New Ubuntu Doesn't have /etc/ssl/fullchain.pem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: moria.cozyhobbit.com

I ran this command: sudo certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

2024/08/25 22:57:11 [emerg] 5361#5361: cannot load certificate "/etc/ssl/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/ssl/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\n2024/08/25 22:57:11 [emerg] 5361#5361: cannot load certificate "/etc/ssl/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/ssl/fullchain.pem, r) error:10000080:BIO routines::no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')

My web server is (include version): nginx 1.24

The operating system my web server runs on is (include version): Ubuntu 24.04

My hosting provider, if applicable, is: Linode - not applicable

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0

Welcome to the community @satcomjimmy

Certbot and the --nginx plugin require a working nginx install. But, it looks like yours fails due to a missing ssl_certificate file. You can't reference files in nginx that don't exist.

Do you know where in your nginx config you listed that file? Have you tried to configure an HTTPS (port 443) server block before you got any certs?

What does this show?

sudo nginx -t
4 Likes

Hi guys! (and gals)
This is an issue

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Of course there is going to be a problem loading the page!

2 Likes

Thanks!
So am I in a chicken/egg scenario? The app instructions say I need a cert to install nginx, but nginx is needed to get the Let's Encrypt cert. Sorry to say I am not good at nginx yet either, so I have not done anything special on the nginx config. I ended up running the install and then retrying certbot.
nginx -t gives me this:
2024/08/26 22:54:57 [emerg] 18020#18020: cannot load certificate "/etc/ssl/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/ssl/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

1 Like

Hi @Rip, thanks. I thought that was open automatically after installing nginx, but I assume I need something running to listen on port 80?

2 Likes

There shouldn't be any instructions saying that Certbot installs nginx.

Using Certbot --nginx requires an nginx server to already be working and able to handle HTTP requests on port 80.

Once Certbot --nginx is used to get a cert (by satisfying the HTTP Challenge) it will create a server block within nginx for HTTPS on port 443.

3 Likes

Yes, because their nginx is broken due to referring to a cert file that does not exist! :)

3 Likes

What does this show?

sudo nginx -T
1 Like

Hi @satcomjimmy looks like Mike is on the job here.
Don't assume anything. Your nginx has to serve port 80 before anything else happens.
I am not an nginx expert but I see some replying...

3 Likes

Thanks guys, I'll work on nginx and go back to certbot

2 Likes

Nothing with a broken config, sadly.

2 Likes

Before you disappear and make a bunch of changes, please provide info based on Mike's and Rudy's responses... You will save a lot of time and anguish. Trust me. (Take a leap.)

2 Likes

So, where is this being loaded?:

2 Likes

Would have to manually review starting at nginx.conf and chase all the include

3 Likes
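One way to do that chase mechanically, as an added example that is not part of any post in this thread: a POSIX shell script that starts at nginx.conf, follows every include directive (globs included) the way nginx does, and reports each ssl_certificate / ssl_certificate_key path that does not exist on disk. The function names, the prefix argument (defaulting to /etc/nginx, the Debian/Ubuntu layout, used to resolve relative include and certificate paths) and the output format are my own choices, not anything nginx or Certbot provides.

```shell
#!/bin/sh
# Added example, not from the thread. Walk an nginx config tree and list
# every ssl_certificate / ssl_certificate_key path that is not readable.
# Assumptions: config files use one directive per line (as the Debian
# defaults do), and relative paths resolve against $prefix (/etc/nginx).

# Print $1 and every config file reachable from it through `include`
# directives. Relative includes are resolved against $2; globs expand
# exactly as nginx expands them. Missing files are silently skipped.
nginx_config_files() {
    local file=$1 prefix=$2 inc path
    [ -f "$file" ] || return 0
    printf '%s\n' "$file"
    # strip trailing comments, then take the argument of each include
    awk '{ sub(/#.*/, "") }
         $1 == "include" { p = $2; gsub(/[";]/, "", p); print p }' "$file" |
    while IFS= read -r inc; do
        case $inc in /*) ;; *) inc="$prefix/$inc" ;; esac
        for path in $inc; do            # unquoted on purpose: glob expansion
            nginx_config_files "$path" "$prefix"
        done
    done
}

# Usage: nginx_missing_cert_files <nginx.conf> [prefix]
# Prints "file:line directive path" for every ssl_certificate or
# ssl_certificate_key whose file cannot be read, and returns 1 if there
# were any; returns 0 (and prints nothing) when every path is readable.
nginx_missing_cert_files() {
    local root=$1 prefix=${2:-/etc/nginx} f lineno directive path missing
    missing=$(
        nginx_config_files "$root" "$prefix" |
        while IFS= read -r f; do
            awk '{ sub(/#.*/, "") }
                 $1 ~ /^ssl_certificate(_key)?$/ {
                     p = $2; gsub(/[";]/, "", p); print NR "|" $1 "|" p
                 }' "$f" |
            while IFS='|' read -r lineno directive path; do
                case $path in /*) ;; *) path="$prefix/$path" ;; esac
                [ -r "$path" ] || printf '%s:%s %s %s\n' "$f" "$lineno" "$directive" "$path"
            done
        done
    )
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# Run against the file given on the command line, e.g.
#   sudo sh find-missing-certs.sh /etc/nginx/nginx.conf
[ $# -eq 0 ] || nginx_missing_cert_files "$@"
```

Run it as root: private keys live in directories such as /etc/ssl/private that an unprivileged user cannot read, so the -r check would otherwise report keys as missing when they are merely protected. On the config posted further down in this thread it flags at least /etc/ssl/fullchain.pem in sites-enabled/moria.cozyhobbit.com, the same file nginx -t stops at; nginx aborts at the first unloadable certificate, whereas this walk reports every missing path in one pass.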

So if you are comfortable with the configuration GREAT..
I would recommend that you share the config with us, since we are now involved, and let us (no, really, including me in this case) help you resolve this efficiently and quickly.
My 2 ¢

2 Likes

Lol, comfortable with nginx? Not yet.

user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml applic>

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

show these files too

3 Likes

Default:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}

moria.cozyhobbit.com:

server {
    listen 80;
    server_name moria.cozyhobbit.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name moria.cozyhobbit.com;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_timeout 1d;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY13>

    # Comment this in if you know what you are doing
    # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    add_header Referrer-Policy same-origin;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # If you have the fileserver too, then you have to add your fileserver URL e.g. https://fs01.example.com as connect-src too:
    add_header Content-Security-Policy "default-src 'none';  manifest-src 'self'; connect-src 'self' https://static.psono.com http>

    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;

    client_max_body_size 256m;

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml appli>

    root /var/www/html;
    location ~* \.(?:ico|css|js|gif|jpe?g|png|eot|woff|woff2|ttf|svg|otf)$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_hide_header Content-Security-Policy;

        proxy_pass          http://localhost:10200;
        proxy_redirect      http://localhost:10200 https://moria.cozyhobbit.com;
    }


    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_hide_header Content-Security-Policy;

        proxy_pass          http://localhost:10200;
        proxy_read_timeout  90;

        proxy_redirect      http://localhost:10200 https://moria.cozyhobbit.com;
    }
}

sudo systemctl status nginx

× nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Mon 2024-08-26 00:42:39 UTC; 22h ago
       Docs: man:nginx(8)
    Process: 872 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
        CPU: 11ms

Aug 26 00:42:38 moria.cozyhobbit.com systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...
Aug 26 00:42:38 moria.cozyhobbit.com nginx[872]: 2024/08/26 00:42:38 [emerg] 872#872: cannot load certificate "/etc/ssl/fullchain.pem": BIO_new_file() failed (SSL:>
Aug 26 00:42:38 moria.cozyhobbit.com nginx[872]: nginx: configuration file /etc/nginx/nginx.conf test failed
Aug 26 00:42:39 moria.cozyhobbit.com systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Aug 26 00:42:39 moria.cozyhobbit.com systemd[1]: nginx.service: Failed with result 'exit-code'.
Aug 26 00:42:39 moria.cozyhobbit.com systemd[1]: Failed to start nginx.service - A high performance web server and a reverse proxy server.

What instructions did you follow to create that config file?

I am inclined to suggest switching to certbot certonly --webroot method with --deploy-hook to reload nginx. But, would like more background. Besides, heading out for a bit now anyway.

3 Likes

Hi Mike! Yeah but we are all learning here ;@)
What about the ports?

There is a "how to".

2 Likes