My NGINX script, at /etc/nginx/nginx.conf, is an unusual "all in one file" script, with all servers there. But it was working fine (!) with all my certbot certificates...
After rewriting the script with a simple refactoring (putting all repeated code into snippets), when I run certbot --nginx --cert-name domain1 it returns this error:
Cannot find a cert or key directive in /etc/nginx/nginx.conf for set(['domain1', 'www.domain1']). VirtualHost was not modified.
It is because all the lines marked as "managed by Certbot" were grouped in one included file, snippets/ssl-domain1.conf, that repeats all the time.
... So a snippets file reduces pollution, reduces parsing work, and does not cause the "Cannot find" error.
The scripts
File /etc/nginx/nginx.conf:
....
http {
    ....
    server {
        server_name domain1;
        location / {
            proxy_pass https://heroku.com;
        }
        include snippets/ssl-domain1.conf;
    } # end server
    ... many other servers ...
} # end http
File /etc/nginx/snippets/ssl-domain1.conf, to be managed by Certbot!
##
# SSL configs managed by Certbot.
#
listen 80;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/domain1/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain1/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
if ($scheme != "https") {
    return 301 https://$host$request_uri;
}
NOTE: there is an issue #583, perhaps about a similar bug... But I need a solution/workaround "for now", and it is not so evident that it is similar.
Hi @ppKrauss! As I mentioned in #4757, you can work around this by enclosing the contents of /etc/nginx/snippets/ssl-domain1.conf in a server {} block. That is, /etc/nginx/snippets/ssl-domain1.conf should look like:
##
# SSL configs managed by Certbot.
#
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/domain1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain1/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}
Or, if you need it in multiple servers, you can try moving the include /etc/nginx/snippets/ssl-domain1.conf; into each server block in the main nginx.conf.
Just tested with this latter method, it works great! /etc/nginx/nginx.conf should look like:
....
http {
    ....
    server {
        server_name domain1;
        location / {
            proxy_pass https://heroku.com;
        }
        include snippets/ssl-domain1.conf;
    } # end server
    server {
        server_name www.domain1;
        location / {
            proxy_pass https://heroku.com;
        }
        include snippets/ssl-domain1.conf;
    } # end server
    ... do the same for each server ...
} # end http
Hi @erica, thanks for all explanations and suggestions!
I was testing and, YES (!), include snippets/ssl-domain1.conf is working fine when I use it in a sites-available/ file with server declarations.
Some minor questions:
No problem about “cross-domain”? … A snippets/ssl-domain1.conf used in a sites-available/domain2. PS: in my tests all seems fine.
No problem about deleting the certbot comments? Comments like # managed by Certbot
no problem about "cross-domain"?
... A snippets/ssl-domain1.conf used into a sites-available/domain2
PS: on my tests seems all fine.
Should be fine as long as both domains continue to be on the cert, which they will be as long as you use certbot renew.
no problem about deleting the certbot-comments?
Comments like # managed by Certbot
In our current implementation, this is fine, as long as you use certbot renew or certbot certonly, and don't use certbot's installation functionality, accessed by running just certbot or certbot install. This could in theory change in the future though.
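An added example, not part of the thread and not Certbot's own code: a minimal Python sketch that lists, for each certificate file, which server_name values rely on it and which file actually holds the ssl_certificate line. It shows which server blocks get their certificate only through an include, and which names the shared certificate has to keep covering. The sample files, the domain2 certificate path and the helper names are constructed for illustration; include globs and '#' inside quoted strings are not handled.

```python
import re

FILES = {  # constructed sample mirroring this thread; keys are include paths as written
    "nginx.conf": """
http {
    server { server_name domain1;     include snippets/ssl-domain1.conf; } # end server
    server { server_name www.domain1; include snippets/ssl-domain1.conf; }
    server { server_name domain2; ssl_certificate /etc/letsencrypt/live/domain2/fullchain.pem; }
}""",
    "snippets/ssl-domain1.conf": """
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/domain1/fullchain.pem; # managed by Certbot
if ($scheme != "https") { return 301 https://$host$request_uri; }
""",
}

def tokens(text):
    # Simplification: '#' always starts a comment (no '#' inside quoted strings).
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))

def walk(path, files, servers, cur=None):
    """Collect server blocks, following includes. cur is the enclosing server block;
    it is None inside http, location or if blocks, so only direct children count."""
    stack, words = [], []
    for tok in tokens(files[path]):
        if tok == "{":
            stack.append(cur)
            cur = {"names": [], "cert": None, "defined_in": None} if words == ["server"] else None
            if cur is not None:
                servers.append(cur)
        elif tok == "}":
            cur = stack.pop()
        elif tok == ";" and words[:1] == ["include"] and words[1:2] and words[1] in files:
            walk(words[1], files, servers, cur)  # snippet lines belong to the same server
        elif tok == ";" and cur is not None and words[:1] == ["server_name"]:
            cur["names"] += words[1:]
        elif tok == ";" and cur is not None and words[:1] == ["ssl_certificate"]:
            cur["cert"], cur["defined_in"] = words[1], path
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return servers

def names_per_cert(root="nginx.conf", files=FILES):
    """certificate path -> [(server_name, file holding its ssl_certificate line)]"""
    out = {}
    for s in walk(root, files, []):
        if s["cert"]:
            out.setdefault(s["cert"], []).extend((n, s["defined_in"]) for n in s["names"])
    return out
```

Comparing the names listed for each certificate with the output of certbot certificates shows whether every server block sharing a snippet is still on that cert.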