Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
[root@localhost ~]# nginx -t
It produced this output:
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/site.com.conf:7
nginx: configuration file /etc/nginx/nginx.conf test failed
My web server is (include version):
The operating system my web server runs on is (include version):
centos 7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
The server configuration file (site.com.conf) was created manually by me. I edited or created this file in the '/etc/nginx/conf.d/' directory on my server.
In that case, I have limited experience, so I kindly request specific advice and commands to execute on the server. This will help me better understand and implement the necessary changes.
You mention a certbot version, so I assume it's installed: did you already get a certificate? Or do you still need to get one?
Is there a specific reason you already made the TLS server block without a certificate? Are you following a specific guide for example? Or any other reason?
Are you comfortable with Certbot handling the generation of the TLS server block?
I had Certbot installed previously, but I had to remove it. I then reinstalled it. However, I encountered an issue: when I have the listen 443 ssl http2; block, I can't start Nginx with these settings, and therefore, I can't create a certificate.
No, I didn't intentionally create a TLS server block without a certificate. I didn't follow any specific guide, and I didn't take any specific actions to block this capability.
I can't specify a particular reason for creating the TLS server block without a certificate. I probably did it by mistake or without any specific reason.
I'm not confident that I'm an experienced Certbot user, and I need help with setting up an SSL certificate.
Certbot can set up the TLS (port 443) server block for you.
My advice would be to remove the port 443 (with the listen 443 ssl http2 part) and keep the port 80 server block. When doing so, you also need to remove the return 301 https://site.com$request_uri; from the port 80 server block: it's added later again by certbot.
You will need to add all the relevant stuff like the location directives to your port 80 server block: certbot should copy them over to the port 443 ssl server block when certbot generates it, using the port 80 server block as a template.
When you have a running nginx on port 80 again, you can run sudo certbot --nginx, should be able to get a certificate and it should be installed into nginx automatically.
I hope all those location statements don't mess up the nginx authenticator, but you should try it now. 50/50 it works out of the box like that, but there's also a chance you might need to make a specific override for the /.well-known/acme-challenge/ location.
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for site.com and www.site.com
Performing the following challenges:
http-01 challenge for site.com
http-01 challenge for www.site.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/site.com.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/site.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/site.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/site.com.conf
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/site.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/site.com/privkey.pem
Your certificate will expire on 2023-11-29. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew all of your certificates, run "certbot renew"
If you like Certbot, please consider supporting our work by:
[root@localhost ~]# nginx -t
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/site.com.conf:8
nginx: configuration file /etc/nginx/nginx.conf test failed
[root@localhost ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Seems to be working partly from my end: the request for http://recipe.org.ua/ was redirected to https://recipe.org.ua/ and the latter has a Let's Encrypt certificate issued just seconds ago.
You might want to check the nginx configuration again, especially the newly generated port 443 ssl server block to see what Certbot made of it.
At least the /admin/ section requires HTTP authentication like the nginx configuration would suggest. So that makes me believe Certbot actually copied over the directives from the HTTP to the HTTPS server block.
Was your site even running properly on HTTP before you got the certificate?
For all my websites, I have a configuration like this:
ssl_certificate /etc/letsencrypt/live/recipe.org.ua/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/recipe.org.ua/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
"Previously, each website had its own configuration... Did I do something wrong?"
Please clarify the question, I didn't understand. I lack sufficient knowledge in this matter.
ssl_certificate /etc/letsencrypt/live/site2.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/site2.com/privkey.pem; # managed by Certbot
now
ssl_certificate /etc/letsencrypt/live/recipe.org.ua/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/recipe.org.ua/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
It would be weird for all websites to have that specific certificate set up, as your certificate is only for recipe.org.ua and www.recipe.org.ua. Not any other website.
Hm, that shouldn't have happened. If you requested a cert for just the recipe.org.ua site, Certbot should leave the other websites alone, unless those were somehow misconfigured in their server_name directive?
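Added example (not part of any post in this thread, and not Certbot's or nginx's own code): a small Python audit for the two conditions discussed above, a "listen ... ssl" server block with no ssl_certificate, and a server block whose certificate under /etc/letsencrypt/live/ does not match its server_name. The sample configuration is constructed, the function names are hypothetical, and the lineage-name comparison is a heuristic that assumes the lineage directory is named after the site.

```python
import re

# Constructed sample configuration, not the poster's real files.
SAMPLE = """
server {
    listen 443 ssl http2;
    server_name site2.com www.site2.com;
    ssl_certificate /etc/letsencrypt/live/recipe.org.ua/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/recipe.org.ua/privkey.pem;
}
server {
    listen 443 ssl http2;   # no ssl_certificate: nginx -t fails with [emerg]
    server_name site.com;
    location / { return 200; }
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, matching nested braces."""
    conf = re.sub(r"#[^\n]*", "", conf)              # strip comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return (server_names, problem) pairs; only directives inside the block are seen."""
    findings = []
    for body in server_blocks(conf):
        m = re.search(r"^\s*server_name\s+([^;]+);", body, re.M)
        names = m.group(1).split() if m else []
        tls = re.search(r"^\s*listen\s+[^;]*\bssl\b", body, re.M)
        cert = re.search(r"^\s*ssl_certificate\s+(\S+)\s*;", body, re.M)
        if tls and not cert:
            findings.append((names, "listen ssl without ssl_certificate"))
        elif cert:
            # Heuristic (assumption): lineage directory is named after the site.
            lin = re.search(r"/live/([^/]+)/", cert.group(1))
            if lin and not any(n == lin[1] or n.endswith("." + lin[1]) for n in names):
                findings.append((names, "cert lineage " + lin[1] + " not in server_name"))
    return findings

if __name__ == "__main__":
    for names, problem in audit(SAMPLE):
        print(" ".join(names), "->", problem)
```

A flagged lineage mismatch is a prompt to inspect the certificate's actual names, since a certificate can cover more names than its directory suggests.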