Nginx serving the wrong cert

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dev.kingsy.co.uk

I ran this command: certbot certonly --webroot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): dev.kingsy.co.uk
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/dev.kingsy.co.uk.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/dev.kingsy.co.uk/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/dev.kingsy.co.uk/privkey.pem
    Your cert will expire on 2021-04-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Obviously this is a renew, the first time it executed it was just fine too.

My web server is (include version):

Nginx

The operating system my web server runs on is (include version): OpenBSD

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.5.0

If I view my cert it looks good

Certificate Name: dev.kingsy.co.uk
Serial Number: 45204f3cfeb496a8af45a1c14617dcf3b6f
Domains: dev.kingsy.co.uk
Expiry Date: 2021-04-14 13:16:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/dev.kingsy.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dev.kingsy.co.uk/privkey.pem

And the nginx config
server {
listen 80;
listen [::]:80;
server_name dev.kingsy.co.uk;
# enforce https
return 301 https://$server_name$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.kingsy.co.uk;
root /var/www/sites/dev.kingsy.co.uk;
#root /var/www/sites/holding;
error_log /var/log/nginx/dev_nginx_error.log;
access_log /var/log/nginx/dev_nginx_access.log;
index index.php

ssl_certificate /etc/letsencrypt/live/dev.kingsy.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dev.kingsy.co.uk/privkey.pem;

client_max_body_size 20M;

location / {
  try_files $uri $uri/ /index.php?$args;
  auth_basic "Administrator’s Area";
  auth_basic_user_file /etc/nginx/.htpasswd;
}


location ~ \.php$ {
    try_files $fastcgi_script_name =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

index index.php index.htm index.html;

# Prevent PHP scripts from being executed inside the uploads folder.
location ~* /app/uploads/.*.php$ {
  deny all;
}

location ~ /\.git {
    deny all;
}

}

However if you visit

dev.kingsy.co.uk

Just type any old username / password so you get forbidden, you can see the cert is for www.kingsy.co.uk not dev.kingsy.co.uk. (Both are hosted on this machine) but I am so so confused as to WHY its serving the wrong cert.

As you can see from the nginx config the path to the dev. cert is correct. Could someone offer any advice?

Thanks

1 Like
2

Hi @d3fragg3d

did you restart your nginx?

That's always required. certonly doesn't restart your nginx.

1 Like
3

I have yes. I have restarted it multiple times.
I even tried disabling the www.kingsy.co.uk domain from nginx to ensure it was not interfering in some way.

1 Like
4

So your (ok looking) config may not be used.

What says

nginx -T
1 Like
5

Yeah all good there.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

The cert is definitely different to the www.kingsy.co.uk one too.

Certificate Name: dev.kingsy.co.uk
Serial Number: 45204f3cfeb496a8af45a1c14617dcf3b6f
Domains: dev.kingsy.co.uk
Expiry Date: 2021-04-14 13:16:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/dev.kingsy.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dev.kingsy.co.uk/privkey.pem

Certificate Name: www.kingsy.co.uk
Serial Number: 37402c3d8c30c2bf7f737a34f678cb4474e
Domains: www.kingsy.co.uk
Expiry Date: 2021-02-14 09:18:49+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/www.kingsy.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.kingsy.co.uk/privkey.pem

I am totally stumped

1 Like
6

Please read my reply correct.

1 Like
7

Please show the full configuration:
nginx -T

1 Like
8

Sorry for the delay. Here we go

# configuration file /etc/nginx/nginx.conf:
user  www;
worker_processes  1;

worker_rlimit_nofile 1024;
events {
    worker_connections  800;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    keepalive_timeout  65;
    gzip  on;
    server_tokens off;

    include /etc/nginx/sites-enabled/*;
}


# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.chart                 odc;
    application/vnd.oasis.opendocument.chart-template        otc;
    application/vnd.oasis.opendocument.database              odb;
    application/vnd.oasis.opendocument.formula               odf;
    application/vnd.oasis.opendocument.formula-template      otf;
    application/vnd.oasis.opendocument.image                 odi;
    application/vnd.oasis.opendocument.image-template        oti;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.graphics-template     otg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.presentation-template otp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.spreadsheet-template  ots;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.oasis.opendocument.text-master           odm;
    application/vnd.oasis.opendocument.text-template         ott;
    application/vnd.oasis.opendocument.text-web              oth;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-ns-proxy-autoconfig                pac;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/basic                           au snd;
    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/sites-enabled/budget-waste.co.uk:
server {
    listen 80;
    listen [::]:80;
    return 404;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/budget-waste.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/budget-waste.co.uk/privkey.pem;
    return 404;
}

