Nginx reverse proxy, Certs ok?


Please fill out the fields below so we can help you better.

My domain is:

I ran this command: certbot certonly --webroot -w /var/www/html/ -d

It produced this output:
lrwxrwxrwx 1 root root 37 Nov 1 09:23 cert.pem -> …/…/archive/
lrwxrwxrwx 1 root root 38 Nov 1 09:23 chain.pem -> …/…/archive/
lrwxrwxrwx 1 root root 42 Nov 1 09:23 fullchain.pem -> …/…/archive/
lrwxrwxrwx 1 root root 40 Nov 1 09:23 privkey.pem -> …/…/archive/

My operating system is (include version): Debian 8

My web server is (include version): nginx version: nginx/1.6.2

My hosting provider, if applicable, is: Private, nginx,

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No, Linux


Today I’ve tried to encrypt my git server with SSL. But I don’t get it.

I used this:

certbot certonly --webroot -w /var/www/html/ -d

At this point I configured my nginx reverse proxy for SSL.

server {
    # if you wish, you can use the below line for listen instead
    # which enables HTTP/2
    # requires nginx version >= 1.9.5
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    # Turn on OCSP stapling as recommended at
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;
    # Uncomment this line only after testing in browsers,
    # as it commits you to continuing to serve your site over HTTPS
    # in future
    # add_header Strict-Transport-Security "max-age=31536000";
    access_log /var/log/nginx/sub.log combined;
    # maintain the .well-known directory alias for renewals
    location /.well-known {
        alias /var/www/html/.well-known;
    }
    location / {
        # proxy commands go here as in your port 80 configuration
        rewrite /git(.*) /$1  break;
        proxy_set_header   Host $host;
        proxy_redirect     off;
    }
}


When I try to start nginx, a failure appears.
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed

Is it normal that the output from all the files is empty!? Is my certificate ok?

root@srvreverse:/etc/letsencrypt/live/ clear
root@srvreverse:/etc/letsencrypt/live/ cat
cert.pem chain.pem fullchain.pem privkey.pem
root@srvreverse:/etc/letsencrypt/live/ cat cert.pem
root@srvreverse:/etc/letsencrypt/live/ cat chain.pem
root@srvreverse:/etc/letsencrypt/live/ cat fullchain.pem
root@srvreverse:/etc/letsencrypt/live/ cat privkey.pem

Thank you!


The short answer is no, the files shouldn’t be empty.

The files in /etc/letsencrypt/live/ should be symlinks, pointing to the latest certs, which should be in /etc/letsencrypt/archive/
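
The check this answer implies, written out as an added example that is not part of the original thread: every file in the live directory should resolve through its symlink to a non-empty PEM file, otherwise nginx fails with the "no start line" error shown above. The function names and the fixture layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a certbot "live" directory
# before pointing nginx's ssl_certificate / ssl_certificate_key at it.

# check_pem FILE LABEL: succeed only if FILE resolves, is non-empty and has a
# "-----BEGIN ...LABEL-----" line (the "start line" nginx complained about).
check_pem() {
    f=$1; want=$2
    if [ ! -e "$f" ]; then echo "MISSING $f (absent or dangling symlink)"; return 1; fi
    if [ ! -s "$f" ]; then echo "EMPTY   $f"; return 1; fi
    if ! grep -q -e "^-----BEGIN .*${want}-----" "$f"; then
        echo "NOT PEM $f (no BEGIN $want line)"; return 1
    fi
    echo "OK      $f"
}

# check_live_dir DIR: check the four files certbot writes; non-zero if any fail.
check_live_dir() {
    dir=$1; bad=0
    for pair in cert.pem:CERTIFICATE chain.pem:CERTIFICATE \
                fullchain.pem:CERTIFICATE "privkey.pem:PRIVATE KEY"; do
        check_pem "$dir/${pair%%:*}" "${pair#*:}" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# make_fixture DIR BODY: constructed test layout, live/*.pem -> ../archive/*1.pem.
# BODY is placeholder text between the PEM markers; empty BODY writes empty files.
make_fixture() {
    mkdir -p "$1/archive" "$1/live"
    for n in cert:CERTIFICATE chain:CERTIFICATE fullchain:CERTIFICATE "privkey:PRIVATE KEY"; do
        name=${n%%:*}; label=${n#*:}
        : > "$1/archive/${name}1.pem"
        [ -z "$2" ] || printf '%s\n%s\n%s\n' "-----BEGIN $label-----" "$2" \
            "-----END $label-----" > "$1/archive/${name}1.pem"
        ln -sf "../archive/${name}1.pem" "$1/live/$name.pem"
    done
}

# Demo on constructed data: reproduce the thread's state (symlinks to empty files).
tmp=$(mktemp -d)
make_fixture "$tmp/broken" ""
check_live_dir "$tmp/broken/live" || echo "=> files unusable; nginx -t would fail"
rm -rf "$tmp"
```

On a real host, point `check_live_dir` at the domain's directory under /etc/letsencrypt/live/ before running `nginx -t`.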


I thought so… in the archive the files are also empty.
Is it possible to renew the certificates? When I run the command that I used again, I get this message:


If you are “renewing” certs, where are the existing ones you are using?

Did something empty the files? Were they OK?

As they are now empty though (and hence fairly useless), I’d be tempted to delete them and start again, obtaining new certificates.


I created the certs today; they have never worked… At the moment I don’t use GitLab with certs.

I’ll try to delete them and start the procedure again! Thank you for your reply!


It’s working fine now. Thank you serverco!

