It thought getting an SSL certificate to secure a Linux (CentOS 7) VPS running an NGINX web server to server a Wordpress self hosted site on a subdomain (A record) would be a 10 minute thing. No go. The SSL certificate gets issued successfully, but my site gets completely broken when CertBot modifies my NGINX configuration files. So I’ve had to remove all the Certbot modifications to my NGINX config files so my site gets back to functioning properly.
I find the documentation on getting Let’s Encrypt SSL certificates to work outside of the very basic TLD domain on a standard stand alone Apache server quite lacking.
Note: My TLD runs on a completely different server and I don’t want that old server and old web site touched. I’m building a new web site using a subdomain (A record) and I need to put that new site on a new/different LInux server and encrypt the traffic to and from that new server(the A record points to the new server).
I thought this SSL certification issuance and configuration with the new site would be straight forward and quick, but Let’s Encrypt seems to be designed around very strict configurations that in my case, does not apply (though I’d think what I’m doing is very common).
Can someone point to very detailed (I’m very detailed, I mean proven step-by-step instructions) to get an NGINX web server(serves Wordpress application) running on Linux CentOS 7 working with a A record subdomain? I’m using Certbot on NGINX. Thanks in advance. Appreciated.
No. I do research for a living. I’ve built $B networks over 25 years (building advanced communications and computer systems is what I do). There is nothing on that site you generally reference (now detailed documentation in the tech industry is a big issue, but that’s a separate topic) that addresses my specific configuration with step-by-step instructions (please read my note carefully if you want to help). Please, if this information for my specific configuration is there (and I know it’s not, I’ve spent the last week researching this), please send the link and I’ll stand corrected.
Thanks for your help and time. Greatly appreciated.
No (I’ve seen that post years ago, it’s not what I’m doing here). You’re wasting my & other peoples time. I’m not asking you how to turn up an NGINX server. I can turn up NGINX servers in my sleep.
My post here specifically asks how to get the SSL certificates issues by Let’s Encrypt working with my NGINX server serving Wordpress using a subdomain (A record). Please stay off this string if you don’t have the full specific instructions to get my working server configuration secured with a Let’s Encrypt SSL certificate.
Thanks for your help and time. Greatly appreciated.
I’ve also seen and researched the instructions in that most recent article you just sent (thanks, you’re getting closer, but my setup is more involved that that article addresses).
That article makes the assumption that the TLD and the subdomains are on the same Linux/NGINX server. Those instructions don’t work in my setup (I’ve researched it thoroughly). If you use these instructions on my setup, my site breaks for both https and http (I explained the details in my original post). Also, having Wordpress CMS involved makes things more complex than that article addresses.
I need a set of instructions where the NGINX server (serving Wordpress CMS) that needs to be secured with the SSL certificate using a subdomain (via an A record) is separate. I don’t want the old server (with the TLD) touched.
You should simply run Certbot only on the server that hosts the subdomain.
If running Certbot with --nginx breaks your nginx configuration, that is probably a bug in Certbot which you're welcome to work with us to document and resolve.
As a workaround, you can run certbot certonly -a nginx which will obtain the certificate and save it in /etc/letsencrypt/livewithout attempting to install the certificate in your nginx configuration. At that point, you can edit your nginx configuration yourself to install the certificate and ensure that the changes don't cause your site to break.
Certbot's nginx installer is probably the most advanced tool of its kind for this purpose (attempting to edit nginx configurations to install certificates for you), unless you count control panels which offer similar functionality but often assume that you're using the control panel for all of your web server administration tasks. However, it's not perfect and may not yet be compatible with some nginx configurations. Users who run into problems can help us improve Certbot by sharing their logs and nginx config files so that we can figure out what Certbot got confused about. People on this forum who had trouble with our nginx installer have already helped us to identify and fix a number of bugs.
All of the other Let's Encrypt clients (as well as certbot certonly) will simply obtain a certificate as a set of PEM files, which you'll then have to edit your server configuration yourself in order to make use of. (There are lots of tutorials and lots of documentation about how to do that.)
You’re getting closer to my original question with regards to getting an SSL certificate to work on my new server/site using a subdomain. The standard Certbot scenario (addressed in those instructions you sent) won’t work for my new site that I’m using a subdomain (A record). I need to secure this new site with an SSL certificate.
Your suggestions are probably in the right direction, but now I’m going to have to go into trail and error mode (using the scientific method) and try out different controlled experiments until I determine what works for my configuration. I was hoping someone else with have the solution properly documented in detail, given I’m sure someone out there has already run into this before, as my configuration should be a fairly common scenario.
People use certbot --nginx every day to obtain certificates related to subdomains. They simply run it on the server that the subdomain is pointed to. If they need to specify a particular name, they add -d subdomain.example.com after --nginx. Certbot runs on the server that the subdomain is pointed to and obtains a certificate for the requested name, then attempts to install it by modifying the nginx configuration.
If this process then breaks their site, that is a bug in Certbot that we need more details in order to be able to fix.
There’s no difference from Certbot’s point of view between running on the example.com server (obtaining a certificate for example.com) and running on the subdomain.example.com server (obtaining a certificate for subdomain.example.com). The status of the name as a base domain or a subdomain isn’t relevant to what Certbot is doing or its ability to obtain or install a certificate.
Understand what you’re saying. I hear you. I thought the points you’re making would in fact be the case going into all this.
Those Certbot client instructions for NGINX don’t work for my configuration using a subdomain. The certificate installs successfully on my new NGINX server site, but unfortunately, this said site that worked a couple minutes before in unsecured mode, after Certbot installs the certificate on the server and edits the NGINX config files, that said same site is then rendered completely useless for both https://sub.domain.com and http://sub.domain.com
I’ll let you determine if it’s a bug, but there’s definitely something wrong(or not accounted for) specific to my configuration. My site works 100% unsecured.
What info do you all need from me to help you, help me figure this out? So I don’t need to play systems developer (which my clients don’t pay me for, nor should they) until I figure out a solution. (which can takes weeks, I just went through similar issues with a phone system and a computer server where I debugged issues with my vendors equipment they either didn’t know about or were pretending not to now about, and that took weeks).
Associated nginx configuration files that were modified by Certbot (perhaps grep -r certbot /etc/nginx will identify them), and ideally all of the configuration files in /etc/nginx
Sorry. Maybe I’m missing it. How do I sent this private and confidential information you’re requesting to you directly? I don’t want it on a public community site.
New users can’t send private messages on the forum, but I started a private message thread with you so you could use that. Or you can use my forum username @eff.org.
The main things you can provide to help the forum help you:
Your domain name. This will wind up in the public Certificate Transparency logs upon successful issuance, so this is not confidential information. 90% of the time, a forum member can diagnose a problem immediately once they know the domain name.
Certbot version. This is not confidential information: All versions of Certbot are publicly known.
Flags you ran Certbot with.
How your site broke after using Certbot. For instance, did you get a connection refused error? Did you get a certificate error? Did the page load, but with missing styles or JavaScript?