server {
    listen 80;
    listen [::]:80;
    server_name budget-waste.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name budget-waste.co.uk;
    root /var/www/sites/budget-waste.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/budget_waste_nginx_error.log;
    access_log  /var/log/nginx/budget_waste_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/budget-waste.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/budget-waste.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/sites-enabled/budgetaggregates.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name budgetaggregates.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name budgetaggregates.co.uk;
    root /var/www/sites/budgetaggregates.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/budgetaggregates_nginx_error.log;
    access_log  /var/log/nginx/budgetaggregates_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/budgetaggregates.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/budgetaggregates.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/budgettopsoil.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name budgettopsoil.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name budgettopsoil.co.uk;
    root /var/www/sites/budgettopsoil.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/budgettopsoil_nginx_error.log;
    access_log  /var/log/nginx/budgettopsoil_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/budgettopsoil.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/budgettopsoil.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/dev.kingsy.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name dev.kingsy.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dev.kingsy.co.uk;
    root /var/www/sites/dev.kingsy.co.uk;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/dev_nginx_error.log;
    access_log  /var/log/nginx/dev_nginx_access.log;
    index index.php

    ssl_certificate /etc/letsencrypt/live/dev.kingsy.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.kingsy.co.uk/privkey.pem;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
      auth_basic "Administrator’s Area";
      auth_basic_user_file /etc/nginx/.htpasswd;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/durhamskipservices.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name durhamskipservices.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name durhamskipservices.co.uk;
    root /var/www/sites/durhamskipservices.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/durhamskipservices.co.uk_nginx_error.log;
    access_log  /var/log/nginx/durhamskipservices.co.uk_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/durhamskipservices.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/durhamskipservices.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/edinburghskipservices.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name edinburghskipservices.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name edinburghskipservices.co.uk;
    root /var/www/sites/edinburghskipservices.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/edinburghskipservices.co.uk_nginx_error.log;
    access_log  /var/log/nginx/edinburghskipservices.co.uk_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/edinburghskipservices.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/edinburghskipservices.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/expresswastesolutions.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name expresswastesolutions.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name expresswastesolutions.co.uk;
    root /var/www/sites/expresswastesolutions.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/expresswastesolutions.co.uk_nginx_error.log;
    access_log  /var/log/nginx/expresswastesolutions.co.uk_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/expresswastesolutions.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/expresswastesolutions.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/greenfieldtopsoil.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name greenfieldtopsoil.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name greenfieldtopsoil.co.uk;
    root /var/www/sites/greenfieldtopsoil.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/greenfieldtopsoil.co.uk_nginx_error.log;
    access_log  /var/log/nginx/greenfieldtopsoil.co.uk_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/greenfieldtopsoil.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/greenfieldtopsoil.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/hls-uk.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name hls-uk.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name hls-uk.co.uk;
    root /var/www/sites/hls-uk.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/hls-uk.co.uk_nginx_error.log;
    access_log  /var/log/nginx/hls-uk.co.uk_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/hls-uk.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hls-uk.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/mail:
server {
    listen 80;
    listen [::]:80;
    server_name mail.kingsy.co.uk;

    # Commend and uncomment to renew SSL
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mail.kingsy.co.uk;
    root /var/www/roundcubemail/public_html;
    error_log   /var/log/nginx/mail.log;
    access_log  /var/log/nginx/mail.log;

    ssl_certificate /etc/letsencrypt/live/mail.kingsy.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.kingsy.co.uk/privkey.pem;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}


