Raspbian trouble

howdy y’all. Thanks in advance for your help. I’m trying to get a cert on my Raspberry Pi Zero. I installed certbot-audo but was getting an error so tried to install with apt-get (https://certbot.eff.org/lets-encrypt/debianstretch-other) but that was giving me “illegal instruction” errors so I uninstalled that version and went back to troubleshooting the certbot-auto.

When visiting https://teafry.me Firefox gives me a " (Error code: ssl_error_bad_cert_domain)" error.

running: ./certbot-auto --nginx -d www.teafry.me -d teafry.me
gives me:

Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] open() “/etc/letsencrypt/options-ssl-nginx.conf” failed (2: No such file or directory) in /etc/nginx/nginx.conf:46
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.

and, here is my nginx.conf for good measure,
(I commented out the letsencrypt stuff because nginx wouldn’t restart with that in there, said it couldn’t find ta file or something…)

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;


server {

	##
	# I'm adding this section to fix www
	##

	server_name www.teafry.me;
	return 301 $scheme://teafry.me$request_uri;

listen 80; # managed by Certbot

listen 443 ssl; # managed by Certbot

ssl_certificate /etc/letsencrypt/live/www.teafry.me/fullchain.pem; # managed by Certbot

ssl_certificate_key /etc/letsencrypt/live/www.teafry.me/privkey.pem; # managed by Certbot

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

ssl_certificate /etc/letsencrypt/live/www.teafry.me-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.teafry.me-0001/privkey.pem; # managed by Certbot

}

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;


##
# SSI STUFF (who knows if this is right hahaha)
##

ssi on;

}

#mail {

# See sample authentication script at:

# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript

# auth_http localhost/auth.php;

# pop3_capabilities “TOP” “USER”;

# imap_capabilities “IMAP4rev1” “UIDPLUS”;

server {

listen localhost:110;

protocol pop3;

proxy on;

}

server {

listen localhost:143;

protocol imap;

proxy on;

}

#}

My domain is: teafry.me

I ran this command: ./certbot-auto --nginx
(among others…)

It produced this output:
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: www.teafry.me


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1


Congratulations! You have successfully enabled https://www.teafry.me

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.teafry.me


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.teafry.me-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.teafry.me-0001/privkey.pem
    Your cert will expire on 2019-07-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the “certonly” option. To non-interactively renew all
    of your certificates, run “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): nginx version: nginx/1.10.3

The operating system my web server runs on is (include version): Raspbian GNU/Linux 9 (stretch)

My hosting provider, if applicable, is: me
I can login to a root shell on my machine (yes or no, or I don’t know): yep
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.33.1

Hi @broabprobe

you have two certificates created ( https://check-your-website.server-daten.de/?q=teafry.me ):

CRT-Id Issuer not before not after Domain names LE-Duplicate next LE
1361021584 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-04-07 14:00:45 2019-07-06 14:00:45 teafry.me, www.teafry.me duplicate nr. 1
1360805988 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-04-07 12:20:07 2019-07-06 12:20:07 www.teafry.me duplicate nr. 1

The last certificate has both domain names.

But you use the certificate with one domain name:

CN=www.teafry.me
	07.04.2019
	06.07.2019
expires in 90 days	www.teafry.me - 1 entry

So your non-www version isn’t secure.

But you have a second problem, a direct loop:

https://teafry.me/ 69.5.112.49
	301
	https://teafry.me/
	Error direct loop

https + non-www redirects to the same domain.

Check your vHosts with

nginx -T

to find your working vHost with your www version. Then add there the non-www version

server_name example.com www.example.com;

and remove the vHost with the non-www version.

So both domains use the same vHost with the same certificate.

Perhaps the wrong redirect is in the wrong vHost. So removing the wrong vHost -> removes the loop.

You are attempting to get a cert for two names:

Yet, your config only has one name:

as also shown by (the single entry):

furthermore, when a connections is made to the www it is redirected to the site without www:

So… where is the site without the www ?

Thanks JuergenAuer and rg305!

PHEW. Well I messed around in the config files for a while, deleted the default config that was being loaded and switched the cert to the one that was commented out… and it seems to be working now! Thanks v much!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.