IMPORTANT NOTES: - We were unable to install your certificate, however, we successfully restored your server to its prior configuration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: businessmarketingstudio.com

I ran this command: sudo certbot --authenticator webroot --webroot-path /var/www/businessmarketingstudio --installer nginx -d businessmarketingstudio.com -d www.businessmarketingstudio.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/www.businessmarketingstudio.com.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/businessmarketingstudio for set([‘www.businessmarketingstudio.com’, ‘businessmarketingstudio.com’])
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/businessmarketingstudio for set([‘www.businessmarketingstudio.com’, ‘businessmarketingstudio.com’])
nginx: [emerg] “ssl_dhparam” directive is duplicate in /etc/nginx/sites-enabled/businessmarketingstudio:78
Rolling back to previous server configuration…
nginx restart failed:

IMPORTANT NOTES:

  • We were unable to install your certificate, however, we
    successfully restored your server to its prior configuration.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.businessmarketingstudio.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.businessmarketingstudio.com/privkey.pem
    Your cert will expire on 2018-04-12. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

My web server is (include version): nginx version: nginx/1.10.3

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have this configuration on my Digital Ocean domain:

Also, I can attach the nginx conf if needed.

Please do. :slightly_smiling_face:

Specifically /etc/nginx/sites-enabled/businessmarketingstudio, or nginx -T to print the entire configuration.

Here it is: https://pastebin.com/rH0NqvdW

Odd. It doesn’t specify ssl_dhparam or include anything.

What’s in Certbot’s /etc/letsencrypt/options-ssl-nginx.conf?

/var/log/letsencrypt/letsencrypt.log may also have more information about what Certbot was trying to do.

https://pastebin.com/9th57dQp this is for /etc/letsencrypt/options-ssl-nginx.conf

https://pastebin.com/9QJ4YQw2 and the second thing you requested

Seems /etc/letsencrypt/options-ssl-nginx.conf includes one ssl_dhparam setting (line 26)...

...but Certbot tries to add a second one to the server block (line 44).

I guess the quickest fix is to remove the one in /etc/letsencrypt/options-ssl-nginx.conf.

You could replace /etc/letsencrypt/ssl-dhparams.pem with a copy of /etc/ssl/certs/dhparam.pem to get the same effect.

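Added example, not from the thread participants or from Certbot: a small checker for the situation diagnosed above, where a directive arrives once through an `include` and once directly in the same `server` block. The helper name `find_duplicates` and the file contents are constructed for illustration; it assumes literal include paths (no globs) and no quoted strings.

```python
import re

# Constructed sample files: paths are the ones named in the thread, contents are illustrative.
SAMPLE = {
    "/etc/nginx/sites-enabled/businessmarketingstudio": """\
server {
    listen 443 ssl;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
""",
    "/etc/letsencrypt/options-ssl-nginx.conf": """\
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
""",
}

# Simplified tokenizer: comments, braces, semicolons, newlines, bare words (no quoted strings).
TOKEN = re.compile(r"#[^\n]*|[{};]|\n|[^\s{};#]+")

def find_duplicates(files, entry, names=("ssl_dhparam",)):
    """Return {directive: [(file, line), ...]} for directives set twice in one block."""
    dups, stack = {}, [{}]            # stack holds one {directive: origins} per open block
    def walk(path):
        line, words = 1, []
        for tok in TOKEN.findall(files[path]):
            if tok == "\n":
                line += 1
            elif tok.startswith("#"):
                continue
            elif tok == "{":
                stack.append({})      # new block: directives inside get their own scope
                words = []            # drop the block header (e.g. "server")
            elif tok == "}":
                stack.pop()
            elif tok != ";":
                words.append((tok, line))
            else:                     # ";" ends a simple directive
                name = words[0][0] if words else ""
                if name == "include" and len(words) > 1 and words[1][0] in files:
                    walk(words[1][0]) # literal include: contents land in the current block
                elif name in names:
                    seen = stack[-1].setdefault(name, [])
                    seen.append((path, words[0][1]))
                    if len(seen) > 1:
                        dups[name] = seen
                words = []
    walk(entry)
    return dups
```

Each reported origin is a (file, line) pair, so the result shows which of the two `ssl_dhparam` lines comes from the included file and which from the server block itself.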

Thank you very much. This solved my issue.

I have the same issue, or at least the same error message. Can you please break down the solution? Not sure which file to edit and what to add/remove?

@ameenaziz You should remove the line which starts with ssl_dhparam in /etc/letsencrypt/options-ssl-nginx.conf.

@Zoddo ssl_dhparam doesn’t exist in my /etc/letsencrypt/options-ssl-nginx.conf?