# configuration file /etc/nginx/sites-enabled/rubbishremovalgateshead.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name rubbishremovalgateshead.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rubbishremovalgateshead.co.uk;
    root /var/www/sites/rubbishremovalgateshead.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/rubbishremovalgateshead_nginx_error.log;
    access_log  /var/log/nginx/rubbishremovalgateshead_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/rubbishremovalgateshead.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rubbishremovalgateshead.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/skip-hire-gateshead.co.uk:
server {
    listen 80;
    listen [::]:80;
    server_name skip-hire-gateshead.co.uk;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name skip-hire-gateshead.co.uk;
    root /var/www/sites/skip-hire-gateshead.co.uk/web;
    #root /var/www/sites/holding;
    error_log   /var/log/nginx/skip-hire-gateshead_nginx_error.log;
    access_log  /var/log/nginx/skip-hire-gateshead_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/skip-hire-gateshead.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/skip-hire-gateshead.co.uk/privkey.pem;

    #allow 86.25.200.26;
    #deny  all;

    client_max_body_size 20M;

    location / {
      try_files $uri $uri/ /index.php?$args;
    }


    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    index index.php index.htm index.html;

    # Prevent PHP scripts from being executed inside the uploads folder.
    location ~* /app/uploads/.*.php$ {
      deny all;
    }

    location ~ /\.git {
        deny all;
    }
}

# configuration file /etc/nginx/sites-enabled/www.kingsy.co.uk:
upstream nodejs_upstream {
    server 127.0.0.1:3000;
    keepalive 64;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.kingsy.co.uk;
    root /var/www/sites/kingsy.co.uk;
    error_log   /var/log/nginx/kingsy_nginx_error.log;
    access_log  /var/log/nginx/kingsy_nginx_access.log;

    ssl_certificate /etc/letsencrypt/live/www.kingsy.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.kingsy.co.uk/privkey.pem;

    client_max_body_size 20M;

    location / {
    	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    	proxy_set_header Host $http_host;

    	proxy_http_version 1.1;
    	proxy_set_header Upgrade $http_upgrade;
    	proxy_set_header Connection "upgrade";

    	proxy_pass http://nodejs_upstream/;
    	proxy_redirect off;
    	proxy_read_timeout 240s;
    }

}
1 Like
9

For legibility, please edit the post above and add three backticks above and below it.
Like:

```
your post
your post
your post
```

1 Like
10

Apologies for that, done

2 Likes
11

I can't find anything wrong with the config...

That only leaves one thing: nginx is having "issues".
At your earliest convenience, I would stop nginx and check to see if any nginx processes are still running. If so, that could explain what is going on here.
You would have to kill those remaining processes and then restart nginx.

1 Like
12

ok will do,
I could also remove ALL other websites from the config and leave only dev.kingsy.co.uk perhaps and try again?

1 Like
13

No that won't fix a "stray" process.

1 Like
14

Simple 3-step test:
ps -ef | grep nginx
systemctl stop nginx
ps -ef | grep nginx

If you still see any nginx, then we found the problem.
[you should see them only before the stop]

1 Like
15

Interesting!!!
So after stopping nginx, removing all other config

nginx -t now says

kingsy# nginx -t
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/dev.kingsy.co.uk:9
nginx: configuration file /etc/nginx/nginx.conf test failed

1 Like
16

Lets have a look at that "missing" file:
ls -l /etc/letsencrypt/live/dev.kingsy.co.uk/fullchain.pem
cat /etc/letsencrypt/live/dev.kingsy.co.uk/fullchain.pem

and
cat /etc/nginx/sites-enabled/dev.kingsy.co.uk

1 Like
17

OH NO!!!!!!
It was a missing semi colon.....

    index index.php

    ssl_certificate /etc/letsencrypt/live/dev.kingsy.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.kingsy.co.uk/privkey.pem;

WHY in the world wouldnt nginx -t flag that before I stopped it?

Thats so so annoying. :smiley: :smiley:

2 Likes
18

Now it works - https://dev.kingsy.co.uk/ has a certificate.

1 Like
19

Agreed.
With a missing semi-colon, it should NOT have passed the test.
[false positive]

1 Like
20

I am gutted, so sorry to waste both of your time. but I was really really stuck with that.

I very much appreciate your fast responses and ultimately helping out with an issue that wasn't related to lets encrypt.

Amazing thanks so much.

2 Likes