Nginx doesnt redirect after installing certbot

My domain is:
arshaddadash.ir

I ran this command:
sudo certbot certonly --redirect --standalone -d arshaddadash.ir -d www.arshaddadash.ir

It produced this output /etc/www/sites-available/arsahddadash.ir:

server{

        gzip on;
        gzip_proxied any;
        gzip_types application/javascript application/x-javascript text/css text/javascript;
        gzip_comp_level 5;
        gzip_buffers 16 8k;
        gzip_min_length 256;

        location /_next/static/ {
                alias /var/www/arshaddadash.ir/build/static/;
                expires 365d;
                access_log off;
        }

        location / {
		return 301 https://$host$request_uri;
                proxy_pass http://127.0.0.1:3001; #change to 3001 for second app, but make sure second nextjs app starts on new port in packages.json "start": "next start -p 3001",
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/arshaddadash.ir/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/arshaddadash.ir/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
        if ($host = www.arshaddadash.ir) {
                return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = arshaddadash.ir) {
                return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;
        server_name _;
        return 404; # managed by Certbot
}

My web server is (include version):
nginx 1.18.0

The operating system my web server runs on is (include version):
ubuntu 20

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
aaPanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Also, i have denied Nginx HTTP and only Nginx HTTPS is allowed. https://arshaddadash.ir, http://www.arshaddadash.ir, https://www.arshaddadash.ir are redirecting but the only problems is with http://arshaddadash.ir at the moment that is not redirecting.

The certonly subcommand shouldn't make changes to the nginx configuration, so I believe the --redirect option wouldn't do anything.

You're probably more interested in the enhance or install subcommand.

No they're not.

Also, using --standalone implies nothing is listening on port 80.
So, what is there to --redirect ?

That won't fix a missing redirection.

So, you have a cert that covers two names and all you need is for one of those names to redirect.
That means you must not have those two names in one vhost.

  • One of the names redirects
  • The other name does not redirect.

Please show the full nginx config, with:

nginx -T

Note: The first server block shown has no server_name entry.

4 Likes

thank you friends,

my certbot limitation has reached and it's blocked until the end of today,
once freed, I will test your solutions and send the output

1 Like

Why?

Why would Certbot be rate limited if you already have a certificate and it's just a local, "how to configure nginx" issue?

4 Likes

Thank you bro,
the --redirect flag solved the problem,

now there is another issue here,
the server is still listening in the device ip, I want to block all the traffic that is coming to the device Ip address?

1 Like

due to over requesting of certs in a day :grinning:

now it's installed correctly

But for local webserver configuration, it is absolutely unnecessary to re-issue the certificate? Because it wasn't a certificate issue? Why would you re-issue the certificate without any reason 4 times?

3 Likes

it was just a mistake,
now it's solved.

so do you know how could I block the server's ip address in the config file.
it's still loading from the ip

Your server is using your cert correctly and all of your redirects now look correct.

You will need to keep port 80 open so you can redirect HTTP requests and to perform the HTTP Challenge for your certificate.

But, you probably now need to change --standalone to --webroot or --nginx method. Let us start by you showing us result of this?

sudo certbot renew --dry-run
4 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/arshaddadash.ir.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for arshaddadash.ir
http-01 challenge for www.arshaddadash.ir
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/arshaddadash.ir/fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/arshaddadash.ir/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Is there a problem that remains?

That is an nginx configuration issue - not a certificate issue.

4 Likes

the only thing is that the server is loading from direct ip.

What do you mean by that?

Because if you mean something like https://IPaddress "works" then yes it will connect.

But, it will be rejected by browsers as the cert won't have a matching name to the URL (which is an IP address).

If you want to catch non-SNI requests in nginx you have to setup a default server block accordingly. You start with using server_name properly which you are not. This isn't the ideal forum to learn about basic nginx config though.

5 Likes

OK thank you a million Mike,

certbot isn't having any problem,

it's solved by adding the following lines in the nginx config file:

if ($host = "serverip")
{
   return 404;
}
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.