Nginx doesn't redirect after installing certbot

My domain is:
arshaddadash.ir

I ran this command:
sudo certbot certonly --redirect --standalone -d arshaddadash.ir -d www.arshaddadash.ir

It produced this output /etc/www/sites-available/arsahddadash.ir:

server{

        gzip on;
        gzip_proxied any;
        gzip_types application/javascript application/x-javascript text/css text/javascript;
        gzip_comp_level 5;
        gzip_buffers 16 8k;
        gzip_min_length 256;

        location /_next/static/ {
                alias /var/www/arshaddadash.ir/build/static/;
                expires 365d;
                access_log off;
        }

        location / {
                return 301 https://$host$request_uri;
                proxy_pass http://127.0.0.1:3001; #change to 3001 for second app, but make sure second nextjs app starts on new port in packages.json "start": "next start -p 3001",
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/arshaddadash.ir/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/arshaddadash.ir/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
        if ($host = www.arshaddadash.ir) {
                return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = arshaddadash.ir) {
                return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;
        server_name _;
        return 404; # managed by Certbot
}

My web server is (include version):
nginx 1.18.0

The operating system my web server runs on is (include version):
ubuntu 20

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
aaPanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Also, I have denied Nginx HTTP and only Nginx HTTPS is allowed. https://arshaddadash.ir, http://www.arshaddadash.ir, https://www.arshaddadash.ir are redirecting, but the only problem is with http://arshaddadash.ir, which at the moment is not redirecting.

The certonly subcommand shouldn't make changes to the nginx configuration, so I believe the --redirect option wouldn't do anything.

You're probably more interested in the enhance or install subcommand.

No they're not.

Also, using --standalone implies nothing is listening on port 80.
So, what is there to --redirect ?

That won't fix a missing redirection.

So, you have a cert that covers two names and all you need is for one of those names to redirect.
That means you must not have those two names in one vhost.

  • One of the names redirects
  • The other name does not redirect.

Please show the full nginx config, with:

nginx -T

Note: The first server block shown has no server_name entry.

4 Likes

Thank you friends,

my certbot rate limit has been reached and it's blocked until the end of today;
once freed, I will test your solutions and send the output.

1 Like

Why?

Why would Certbot be rate limited if you already have a certificate and it's just a local, "how to configure nginx" issue?

4 Likes

Thank you bro,
the --redirect flag solved the problem.

Now there is another issue here:
the server is still listening on the device IP. I want to block all the traffic that is coming to the device IP address?

1 Like

Due to over-requesting certs in a day :grinning:

now it's installed correctly

But for local webserver configuration, it is absolutely unnecessary to re-issue the certificate? Because it wasn't a certificate issue? Why would you re-issue the certificate without any reason 4 times?

3 Likes

It was just a mistake,
now it's solved.

So do you know how I could block the server's IP address in the config file?
It's still loading from the IP.

Your server is using your cert correctly and all of your redirects now look correct.

You will need to keep port 80 open so you can redirect HTTP requests and to perform the HTTP Challenge for your certificate.

But, you probably now need to change --standalone to --webroot or the --nginx method. Let us start by you showing us the result of this:

sudo certbot renew --dry-run

4 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/arshaddadash.ir.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for arshaddadash.ir
http-01 challenge for www.arshaddadash.ir
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/arshaddadash.ir/fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/arshaddadash.ir/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Is there a problem that remains?

That is an nginx configuration issue - not a certificate issue.

4 Likes

The only thing is that the server is loading from the direct IP.

What do you mean by that?

Because if you mean something like https://IPaddress "works" then yes it will connect.

But, it will be rejected by browsers as the cert won't have a matching name to the URL (which is an IP address).

If you want to catch non-SNI requests in nginx you have to set up a default server block accordingly. You start with using server_name properly, which you are not. This isn't the ideal forum to learn about basic nginx config though.

5 Likes

OK thank you a million Mike,

certbot isn't having any problem,

it's solved by adding the following lines in the nginx config file:

if ($host = "serverip")
{
   return 404;
}

1 Like
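Putting Mike's advice (a server_name on every block and a default server that catches bare-IP and non-SNI requests) together with the port-80 redirect and a webroot location for renewals, as an added example that is not the poster's configuration or anything from the thread: the app port 3001 comes from the posted config, /var/www/certbot is an assumed webroot path, and the default_server blocks replace the `if ($host = "serverip")` test from the last post.

```nginx
# 1. Port 80 for both names: serve ACME challenges, redirect the rest to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name arshaddadash.ir www.arshaddadash.ir;

    # webroot for "certbot renew" so --standalone (which needs port 80 free) is no longer required
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;   # assumed path; must match certbot's -w argument
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# 2. Port 443 for both names: proxies to the app; no "return 301" here, or every HTTPS request loops.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name arshaddadash.ir www.arshaddadash.ir;

    ssl_certificate     /etc/letsencrypt/live/arshaddadash.ir/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/arshaddadash.ir/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:3001;   # Next.js port taken from the posted config
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

# 3. Default servers: requests for the bare IP, an unknown Host header, or TLS
#    without SNI land here instead of in whichever block nginx lists first.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # nginx 1.18 still needs a certificate to accept the TLS handshake on a default server
    ssl_certificate     /etc/letsencrypt/live/arshaddadash.ir/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/arshaddadash.ir/privkey.pem;
    return 444;   # nginx-specific code: close the connection without sending a response
}
```

Validate with `nginx -t` before reloading, and confirm with `nginx -T` that no other file in the aaPanel-managed config still declares a server block without a server_name.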