Problem to create ssl cert on nginx

RickyIta68 · October 16, 2018, 8:36pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: odisseo.io

I ran this command:

create a directory
/etc/letsencrypt
cd /etc
cd letsencrypt
sudo wget https://dl.eff.org/certbot-auto

sudo chmod a+x certbot-auto

cd
cd
then I stopped all service
sudo /etc/letsencrypt/certbot-auto --nginx
It produced this output:
Congratulations! You have successfully enabled https://odisseo.io

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=odisseo.io

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/odisseo.io/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/odisseo.io/privkey.pem
Your cert will expire on 2019-01-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the “certonly” option. To non-interactively renew all
of your certificates, run “certbot-auto renew”
If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

**then when i go I go to set up the deafult_ssl.vhost file adding this two line
ssl_certificate “/etc/letsencrypt/live/odisseo.io/fullchain.pem”;
ssl_certificate_key “/etc/letsencrypt/live/odisseo.io/privkey.pem”;
and I restart nginx it return two permission errors, fopen I cant read file **

For me is the first time and my head is on fire …

this is the file deafult_ssl.vhost
server {
listen 443 ssl;
#listen [::]:443 ssl;
server_name _;
include /jet/etc/nginx/conf.d/document_root.settings;

 #   ssl_certificate "/jet/etc/pki/tls/certs/www.crt";
  #  ssl_certificate_key "/jet/etc/pki/tls/private/www.key";


  
  ssl_certificate /etc/letsencrypt/live/odisseo.io/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/odisseo.io/privkey.pem;	
  
  
# ssl params

    #ssl_session_cache shared:SSL:1m;
    #ssl_session_timeout  10m;
    #ssl_ciphers PROFILE=SYSTEM;
    #ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /jet/etc/nginx/conf.d/*.inc;
    include /jet/etc/nginx/sites-enabled/*;

}

My web server is (include version): Google Cloud Platform, Compute Engine , http://jetware.io/appliances/jetware/lemp7_optimized_g2-170723/profile

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

JuergenAuer · October 16, 2018, 9:17pm

Hi @RickyIta68

there is a running nginx-server. And the https - version has a self signed certificate.

So it looks that your domain uses an individual server configuration, not the default configuration.

Check these two directories

if there is a configuration file with

server_name odisseo.io

and add there the certificate files.

RickyIta68 · October 17, 2018, 7:51pm

Hi Jurgen, thanks for the reply …
now I will give a look to all the configuration files and also I will post the exact wording of the error as reported on the console. I am sorry when I wrote yesterday I was very tired and I posted everything very quickly. I will see to be more precise in the description.

RickyIta68 · October 17, 2018, 8:05pm

this is the exact error when I do the command : $ nginx -s reload

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/odisseo.io/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen(’/etc/letsencrypt/live/odisseo.io/fullchain.pem’,‘r’) error:2006D002:BIO routines:BIO_new_file:system lib)

I tryed also to give through sudo chmod the permission 600 to private key and 644 to the public key but the error reappears identical.

Maybe I’m missing something in the configuration.

sahsanu · October 17, 2018, 8:13pm

Hi @RickyIta68,

You should not modify the perms inside /etc/letsencrypt/, instead reload nginx as root or using sudo:

sudo nginx -s reload

Cheers,
sahsanu

RickyIta68 · October 17, 2018, 8:18pm

thanks, I tryed now with sudo nginx -s reload and I have now this error :
nginx: [alert] kill(28794, 1) failed (3: No such process)

sahsanu · October 17, 2018, 8:20pm

Restart nginx:

sudo service nginx restart

or

sudo systemctl restart nginx

RickyIta68 · October 17, 2018, 8:26pm

I did it but nginx seems to be capricious:

sudo service nginx restart
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

$ sudo systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

sahsanu · October 17, 2018, 8:29pm

You should use the two commands to know what is the error preventing nginx to start:

sudo systemctl status nginx.service

sudo journalctl -xe

RickyIta68 · October 17, 2018, 8:49pm

thanks Sahsanu ...
I did it ...
sudo systemctl status nginx.service
● nginx.service - A high performance web server and a reverse p
roxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor pres
et: enabled)
Active: failed (Result: exit-code) since Wed 2018-10-17 20:2
2:00 UTC; 11min ago
Docs: man:nginx(8)
Process: 25833 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry Q
UIT/5 --pidfile /run/nginx.pid (code=exited, status=1/FAILURE)
Process: 12993 ExecStart=/usr/sbin/nginx -g daemon on; master_process on
; (code=exited, status=1/FAILURE)
Process: 12991 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_p
rocess on; (code=exited, status=0/SUCCESS)
Main PID: 24524 (code=killed, signal=KILL)

