Problem to create ssl cert on nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: odisseo.io

I ran this command:

  1. create a directory /etc/letsencrypt
  2. cd /etc
  3. cd letsencrypt
     sudo wget https://dl.eff.org/certbot-auto
     sudo chmod a+x certbot-auto
     cd
     cd
then I stopped all services
sudo /etc/letsencrypt/certbot-auto --nginx
It produced this output:
Congratulations! You have successfully enabled https://odisseo.io

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=odisseo.io


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/odisseo.io/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/odisseo.io/privkey.pem
    Your cert will expire on 2019-01-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the "certonly" option. To non-interactively renew all
    of your certificates, run "certbot-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

**then when I go to set up the default_ssl.vhost file adding these two lines
ssl_certificate "/etc/letsencrypt/live/odisseo.io/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/odisseo.io/privkey.pem";
and I restart nginx it returns two permission errors, fopen I can't read file **

For me it is the first time and my head is on fire …

this is the file default_ssl.vhost
server {
    listen 443 ssl;
    #listen [::]:443 ssl;
    server_name _;
    include /jet/etc/nginx/conf.d/document_root.settings;

    #ssl_certificate "/jet/etc/pki/tls/certs/www.crt";
    #ssl_certificate_key "/jet/etc/pki/tls/private/www.key";

    ssl_certificate /etc/letsencrypt/live/odisseo.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/odisseo.io/privkey.pem;

    # ssl params
    #ssl_session_cache shared:SSL:1m;
    #ssl_session_timeout  10m;
    #ssl_ciphers PROFILE=SYSTEM;
    #ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /jet/etc/nginx/conf.d/*.inc;
    include /jet/etc/nginx/sites-enabled/*;
}

My web server is (include version): Google Cloud Platform, Compute Engine, http://jetware.io/appliances/jetware/lemp7_optimized_g2-170723/profile

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @RickyIta68

There is a running nginx server, and the https version has a self-signed certificate.

So it looks like your domain uses an individual server configuration, not the default configuration.

Check these two directories

if there is a configuration file with

server_name odisseo.io

and add the certificate files there.

Hi Jurgen, thanks for the reply …
Now I will take a look at all the configuration files and I will also post the exact wording of the error as reported on the console. I am sorry, when I wrote yesterday I was very tired and I posted everything very quickly. I will try to be more precise in the description.

this is the exact error when I run the command: $ nginx -s reload

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/odisseo.io/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/odisseo.io/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)

I also tried to give, through sudo chmod, permission 600 to the private key and 644 to the public key, but the error reappears identical.

Maybe I'm missing something in the configuration.

Hi @RickyIta68,

You should not modify the perms inside /etc/letsencrypt/, instead reload nginx as root or using sudo:

sudo nginx -s reload

Cheers,
sahsanu

thanks, I tried now with sudo nginx -s reload and I now have this error:
nginx: [alert] kill(28794, 1) failed (3: No such process)

Restart nginx:

sudo service nginx restart

or

sudo systemctl restart nginx

I did it but nginx seems to be capricious:

sudo service nginx restart
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

$ sudo systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

You should use the two commands to know what is the error preventing nginx to start:

sudo systemctl status nginx.service

sudo journalctl -xe

thanks Sahsanu ...
I did it ...
sudo systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2018-10-17 20:22:00 UTC; 11min ago
     Docs: man:nginx(8)
  Process: 25833 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=1/FAILURE)
  Process: 12993 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
  Process: 12991 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 24524 (code=killed, signal=KILL)

Oct 17 20:21:58 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Oct 17 20:21:59 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Oct 17 20:21:59 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Oct 17 20:21:59 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Oct 17 20:21:59 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Oct 17 20:22:00 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] still could not bind()
Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: nginx.service: Control process exited, code=exited status=1
Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: nginx.service: Unit entered failed state.
Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: nginx.service: Failed with result 'exit-code'.

with the second command: sudo journalctl -xe
I received a very long text result;
there are some red lines:

Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: Failed to start A high performance web server and a reverse proxy server.

Oct 17 20:21:11 lemp7-optimized-g2-1-vm systemd[1]: Failed to start A high performance web server and a reverse proxy server.

Oct 17 17:37:34 lemp7-optimized-g2-1-vm sshd[11809]: error: maximum authentication attempts exceeded for root from 109.173.19.23 port 39365 ssh2 [preauth]

There is something already listening on port 443, maybe it is nginx itself or another service:

sudo netstat -ptan | grep :443

or

sudo ss -tlpn | cat | grep :443

But maybe the fast solution is to restart your server.

sudo ss -tlpn | cat | grep :443
LISTEN 0 128 *:443 : users:(("nginx",pid=3520,fd=8),("nginx",pid=3518,fd=8))

So for some reason nginx is not stopping, you could kill the nginx processes or restart your server.

sudo killall nginx

or

sudo kill 3520 3518

If the processes don't die, force the kill

sudo killall -s KILL nginx

or

sudo kill -9 3520 3518

restart
/jet/etc/init/exim: not running (no pid-file)
/jet/etc/init/nginx: not running (no pid-file)
/jet/etc/init/exim: start error
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/odisseo.io/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/odisseo.io/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
/jet/etc/init/nginx: start error

sudo nginx -s reload is ok
but with nginx -s reload
nginx: [error] open() "/jet/run/nginx/nginx.pid" failed (2: No such file or directory)

I didn't see that you are using something called jetware, I've no idea how you should start/stop these services, you should read the docs to do that. Also, for some reason your services are not starting as root, they are in a jail (chroot) or are doing something more, but whatever the reason is, the services are not starting because they can't access the files inside /etc/letsencrypt/live/odisseo.io/, so either you check the reason your jetware services can't access those files, or you can manually copy the cert (fullchain.pem and privkey.pem) (as root) to a path that jetware can access (I suppose inside the /jet/ dir) and modify nginx and exim to use that path.

Great, I understand, I will try tomorrow, I'm really melted now :blush: thank you very much

I hope you can get it up and running soon. Anyway, I see there is an appliance including Let's Encrypt http://jetware.io/appliances/jetware/lemp7_optimized_ssl_le so maybe you should take a look at that.

thank you , yes, I will give a look


Hi,

As I said, the problem is that you are using jetware and the services are started as a normal user inside an isolated environment created by jetware, so nginx can't access the /etc/letsencrypt/live/ dir to read the cert and privkey for your domain; you could copy them inside the jet env.

1.- Create a dir where you will save the fullchain.pem and privkey.pem files.

mkdir /jet/prs/le/

2.- Copy the files using sudo:

sudo cp /etc/letsencrypt/live/odisseo.io/fullchain.pem /jet/prs/le/
sudo cp /etc/letsencrypt/live/odisseo.io/privkey.pem /jet/prs/le/

3.- Now change the perms and owner of these files (replace the word user with your real user and group with the real group for your user):

sudo chmod 600 /jet/prs/le/*.pem
sudo chown user:group /jet/prs/le/*.pem

4.- Modify the nginx conf file default_ssl.vhost and replace the path in ssl directives:

This:

  ssl_certificate /etc/letsencrypt/live/odisseo.io/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/odisseo.io/privkey.pem;

Should be replaced by this:

  ssl_certificate /jet/prs/le/fullchain.pem;
  ssl_certificate_key /jet/prs/le/privkey.pem;

5.- Reload nginx using /jet/enter command

/jet/enter reload nginx

The problem is that you should create a script to perform these steps automatically and modify the renewal conf for your domain so certbot-auto can renew your cert, copy the files to the jetware env and reload nginx automatically, or, as I commented in another post, use the jetware appliance that includes the Let's Encrypt package, it should be easier…

Good luck,
sahsanu
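One way to automate steps 1 to 5 above as the renewal script sahsanu mentions, written here as an added example and not taken from the thread or from jetware: a certbot deploy hook, registered with `certbot-auto renew --deploy-hook /path/to/this-script.sh` or dropped into /etc/letsencrypt/renewal-hooks/deploy/. It assumes the /jet/prs/le directory, the `user`/`group` placeholders and the `/jet/enter reload nginx` command from the steps above; RENEWED_LINEAGE and RENEWED_DOMAINS are the environment variables certbot sets when it runs a deploy hook.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that copies the
# renewed fullchain.pem/privkey.pem from $RENEWED_LINEAGE (for this thread,
# /etc/letsencrypt/live/odisseo.io) into the directory the jetware nginx can
# read, restricts the key to its owner, then reloads nginx via /jet/enter.
# DEST, JET_USER, JET_GROUP and RELOAD_CMD are assumed placeholders.
set -eu

DEST="${DEST:-/jet/prs/le}"
JET_USER="${JET_USER:-user}"
JET_GROUP="${JET_GROUP:-group}"
RELOAD_CMD="${RELOAD_CMD:-/jet/enter reload nginx}"

# install_certs LINEAGE_DIR DEST_DIR OWNER GROUP
# Copies each PEM to a temp file in DEST_DIR and renames it into place, so a
# concurrent nginx reload never reads a half-written key. Both files end up
# mode 600 owned by OWNER:GROUP (the key must not be world-readable).
# Returns 1 without touching DEST_DIR if a source file is unreadable.
install_certs() {
    lineage="$1"; dest="$2"; owner="$3"; group="$4"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "install_certs: cannot read $lineage/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dest"
    chown "$owner:$group" "$dest"
    chmod 700 "$dest"
    for f in fullchain.pem privkey.pem; do
        tmp="$dest/.$f.tmp"
        cp "$lineage/$f" "$tmp"
        chown "$owner:$group" "$tmp"
        chmod 600 "$tmp"
        mv -f "$tmp" "$dest/$f"
    done
}

# Only act when certbot invoked us as a deploy hook; sourcing the file for
# its function, or running it by hand without RENEWED_LINEAGE, does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "$DEST" "$JET_USER" "$JET_GROUP"
    $RELOAD_CMD   # word-split on purpose: "/jet/enter reload nginx"
    echo "deploy hook: installed cert for ${RENEWED_DOMAINS:-?} into $DEST"
fi
```

Run it once by hand as root with `RENEWED_LINEAGE=/etc/letsencrypt/live/odisseo.io sh this-script.sh` to check the copy and the reload before relying on the automatic renewal.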