Nginx reverse proxy, Certs ok?

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: certbot certonly --webroot -w /var/www/html/ -d

It produced this output:
lrwxrwxrwx 1 root root 37 Nov 1 09:23 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root 38 Nov 1 09:23 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root 42 Nov 1 09:23 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root 40 Nov 1 09:23 privkey.pem -> ../../archive/

My operating system is (include version): Debian 8

My web server is (include version): nginx version: nginx/1.6.2

My hosting provider, if applicable, is: Private, nginx,

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No, Linux


Today I've tried to encrypt my git server with SSL. But I don't get it.

I used this:

certbot certonly --webroot -w /var/www/html/ -d

At this point I configured my nginx reverse proxy for SSL.

server {
    # if you wish, you can use the below line for listen instead
    # which enables HTTP/2
    # requires nginx version >= 1.9.5
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    # Turn on OCSP stapling as recommended at
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;
    # Uncomment this line only after testing in browsers,
    # as it commits you to continuing to serve your site over HTTPS
    # in future
    # add_header Strict-Transport-Security "max-age=31536000";
    access_log /var/log/nginx/sub.log combined;
    # maintain the .well-known directory alias for renewals
    location /.well-known {
        alias /var/www/html/.well-known;
    }
    location / {
        # proxy commands go here as in your port 80 configuration
        rewrite /git(.*) /$1  break;
        proxy_set_header   Host $host;
        proxy_redirect     off;
    }
}

(https - Lets Encrypt with an nginx reverse proxy - Server Fault)

When I try to start nginx, a failure appears.
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed

Is it normal that the output from all the files is empty!? Is my certificate ok?

root@srvreverse:/etc/letsencrypt/live/ clear
root@srvreverse:/etc/letsencrypt/live/ cat
cert.pem chain.pem fullchain.pem privkey.pem
root@srvreverse:/etc/letsencrypt/live/ cat cert.pem
root@srvreverse:/etc/letsencrypt/live/ cat chain.pem
root@srvreverse:/etc/letsencrypt/live/ cat fullchain.pem
root@srvreverse:/etc/letsencrypt/live/ cat privkey.pem

Thank you!

The short answer is no, the files shouldn’t be empty.

The files in /etc/letsencrypt/live/ should be symlinks, pointing to the latest certs, which should be in /etc/letsencrypt/archive/

I thought so… in the archive the files are also empty.
Is it possible to renew the certificates? When I run the command that I used again, I get this message:

If you are “renewing” certs - where are the existing ones you are using?

Did something empty the files? Were they ok?

As they are now empty though (and hence fairly useless), I’d be tempted to delete them and start again, obtaining new certificates.

I created the certs today; they have never worked… At the moment I don't use GitLab with certs.

I'll try to delete them and start the procedure again! Thank you for your reply!

It’s working fine now. Thank you serverco!
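
An added example, not part of the thread or of certbot: a shell check for the symptom discussed above. It verifies that each of the four files in a live/ directory is a symlink resolving to a non-empty file with a PEM start line, which is what nginx's "no start line" error says is missing. The function names, the example.test lineage and the placeholder PEM body are constructed for illustration.

```shell
#!/bin/sh
# check_live_dir DIR: inspect the four files certbot links into live/<name>/.
# Prints one line per problem; returns 0 only if every file passes.
check_live_dir() {
    dir=$1
    rc=0
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        f="$dir/$name"
        if [ ! -L "$f" ]; then
            echo "$name: not a symlink"; rc=1; continue
        fi
        if [ ! -e "$f" ]; then
            echo "$name: dangling symlink -> $(readlink "$f")"; rc=1; continue
        fi
        if [ ! -s "$f" ]; then
            echo "$name: target is empty (0 bytes)"; rc=1; continue
        fi
        # "no start line" from nginx/OpenSSL means no PEM header was found.
        if ! grep -q -e '-----BEGIN ' "$f"; then
            echo "$name: no PEM start line"; rc=1
        fi
    done
    return $rc
}

# Constructed sample data: builds ROOT/archive/example.test and
# ROOT/live/example.test with relative symlinks like those in the listing above.
# MODE "empty" reproduces the thread's symptom; anything else writes a
# placeholder PEM body (not a real certificate or key).
make_sample_lineage() {
    root=$1
    mode=$2
    mkdir -p "$root/archive/example.test" "$root/live/example.test"
    for base in cert chain fullchain privkey; do
        target="$root/archive/example.test/${base}1.pem"
        if [ "$mode" = empty ]; then
            : > "$target"
        else
            printf '%s\n' '-----BEGIN PLACEHOLDER-----' 'AAAA' \
                '-----END PLACEHOLDER-----' > "$target"
        fi
        ln -sf "../../archive/example.test/${base}1.pem" \
            "$root/live/example.test/$base.pem"
    done
}

# Usage on a real host (as root): check_live_dir /etc/letsencrypt/live/<your-domain>
```

A clean result only shows the files are present and PEM-shaped; `nginx -t` remains the test that the configured paths load.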