Oct 17 20:21:58 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind(
) to 0.0.0.0:443 failed (98: Address already in use)
Oct 17 20:21:59 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind(
) to 0.0.0.0:80 failed (98: Address already in use)
Oct 17 20:21:59 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind(
) to 0.0.0.0:443 failed (98: Address already in use)
Oct 17 20:21:59 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind(
) to 0.0.0.0:80 failed (98: Address already in use)
Oct 17 20:21:59 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] bind(
) to 0.0.0.0:443 failed (98: Address already in use)
Oct 17 20:22:00 lemp7-optimized-g2-1-vm nginx[12993]: nginx: [emerg] still
could not bind()
Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: nginx.service:
Control process exited, code=exited status=1
Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: Failed to star
t A high performance web server and a reverse proxy server.
Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: nginx.service:
Unit entered failed state.
Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: nginx.service:
Failed with result 'exit-code'.

with the second command : sudo journalctl -xe
I recived a very long text result :
there are some red lines :

Oct 17 20:22:00 lemp7-optimized-g2-1-vm systemd[1]: Failed to star
t A high performance web server and a reverse proxy server.

Oct 17 20:21:11 lemp7-optimized-g2-1-vm systemd[1]: Failed to star
t A high performance web server and a reverse proxy server.

Oct 17 17:37:34 lemp7-optimized-g2-1-vm sshd[11809]: error: maximu
m authentication attempts exceeded for root from 109.173.19.23 port 39365
ssh2 [preauth]

sahsanu · October 17, 2018, 8:53pm

There is something already listening on port 443, maybe is nginx itself or is another service:

sudo netstat -ptan | grep :443

or

sudo ss -tlpn | cat | grep :443

But maybe the fast solution is to restart your server.

RickyIta68 · October 17, 2018, 8:58pm

sudo ss -tlpn | cat | grep :443
LISTEN 0 128 *:443 : users:(("nginx",pid=3520,fd=8),("nginx",pid=3518,fd=8))

sahsanu · October 17, 2018, 9:04pm

So for some reason nginx is not stopping, you could kill the nginx processes or restart your server.

sudo killall nginx

or

sudo kill 3520 3518

If the processes don’t die, force the kill

sudo killall -s KILL nginx

or

sudo kill -9 3520 3518

RickyIta68 · October 17, 2018, 9:08pm

restart
/jet/etc/init/exim: not running (no pid-file)
/jet/etc/init/nginx: not running (no pid-file)
/jet/etc/init/exim: start error
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/odisseo.io/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/odisseo.io/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
/jet/etc/init/nginx: start error

RickyIta68 · October 17, 2018, 9:15pm

sudo nginx -s reload is ok
but with nginx -s reload
nginx: [error] open() “/jet/run/nginx/nginx.pid” failed (2: No such file or directory)

sahsanu · October 17, 2018, 9:18pm

I didn’t see that you are using something called jetware, I’ve no idea how you should start/stop these services, you should read the doc to do that, also, for some reason your services are not starting as root, they are in a jail (chroot) or are doing something more but whatever is the reason, the services are not starting because they can’t access the files inside /etc/letsencrypt/live/odisseo.io/, so, or you check the reason your jetware services can’t access those files or you can manually copy the cert (fullchain.pem and privkey.pem) (as root) to a path that jetware can access ( I suppose inside /jet/ dir) and modify nginx and exim to use that path.

RickyIta68 · October 17, 2018, 9:22pm

Great, I understand I will try tomorrow, I’m really melted now thank you very much

sahsanu · October 17, 2018, 9:23pm

I hope you can get it up and running soon, anyway, I see there is an appliance including Let’s Encrypt http://jetware.io/appliances/jetware/lemp7_optimized_ssl_le so maybe you should take a look to that.

RickyIta68 · October 17, 2018, 9:24pm

thank you , yes, I will give a look

sahsanu · October 17, 2018, 11:00pm

Hi,

As I said, the problem is that you are using jetware and the services are started as a normal user inside an isolated environment create by jetware so nginx can’t access /etc/letsencrypt/live/ dir to read the cert and privkey for your domain so you could copy it inside the jet env.

1.- Create a dir where you will save the fullchain.pem and privkey.pem files.

mkdir /jet/prs/le/

2.- Copy the files using sudo:

sudo cp /etc/letsencrypt/live/odisseo.io/fullchain.pem /jet/prs/le/
sudo cp /etc/letsencrypt/live/odisseo.io/privkey.pem /jet/prs/le/

3.- Now change the perms and owner of these files (change the word user by your real user and group by the real group for your user):

sudo chmod 600 /jet/prs/le/*.pem
sudo chown user:group /jet/prs/le/*.pem

4.- Modify the nginx conf file default_ssl.vhost and replace the path in ssl directives:

This:

  ssl_certificate /etc/letsencrypt/live/odisseo.io/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/odisseo.io/privkey.pem;

Should be replace by this:

  ssl_certificate /jet/prs/le/fullchain.pem;
  ssl_certificate_key /jet/prs/le/privkey.pem;

5.- Reload nginx using /jet/enter command

/jet/enter reload nginx

The problem is that you should create a script to perform these steps automatically and modify the renewal conf for your domain so certbot-auto can renew your cert and copy the files to the jetware env and reload nginx automatically or as I commented in another post, use the jetware’s appliance that includes the Let’s Encrypt package, it should be easier…

Good luck,
sahsanu