Nginx reverse proxy, Certs ok?


#1

Please fill out the fields below so we can help you better.

My domain is: nextsw.ch

I ran this command: certbot certonly --webroot -w /var/www/html/ -d git.nextsw.ch

It produced this output:
lrwxrwxrwx 1 root root 37 Nov 1 09:23 cert.pem -> ../../archive/git.nextsw.ch/cert1.pem
lrwxrwxrwx 1 root root 38 Nov 1 09:23 chain.pem -> ../../archive/git.nextsw.ch/chain1.pem
lrwxrwxrwx 1 root root 42 Nov 1 09:23 fullchain.pem -> ../../archive/git.nextsw.ch/fullchain1.pem
lrwxrwxrwx 1 root root 40 Nov 1 09:23 privkey.pem -> ../../archive/git.nextsw.ch/privkey1.pem

My operating system is (include version): Debian 8

My web server is (include version): nginx version: nginx/1.6.2

My hosting provider, if applicable, is: Private, nginx,

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No, Linux

Hello

Today I’ve tried to encrypt my git server with SSL. But I don’t get it.

I used this: https://certbot.eff.org/all-instructions/#debian-8-jessie-nginx

certbot certonly --webroot -w /var/www/html/ -d gitlab.nextsw.ch

At this point I configured my nginx reverse proxy for SSL.

server {
    # if you wish, you can use the below line for listen instead
    # which enables HTTP/2
    # requires nginx version >= 1.9.5
    listen 443 ssl;

    server_name git.nextsw.ch;
    ssl_certificate     /etc/letsencrypt/live/git.nextsw.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.nextsw.ch/privkey.pem;

    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;

    # Uncomment this line only after testing in browsers,
    # as it commits you to continuing to serve your site over HTTPS
    # in future
    # add_header Strict-Transport-Security "max-age=31536000";

    access_log /var/log/nginx/sub.log combined;

    # maintain the .well-known directory alias for renewals
    # (certbot --webroot -w /var/www/html/ writes the challenge files here)
    location /.well-known {
        alias /var/www/html/.well-known;
    }

    location / {
        # proxy commands go here as in your port 80 configuration
        # strip a leading /git before handing the request to the backend
        rewrite /git(.*) /$1 break;
        proxy_pass         http://192.168.1.220;
        proxy_set_header   Host $host;
        proxy_redirect     off;
    }
}
(http://serverfault.com/questions/768509/lets-encrypt-with-an-nginx-reverse-proxy/784940)

When I try to start nginx, a failure appears.
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/git.nextsw.ch/fullchain.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed

Is it normal that the output from all the files is empty? Is my certificate OK?

root@srvreverse:/etc/letsencrypt/live/git.nextsw.ch# clear
root@srvreverse:/etc/letsencrypt/live/git.nextsw.ch# cat
cert.pem chain.pem fullchain.pem privkey.pem
root@srvreverse:/etc/letsencrypt/live/git.nextsw.ch# cat cert.pem
root@srvreverse:/etc/letsencrypt/live/git.nextsw.ch# cat chain.pem
root@srvreverse:/etc/letsencrypt/live/git.nextsw.ch# cat fullchain.pem
root@srvreverse:/etc/letsencrypt/live/git.nextsw.ch# cat privkey.pem

Thank you!


#2

The short answer is no, the files shouldn’t be empty.

The files in /etc/letsencrypt/live/git.nextsw.ch should be symlinks pointing to the latest certs, which should be in /etc/letsencrypt/archive/git.nextsw.ch/.
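A quick way to verify the layout described above before pointing nginx at the files. This is an added example, not code from the thread or from certbot: it walks the four standard file names certbot writes under live/<domain>/, follows each symlink, and reports dangling links, empty files (the symptom in this thread) and files with no PEM "-----BEGIN" line (the case behind nginx's "no start line" error). The make_fixture helper builds a throw-away directory tree with constructed placeholder PEM bodies so the checks can be exercised offline; the domain example.test and the defect names "good", "empty" and "dangling" are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check the files certbot
# leaves under /etc/letsencrypt/live/<domain>/ before pointing nginx at them.
# Assumptions: the standard certbot file names, and that each live/ entry is a
# symlink into ../../archive/<domain>/.
# Usage: check_live_dir /etc/letsencrypt/live/git.nextsw.ch

# Return 0 if $1 exists, is non-empty and contains a PEM "-----BEGIN" header;
# otherwise print why and return 1.
check_pem_file() {
    f="$1"
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo "DANGLING  $f -> $(readlink "$f")"; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "MISSING   $f"; return 1
    fi
    if [ ! -s "$f" ]; then
        echo "EMPTY     $f"; return 1      # the symptom reported in this thread
    fi
    if ! grep -q -- '-----BEGIN' "$f"; then
        echo "NOT-PEM   $f"; return 1      # nginx reports this as "no start line"
    fi
    echo "OK        $f -> $(readlink -f "$f")"
    return 0
}

# Check all four files certbot writes; the return value is the number of
# files that failed (0 means nginx has something it can load).
check_live_dir() {
    dir="$1"; bad=0
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        check_pem_file "$dir/$name" || bad=$((bad + 1))
    done
    return "$bad"
}

# Build a temporary tree that mimics certbot's archive/ + live/ layout with
# constructed placeholder PEM bodies, inject the defect named by $1
# ("good", "empty" or "dangling"), and print the path of the live/ directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/example.test" "$root/live/example.test"
    for n in cert chain fullchain privkey; do
        case "$n" in privkey) kind="PRIVATE KEY";; *) kind="CERTIFICATE";; esac
        # Constructed placeholder body; a real file carries base64 DER here.
        printf -- '-----BEGIN %s-----\nMIIC...constructed...\n-----END %s-----\n' \
            "$kind" "$kind" > "$root/archive/example.test/${n}1.pem"
        ln -s "../../archive/example.test/${n}1.pem" "$root/live/example.test/$n.pem"
    done
    case "$1" in
        empty)    : > "$root/archive/example.test/fullchain1.pem" ;;
        dangling) rm "$root/archive/example.test/privkey1.pem" ;;
    esac
    echo "$root/live/example.test"
}
```

Run check_live_dir against the real live/ directory as root; an EMPTY or NOT-PEM line on fullchain.pem is exactly the state that produces the PEM_read_bio_X509_AUX error quoted in the first post, and the fix is to obtain a fresh certificate rather than to edit the nginx config.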


#3

I thought so… In the archive the files are also empty.
Is it possible to renew the certificates? When I run the command that I used before again, I get this message:


#4

If you are “renewing” certs, where are the existing ones you are using?

Did something empty the files? Were they OK?

As they are now empty (and hence fairly useless), I’d be tempted to delete them and start again, obtaining new certificates.


#5

I created the certs today; they have never worked… At the moment I don’t use GitLab with certs.

I’ll try to delete them and start the procedure again! Thank you for your reply!


#6

It’s working fine now. Thank you serverco!
