/domain2
PS: on my tests seems all fine.

Should be fine as long as both domains continue to be on the cert, which they will be as long as you use certbot renew.

no problem about deleting the certbot-comments?
Comments like # managed by Certbot

In our current implementation, this is fine, as long as you use certbot renew or certbot certonly, and don't use certbot's installation functionality, accessed by running just certbot or certbot install. This could in theory change in the future though.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.