Renewal is failing


#22

Please show:
ls -l /etc/nginx/sites-enabled/


#23
lrwxrwxrwx 1 root   root       45 Aug 29 21:02 bookiza_production -> /etc/nginx/sites-available/bookiza_production
lrwxrwxrwx 1 root   root       45 Nov 16 19:00 bubblin_production -> /etc/nginx/sites-available/bubblin_production
lrwxrwxrwx 1 root   root       35 Nov  8  2014 longview -> /etc/nginx/sites-available/longview
-rw-r--r-- 1 marvin deployers 869 Sep 20 18:50 old_domain_directive

After I deleted “~” from the server, I am unable to ssh as marvin. Right now I am using root credentials and will have to set up passwordless ssh again. brb.


#24

I think you may have accidentally deleted your home directory instead of the file under /etc. Did you add -r to the rm command?

Since bash expands ~ to your home directory, it’s tricky to delete a file that has the literal name “~”. You need to specify the full path, starting with “/”. And don’t add -r :slight_smile:


#25

Please show the contents of those 4 files:
/etc/nginx/sites-available/bookiza_production
/etc/nginx/sites-available/bubblin_production
/etc/nginx/sites-available/longview
/etc/nginx/sites-enabled/old_domain_directive


#26

Or just the current directory (.):

$ rm ./~


#27

Yeah, I deleted the /Home dir for my deployer user. Yay, medal of honor!

It was a quick mistake; the -rf flag is somewhat wired to my fingers next to rm :frowning: Thankfully, I have backups enabled, so it was easy to go back. Everything is back to normal now. I’ll share my nginx.conf(s) here shortly, as the LS certs for bookiza are about to expire in the next 24 hours.

Brb, with coffee.


#28

That rewrite produces the duplicate path, because $1 and $request_uri both contain the whole path.

You can remove “$1”, or remove “$request_uri”.

You can also change the whole thing to “return 301 https://$host$request_uri;” like Certbot uses, since it’s a slightly shorter way to do the same thing.

You can only specify the ipv6only option on one listen directive for an IP and port. (It’s a socket option, and there’s only one socket for an IP:port, so it affects every listen directive.)

So you have to remove “ipv6only=on” from all but one “listen [::]:80”.

Moreover, ipv6only=on has been the default since Nginx 1.3.4, so unless you’re running an older version, you can remove it from all of them.
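As an added illustration (not code from this thread or from Certbot), a small Python check that scans an nginx config for the two problems described in this post: a rewrite target that combines $1 with $request_uri, and ipv6only=on repeated on more than one listen directive for the same address:port. The config it scans is a constructed sample, not the poster's actual files.

```python
import re
from collections import defaultdict

# Constructed sample config reproducing both issues from the post above.
SAMPLE_CONF = """
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name bubblin.io www.bubblin.io;
    rewrite ^(.*) https://$host$1$request_uri permanent;
}
server {
    listen [::]:80 ipv6only=on;
    server_name bookiza.io www.bookiza.io;
    return 301 https://$host$request_uri;
}
"""

LISTEN_RE = re.compile(r'^\s*listen\s+(\S+)([^;#]*);')   # address, then options
REWRITE_RE = re.compile(r'^\s*rewrite\s+\S+\s+(\S+)')   # regex, then replacement target

def lint_nginx(conf: str):
    """Return a sorted list of (line_no, message) findings."""
    findings = []
    ipv6only_lines = defaultdict(list)  # listen address -> lines that set ipv6only=on
    for n, line in enumerate(conf.splitlines(), 1):
        code = line.split('#', 1)[0]    # strip nginx '#' comments
        m = LISTEN_RE.match(code)
        if m:
            addr, opts = m.group(1), m.group(2)
            if 'ipv6only=on' in opts.split():
                ipv6only_lines[addr].append(n)
            continue
        m = REWRITE_RE.match(code)
        if m:
            target = m.group(1)
            # $1 (not $10, $11, ...) together with $request_uri doubles the path
            if re.search(r'\$1(?!\d)', target) and '$request_uri' in target:
                findings.append((n, 'rewrite target uses both $1 and $request_uri; '
                                    'the request path will be doubled'))
    for addr, lines in ipv6only_lines.items():
        # ipv6only is a socket option: it may be given on only one listen per address:port
        for extra in lines[1:]:
            findings.append((extra, f'ipv6only=on repeated for {addr} '
                                    f'(already set on line {lines[0]})'))
    return sorted(findings)
```

This is a quick pre-check only; `nginx -t` remains the authoritative test before a reload.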


#29

Ok. Let me proceed with this step first. I’m on Nginx 1.10.3.


#30

1. old_domain_directive

server {
  server_name bubbl.in www.bubbl.in;
  rewrite ^ https://bubblin.io$request_uri permanent;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/bookiza.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bookiza.io/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot

}

server {
    if ($host = www.bubbl.in) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = bubbl.in) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  listen 80;
  server_name bubbl.in www.bubbl.in;
  return 404; # managed by Certbot
}


2. longview

This comes from Linode people.

server {
        listen 127.0.0.2:80;
        server_name 127.0.0.2;

        location /nginx_status {
                stub_status on;
                allow 127.0.0.1;
                deny all;
        }
}

3. bookiza_production

This is for a static site with just one HTML page.

server {
  root /var/www/bookiza.io;
  index index.html;
  server_name bookiza.io www.bookiza.io;

  location / {
         try_files $uri $uri/ =404;
  }

    location ~* \.(jpg|jpeg|png|gif|ico)$ {
       expires 30d;
    }

    location ~* \.(css|js)$ {
       expires 7d;
    }

    listen [::]:443 http2 ssl ipv6only=on; # managed by Certbot
    listen 443 http2 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/bookiza.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bookiza.io/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

   gzip on;
   gzip_types application/javascript image/* text/css;
   gunzip on;
}




server {
    if ($host = www.bookiza.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = bookiza.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  # listen 80;
  # listen [::]:80 ipv6only=on;
  server_name bookiza.io www.bookiza.io;
  # return 301 https://$host$request_uri;
  # return 404; # managed by Certbot

}

4. bubblin_production

This is for a Rails app that’s using a Puma app server down the line.

upstream puma_bubblin_production {
  server unix:/var/www/bubblin.io/shared/tmp/sockets/puma.sock fail_timeout=0;
}

server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name bubblin.io www.bubblin.io;
    # rewrite ^(.*) https://$host$1$request_uri permanent;
    return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name www.bubblin.io;
  ssl_certificate /etc/letsencrypt/live/www.bubblin.io/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.bubblin.io/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

  rewrite ^ https://bubblin.io$request_uri permanent;

}

server {
  server_name bubblin.io;
  root /var/www/bubblin.io/current/public;
  try_files $uri/index.html $uri @puma_bubblin_production;

  client_max_body_size 4G;
  keepalive_timeout 10;

  error_page 500 502 504 /500.html;
  error_page 503 @503;

  location @puma_bubblin_production {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_redirect off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header X-Forwarded-Proto http;
    proxy_pass http://puma_bubblin_production;
    # limit_req zone=one;
    access_log /var/www/bubblin.io/shared/log/nginx.access.log;
    error_log /var/www/bubblin.io/shared/log/nginx.error.log;
  }

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  location = /50x.html {
    root html;
  }

  location = /404.html {
    root html;
  }

  location @503 {
    error_page 405 = /system/maintenance.html;
    if (-f $document_root/system/maintenance.html) {
      rewrite ^(.*)$ /system/maintenance.html break;
    }
    rewrite ^(.*)$ /503.html break;
  }

  if ($request_method !~ ^(GET|HEAD|PUT|PATCH|POST|DELETE|OPTIONS)$ ){
    return 405;
  }

  if (-f $document_root/system/maintenance.html) {
    return 503;
  }

  listen 443 ssl http2; # managed by Certbot
  listen [::]:443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/bubblin.io/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/bubblin.io/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

  # Add HSTS header with preloads
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";


}

Apart from these I also have the following snippet inside nginx/conf.d/ directory:

security.conf

  # Set HSTS and Referer policy here:
  # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

  # add_header X-Frame-Options sameorigin;

  add_header X-Content-Type-Options nosniff;

  # add_header X-XSS-Protection "1; mode=block;";

   add_header Referrer-Policy "strict-origin";

This is the complete set up on my server at the moment.


#31

The bubblin_production seems to cover both names and both ports “correctly”.
But the bookiza_production seems to only cover both names for https correctly, then has a block for both names without a listen statement.

You should make it more like the working file.


#32

New certificate deployed with reload of nginx server; :grinning:

The issue was that ipv6only=on can be set only once, and we were already doing that in bubblin’s configuration. It cannot be applied again on a single installation of nginx, even for another domain. Here’s what bookiza’s nginx.conf on port 80 finally looks like:

server {
    listen 80;
    listen [::]:80;  # Removed ipv6only=on from here.
    server_name bookiza.io www.bookiza.io;
    return 301 https://$host$request_uri;
}

:partying_face: