Problems Renewing on Fedora 29 KVM VPS

Hello kind people! I'm still quite new at this kind of stuff so bear with me. I've read through several threads but I don't seem to see anyone in my exact situation. This is on a KVM VPS I'm using to give my home Jellyfin server remote access.

My domain is: smaman.ddns.net

I ran this command: sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/smaman.ddns.net.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for smaman.ddns.net
nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size
nginx: [warn] conflicting server name "smaman.ddns.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on [::]:80, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on [::]:443, ignored
Waiting for verification...
Challenge failed for domain smaman.ddns.net
http-01 challenge for smaman.ddns.net
Cleaning up challenges
nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size
nginx: [warn] conflicting server name "smaman.ddns.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on [::]:80, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on [::]:443, ignored
Attempting to renew cert (smaman.ddns.net) from /etc/letsencrypt/renewal/smaman.ddns.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/smaman.ddns.net/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/smaman.ddns.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx/1.16.1

The operating system my web server runs on is (include version): Fedora 29 64 Bit

My hosting provider, if applicable, is: Racknerd, I think?

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Racknerd's NerdVM web-based control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.39.0

Thank you!

1 Like

That version may need an update.

That can't be good.

We should review your nginx config.
nginx -T

4 Likes

I checked with sudo dnf update certbot but it didn't seem to show any updates available.
When I tried sudo dnf install certbot it said:
Package certbot-0.39.0-1.fc29.noarch is already installed.

nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size
nginx: [warn] conflicting server name "smaman.ddns.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on [::]:80, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers PROFILE=SYSTEM;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }



    server {
    server_name smaman.ddns.net; # managed by Certbot
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/smaman.ddns.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/smaman.ddns.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

    server {
    if ($host = smaman.ddns.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen       80 ;
        listen       [::]:80 ;
    server_name smaman.ddns.net;
    return 404; # managed by Certbot


}}

# configuration file /etc/nginx/conf.d/jellyfin.conf:
    # Uncomment the commented sections after you have acquired a SSL Certificate
    server {
        listen 80;
        listen [::]:80;
         server_name smaman.ddns.net;
 
        # Uncomment to redirect HTTP to HTTPS
         return 301 https://$host$request_uri;
    }
 
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name smaman.ddns.net;
 
        ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
        client_max_body_size 20M;
 
        # use a variable to store the upstream proxy
        # in this example we are using a hostname which is resolved via DNS
        # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
        set $jellyfin 127.0.0.1;
        resolver 127.0.0.1 valid=30;
 
        ssl_certificate /etc/letsencrypt/live/smaman.ddns.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/smaman.ddns.net/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        add_header Strict-Transport-Security "max-age=31536000" always;
 
 
        # Security / XSS Mitigation Headers
        # NOTE: X-Frame-Options may cause issues with the webOS app
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
 
        # Content Security Policy
        # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
        # Enforces https content and restricts JS/CSS to origin
        # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
        # NOTE: The default CSP headers may cause issues with the webOS app
        #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
 
        location = / {
            return 302 http://$host/web/;
            return 302 https://$host/web/;
        }
 
        location / {
            # Proxy main Jellyfin traffic
            proxy_pass http://$jellyfin:8096;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
 
            # Disable buffering when the nginx proxy gets very resource heavy upon streaming
            proxy_buffering off;
        }
 
        # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
        location = /web/ {
            # Proxy main Jellyfin traffic
            proxy_pass http://$jellyfin:8096/web/index.html;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
        }
 
        location /socket {
            # Proxy Jellyfin Websockets traffic
            proxy_pass http://$jellyfin:8096;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
        }
    }
 

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

Probably because you're running an OS which was end-of-life three and a half years ago already.

Certbot recommends using snap to install Certbot, see Certbot Instructions | Certbot for more info.

4 Likes

These are conflicting:

These are conflicting:

3 Likes

Unfortunately it's the latest version of Fedora that Racknerd has available. I've tried updating the kernel myself but found out that's not really a thing you can do on a VPS.

In the process of uninstalling Certbot and reinstalling it with Snap, it seems to have fixed the problem! Probably resolved the conflicts that @rg305 mentioned in the process.

Thanks for all your help, everyone!

1 Like

What does nginx -t show?

3 Likes

Hmm, well it appears the conflicts are still there.

nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size
nginx: [warn] conflicting server name "smaman.ddns.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on [::]:80, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "smaman.ddns.net" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Going back to your previous reply (and if this needs to be moved to its own thread, let me know), do I just need to comment out one of those entries in the config?

In short: Yes.
But which one?
[that is on you to decide]

5 Likes
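Deciding "which one" is easier when you can see where each duplicate lives. The following is an added example (not from this thread or from Certbot) that scans an `nginx -T` dump, tracks the `# configuration file` markers, and reports every (listen address, server_name) pair defined in more than one server block together with the file and line of each definition. The embedded dump is a constructed excerpt modelled on the config above; the brace tracking is line-oriented and does not handle braces inside quoted strings.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of `nginx -T` output (not the poster's full dump).
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    server { listen 80 default_server; server_name _; }
    server { server_name smaman.ddns.net; listen [::]:443 ssl ipv6only=on; listen 443 ssl; }
    server {
        if ($host = smaman.ddns.net) { return 301 https://$host$request_uri; } # managed by Certbot
        listen 80 ; listen [::]:80 ; server_name smaman.ddns.net; return 404;
    }}
# configuration file /etc/nginx/conf.d/jellyfin.conf:
    server { listen 80; listen [::]:80; server_name smaman.ddns.net; return 301 https://$host$request_uri; }
    server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name smaman.ddns.net; }
"""

DIRECTIVE = re.compile(r"\b(listen|server_name)\s+([^;{}]+);")

def normalize_listen(addr):
    """Render a listen address the way nginx's warning does: '80' -> '0.0.0.0:80'."""
    return "0.0.0.0:" + addr if addr.isdigit() else addr

def find_conflicts(dump):
    """Map each (listen address, server_name) pair defined in more than one server block to its (file, line) places."""
    seen = defaultdict(list)
    current_file, depth, block = None, 0, None
    for lineno, raw in enumerate(dump.splitlines(), 1):
        if raw.startswith("# configuration file "):      # nginx -T file marker
            current_file = raw[len("# configuration file "):].rstrip(":")
            continue
        line = raw.split("#", 1)[0]                        # drop trailing comments
        if re.match(r"^\s*server\s*\{", line):             # a server block opens here
            block = {"depth": depth + 1, "where": (current_file, lineno), "listen": [], "names": []}
        if block:
            for kind, value in DIRECTIVE.findall(line):
                if kind == "listen":
                    block["listen"].append(normalize_listen(value.split()[0]))
                else:
                    block["names"].extend(value.split())
        depth += line.count("{") - line.count("}")        # brace-level tracking, no string handling
        if block and depth < block["depth"]:               # the server block just closed
            for addr in block["listen"]:
                for name in block["names"]:
                    seen[(addr, name)].append(block["where"])
            block = None
    return {pair: places for pair, places in seen.items() if len(places) > 1}
```

On a real host, save `nginx -T` to a file and call `find_conflicts(open(path).read())`; each key matches one of the `conflicting server name` warnings and its value lists the two places to choose between.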

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.