Nginx exiting because he can't find privkey and fullchain, but they exist

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.posology-api.com
I ran this command:

It produced this output:

My web server is (include version):
Nginx:latest
The operating system my web server runs on is (include version):
Ubuntu 22 EC2
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.32.2

So I created standalone certificates since, as it seems, you need to have a PhD in something to be able to get a bloody certificate for your domain; I still don't know why this is so complicated. I've got the files, they're located properly in /etc/letsencrypt/live/mydomain.com, I double checked that, and my docker-compose and nginx.conf are properly configured too, but once I bring my application up, nginx cries about how it can't find the files that exist. Does anyone have a simple solution/fix for this?

That contradicts:

I would think the problem is within the complexity of your setup.
Which seems to...

I would simplify it wherever possible.

I'm not sure how you got to where you are.
But I'm pretty sure neither LE nor certbot put you on that road.

3 Likes
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/posology-api.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/posology-api.com/privkey.pem
This certificate expires on 2023-05-03.
2023/02/02 23:54:11 [emerg] 7#7: cannot load certificate "/etc/letsencrypt/live/posology-api.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/posology-api.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx                 | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/posology-api.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/posology-api.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Nginx.conf

events {
    worker_connections 768;
    multi_accept       on;
}

http {

    large_client_header_buffers 16 5120k;
    fastcgi_read_timeout 900;
    proxy_read_timeout 900;
    proxy_connect_timeout 900;
    proxy_send_timeout 900;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    proxy_buffer_size   128k;
    proxy_buffers   4 256k;
    proxy_busy_buffers_size   256k;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;

    proxy_http_version      1.1;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_set_header        Host $http_host;
    proxy_intercept_errors  on;

    server {

        client_max_body_size 250M;
        listen 80;
        server_name posology-api.com;

        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {

        client_max_body_size 250M;
        listen 443 ssl;
        server_name posology-api.com;

        ssl_certificate /etc/letsencrypt/live/posology-api.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/posology-api.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    }
}

docker-compose

version: "3.8"
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./data/certbot/conf:/etc/letsencrypt/
      - ./data/certbot/www:/var/www/certbot/
    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
    ports:
      - 80:80
      - 443:443
    networks:
      - net
  certbot:
    image: certbot/certbot:latest
    depends_on:
      - nginx
    container_name: certbot
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt/
      - ./data/certbot/www:/var/www/certbot/
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

Could it be a permission issue? It's a fresh EC2 machine, and I haven't messed with the pem file permissions at all...

Anything is possible at this point...

Can you list those files from within the nginx container?

3 Likes

Try these:

docker exec -it nginx ls -l /etc/letsencrypt/
docker exec -it nginx ls -l /etc/letsencrypt/live/posology-api.com/
3 Likes
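The two `ls` commands above are the right first check, because the compose file only bind-mounts `./data/certbot/conf` to `/etc/letsencrypt` inside the container; anything certbot wrote to the host's own `/etc/letsencrypt/live` is invisible to nginx. A second common cause of the same "No such file" error is copying only `live/`: certbot's `live/<domain>/*.pem` files are symlinks into `../../archive/<domain>/`, so without `archive/` they dangle. The POSIX shell check below is an added example (not code from the thread, from certbot, or from nginx) that distinguishes missing, dangling and unreadable certificate files for a given Let's Encrypt directory and domain. The fixture builder, the `example.test` domain and the directory names are constructed for the demo; `check_le_paths` itself can be pointed at `./data/certbot/conf` on the host or at `/etc/letsencrypt` via `docker exec`.

```shell
#!/bin/sh
# Added example: verify that the files nginx will open under
# <le_dir>/live/<domain>/ really resolve, following certbot's symlink layout.
# Usage: check_le_paths <le_dir> <domain>   (returns 0 only if both files are usable)
check_le_paths() {
    le_dir="$1"
    domain="$2"
    rc=0
    for f in fullchain.pem privkey.pem; do
        p="$le_dir/live/$domain/$f"
        if [ -L "$p" ] && [ ! -e "$p" ]; then
            # Symlink present but its target is not: live/ copied without archive/
            echo "DANGLING: $p -> $(readlink "$p")"
            rc=1
        elif [ ! -e "$p" ]; then
            # Nothing at that path at all: wrong directory or not mounted
            echo "MISSING: $p"
            rc=1
        elif [ ! -r "$p" ]; then
            # File exists but the current user cannot read it
            echo "UNREADABLE: $p ($(ls -l "$p"))"
            rc=1
        else
            echo "OK: $p"
        fi
    done
    return $rc
}

# Constructed fixture (not a real certificate directory) mimicking certbot's layout:
# live/<domain>/fullchain.pem -> ../../archive/<domain>/fullchain1.pem, etc.
# mode "good" creates archive/ too; mode "dangling" creates only the symlinks.
make_fixture() {
    dir="$1"
    domain="$2"
    mode="$3"
    mkdir -p "$dir/live/$domain"
    for f in fullchain.pem privkey.pem; do
        ln -s "../../archive/$domain/${f%.pem}1.pem" "$dir/live/$domain/$f"
    done
    if [ "$mode" = "good" ]; then
        mkdir -p "$dir/archive/$domain"
        # Placeholder contents only; no real key material is generated here
        echo "-----BEGIN CERTIFICATE-----" > "$dir/archive/$domain/fullchain1.pem"
        echo "-----BEGIN PRIVATE KEY-----" > "$dir/archive/$domain/privkey1.pem"
        chmod 600 "$dir/archive/$domain/privkey1.pem"
    fi
}

# Stand-alone demo on two constructed fixtures: a complete layout and a
# live/-only copy. Against a deployment, run e.g.:
#   check_le_paths ./data/certbot/conf posology-api.com
demo() {
    t=$(mktemp -d)
    make_fixture "$t/complete" example.test good
    make_fixture "$t/liveonly" example.test dangling
    check_le_paths "$t/complete" example.test
    check_le_paths "$t/liveonly" example.test
    rm -rf "$t"
}
demo
```

Run it inside the container with `docker exec nginx sh -s < check.sh` (the file name is an assumption) to see exactly what nginx sees; an `OK` for both files inside the container but a startup error still pointing at those paths would then point at the config, not the mount.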

Sorry for the late reply, I managed to solve it. I did use that init-letsencrypt.sh script everyone says is wrong, but when I cloned that guy's repo and executed the script, it went through, and I just copied the 'data' folder to my project, ran docker-compose up, and my app is now up on https. Thank you for your time mate :slight_smile:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.