Certificate renewal


#1

Hello.

I can read answers in English: yes

My domain is: hugoclo411.xyz

I ran this command: acme.sh --issue -d chat.hugoclo411.xyz --pre-hook "systemctl stop nginx" --standalone --post-hook "systemctl start nginx" --ecc --keylength ec-384

It produced this output:
[Fri Dec 14 17:18:32 CET 2018] Domains not changed.
[Fri Dec 14 17:18:32 CET 2018] Skip, Next renewal time is: Sun Feb 3 18:11:06 UTC 2019
[Fri Dec 14 17:18:32 CET 2018] Add '--force' to force to renew.

My web server is (include version): nginx

When I test my certificate I get :slight_smile:

| Common names | chat.hugoclo411.xyz |
|---|---|
| Alternative names | chat.hugoclo411.xyz cloud.hugoclo411.xyz |
| Valid from | Sun, 16 Sep 2018 03:41:14 UTC |
| Valid until | Sat, 15 Dec 2018 03:41:14 UTC (expires in 11 hours and 15 minutes) |
| Key | RSA 2048 bits (e 65537) |
| Weak key (Debian) | No |

test ssl

The command tells me that my certificate cannot be renewed and is valid until February 2019, but when I test it, it is no longer valid as of December 15.
I tried with --force; that renews the certificate but the date does not change.

Other command, run after the first one:
acme.sh --install-cert -d chat.hugoclo411.xyz --ecc \
--cert-file /etc/nginx/acme.sh/chat.hugoclo411.xyz/cert.pem \
--key-file /etc/nginx/acme.sh/chat.hugoclo411.xyz/key.pem \
--fullchain-file /etc/nginx/acme.sh/chat.hugoclo411.xyz/fullchain.pem \
--reloadcmd "systemctl reload nginx.service"


#2

Perfect, I’ll write in English so others may help you if needed.

Your server did present a certificate that expires tomorrow.

But acme.sh is correct too: you did generate a new certificate: https://crt.sh/?q=%.hugoclo411.xyz

Maybe the reload/restart of nginx failed.

Did you try to reload it manually?
systemctl reload nginx.service
Can you run this command to check the configuration of your server:
nginx -t


#3

systemctl reload nginx.service
no change
nginx -t :
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/ssl/server.crt"
nginx: [warn] conflicting server name "_" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

thx


#4

and in your nginx configuration for chat.hugoclo411.xyz the ssl_certificate directive points to /etc/nginx/acme.sh/chat.hugoclo411.xyz/cert.pem right?


#5

I think :sweat_smile:.
How could I verify?


#6

nginx -t shows /etc/nginx/nginx.conf so you need to look inside that file :slightly_smiling_face:


#7

Or maybe it’s:
nginx -T


#8

I think what you mean is: if you run nginx -T instead of nginx -t, it will dump all configuration files to stdout, which might be even more informative. Note however that it is only available on newer versions of Nginx.

https://nginx.org/en/docs/switches.html


#9

My first domain is hugoclo411.xyz
I renew the certificate with: ./certbot-auto renew

chat.hugoclo411.xyz and cloud.hugoclo411.xyz are subdomains

nginx -T:
Here


#10

I see only cloud, and it is using the chat cert:
server_name cloud.hugoclo411.xyz;
ssl_certificate /etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/chat.hugoclo411.xyz/privkey.pem;

Please show:
certbot-auto certificates


#11

certbot-auto certificates:
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: chat.hugoclo411.xyz
    Domains: chat.hugoclo411.xyz cloud.hugoclo411.xyz
    Expiry Date: 2018-12-15 03:41:14+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/chat.hugoclo411.xyz/privkey.pem
  Certificate Name: hugoclo411.xyz
    Domains: hugoclo411.xyz cloud.hugoclo411.xyz
    Expiry Date: 2019-01-29 22:49:56+00:00 (VALID: 45 days)
    Certificate Path: /etc/letsencrypt/live/hugoclo411.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hugoclo411.xyz/privkey.pem

#12

Somewhere you will need:
server_name chat.hugoclo411.xyz;

For LE to be able to validate both domains and renew your cert (that has both names on it)


#13

Maybe you do have a vhost config file chat.hugoclo411.xyz.
But the file was just not correctly included into the main config.
Please show:
grep -Eri 'chat.hugo|server_name|server_alias|:443|ssl_cert|include' /etc/nginx/


#14
/etc/nginx/fastcgi_params:fastcgi_param  SERVER_NAME        $server_name;
/etc/nginx/ssl/params.conf:    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
/etc/nginx/conf.d/php.conf:     include /etc/nginx/fastcgi_params;
/etc/nginx/conf.d/default.conf:    server_name  localhost;
/etc/nginx/conf.d/default.conf:    #    include        fastcgi_params;
/etc/nginx/conf.d/php-manager.conf:    include /etc/nginx/fastcgi_params;
/etc/nginx/nginx.conf:    include /etc/nginx/mime.types;
/etc/nginx/nginx.conf:    include /etc/nginx/sites-enabled/*.conf;
/etc/nginx/nginx.conf:    include /etc/nginx/ssl/params.conf;
/etc/nginx/sites-enabled/rocket.conf:    server_name chat.hugoclo411.xyz;
/etc/nginx/sites-enabled/rocket.conf:    return 301 https://chat.hugoclo411.xyz;
/etc/nginx/sites-enabled/rocket.conf:    server_name chat.hugoclo411.xyz;
/etc/nginx/sites-enabled/rocket.conf:    ssl_certificate /etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem; # managed by Certbot
/etc/nginx/sites-enabled/rocket.conf:    ssl_certificate_key /etc/letsencrypt/live/chat.hugoclo411.xyz/privkey.pem; # managed by Certbot
/etc/nginx/sites-enabled/pyload.conf:        server_name pyload.hugoclo411.xyz;
/etc/nginx/sites-enabled/pyload.conf:    server_name pyload.hugoclo411.xyz;                                
/etc/nginx/sites-enabled/pyload.conf:#    ssl_certificate /etc/letsencrypt/live/pyload.hugoclo411.xyz/fullchain.pem; # managed by Certbot
/etc/nginx/sites-enabled/pyload.conf: #  ssl_certificate_key /etc/letsencrypt/live/pyload.hugoclo411.xyz/privkey.pem; # managed by Certbot
/etc/nginx/sites-enabled/gateone.conf: server_name _;
/etc/nginx/sites-enabled/gateone.conf: ssl_certificate /etc/nginx/ssl/server.crt;
/etc/nginx/sites-enabled/gateone.conf: ssl_certificate_key /etc/nginx/ssl/server.key;
/etc/nginx/sites-enabled/rutorrent.conf:        server_name _;
/etc/nginx/sites-enabled/rutorrent.conf:        ssl_certificate /etc/letsencrypt/live/hugoclo411.xyz/fullchain.pem;
/etc/nginx/sites-enabled/rutorrent.conf:        ssl_certificate_key /etc/letsencrypt/live/hugoclo411.xyz/privkey.pem;
/etc/nginx/sites-enabled/rutorrent.conf:        include /etc/nginx/conf.d/ciphers.conf;
/etc/nginx/sites-enabled/rutorrent.conf:                include /etc/nginx/fastcgi_params;
/etc/nginx/sites-enabled/rutorrent.conf:                include /etc/nginx/conf.d/php.conf;
/etc/nginx/sites-enabled/rutorrent.conf:                include /etc/nginx/conf.d/cache.conf;
/etc/nginx/sites-enabled/rutorrent.conf:                include scgi_params;
/etc/nginx/sites-enabled/rutorrent.conf:                include /etc/nginx/conf.d/php.conf;
/etc/nginx/sites-enabled/rutorrent.conf:                include /etc/nginx/conf.d/cache.conf;
/etc/nginx/sites-enabled/nextcloud.conf:    server_name cloud.hugoclo411.xyz;
/etc/nginx/sites-enabled/nextcloud.conf:        server_name cloud.hugoclo411.xyz;
/etc/nginx/sites-enabled/nextcloud.conf:    ssl_certificate /etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem; # managed by Certbot
/etc/nginx/sites-enabled/nextcloud.conf:    ssl_certificate_key /etc/letsencrypt/live/chat.hugoclo411.xyz/privkey.pem; # managed by Certbot
/etc/nginx/sites-enabled/nextcloud.conf:        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
/etc/nginx/sites-enabled/nextcloud.conf:#       include /etc/nginx/conf.d/ciphers.conf;                 #à désactiver si vous ne faites pas le tuto Logjam
/etc/nginx/sites-enabled/nextcloud.conf:                include fastcgi_params;
/etc/nginx/sites-enabled/composer.lock:                    "src/functions_include.php"
/etc/nginx/sites-enabled/composer.lock:                    "src/functions_include.php"
/etc/nginx/sites-enabled/composer.lock:                    "src/functions_include.php"
/etc/nginx/sites-enabled/shellinabox.conf:        server_name hugoclo411.xyz;
/etc/nginx/scgi_params:scgi_param  SERVER_NAME        $server_name;
/etc/nginx/nginx.conf.save.1:    include /etc/nginx/mime.types;
/etc/nginx/nginx.conf.save.1:    include /etc/nginx/sites-enabled/*.conf;
/etc/nginx/nginx.conf.save.1:    include /etc/nginx/ssl/params.conf;
/etc/nginx/uwsgi_params:uwsgi_param  SERVER_NAME        $server_name;

#15

Let’s see the rocket.conf file

/etc/nginx/nginx.conf: include /etc/nginx/sites-enabled/*.conf;
/etc/nginx/sites-enabled/rocket.conf: server_name chat.hugoclo411.xyz;
The config include statement should include it.
But it was not found in the nginx -T upload.

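One way to check an `nginx -T` dump for the two problems found in posts #10 and #15 (a name served from another name's certificate, and a vhost whose TLS server block was never loaded), as an added example that is not part of the thread: the config text is constructed to mirror the thread, and the `parse_servers`/`audit` helpers and their result keys are my own names.

```python
import re
from collections import defaultdict

DIRECTIVE_RE = re.compile(r"^(listen|server_name|ssl_certificate)\s+([^;]+);")

# Constructed nginx -T-style input modelled on the thread (not a real dump from the poster).
SAMPLE_DUMP = """server { listen 80; server_name chat.hugoclo411.xyz; return 301 https://chat.hugoclo411.xyz; }
server {
    listen 443 ssl http2; server_name cloud.hugoclo411.xyz;
    ssl_certificate /etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem; # managed by Certbot
    location / { proxy_pass http://127.0.0.1:3000; }
}
server { listen 443 ssl; server_name _; ssl_certificate /etc/nginx/ssl/server.crt; }
server { listen 443 ssl; server_name _; ssl_certificate /etc/letsencrypt/live/hugoclo411.xyz/fullchain.pem; }
"""

def parse_servers(dump):
    # Strip comments, split after every "{", "}" and ";", and count braces so nested blocks are skipped.
    tokens = re.split(r"(?<=[{};])", re.sub(r"#[^\n]*", "", dump))
    servers, block, depth = [], None, 0
    for tok in (t.strip() for t in tokens):
        if block is None:
            if re.fullmatch(r"server\s*\{", tok):
                block, depth = defaultdict(list), 1
            continue
        depth += tok.count("{") - tok.count("}")
        if depth == 0:
            servers.append(dict(block))
            block = None
        elif depth == 1 and (m := DIRECTIVE_RE.match(tok)):
            block[m.group(1)].append(m.group(2).strip())
    return servers

def audit(dump):
    # Cert file per TLS name, names with only a :80 redirect, and duplicate catch-all "_" servers per port.
    served, plain, catch_all = {}, set(), defaultdict(int)
    for s in parse_servers(dump):
        listens = s.get("listen", [])
        names = " ".join(s.get("server_name", [])).split()
        if not any(re.search(r"\bssl\b|443", l) for l in listens):
            plain.update(names)
            continue
        for name in names:
            if name == "_":
                catch_all[listens[0].split()[0]] += 1
            else:
                served[name] = s.get("ssl_certificate", ["<none>"])[0]
    return {"served_from": served,
            "redirect_without_tls": sorted(plain - set(served) - {"_", "localhost"}),
            "conflicting_catch_all": {p: n for p, n in catch_all.items() if n > 1}}
```

Run it on the real output of `nginx -T` instead of `SAMPLE_DUMP`; a name in `redirect_without_tls` means the vhost file was not picked up by the `include`, and `conflicting_catch_all` reproduces the "conflicting server name" warning from `nginx -t`.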

#16

server {
    listen 80;
    server_name chat.hugoclo411.xyz;
    return 301 https://chat.hugoclo411.xyz;
}

# Upstreams

upstream backend {
    server 127.0.0.1:3000;
}

# HTTPS Server

server {
    server_name chat.hugoclo411.xyz;

    error_log /var/log/nginx/rocketchat.access.log;

    listen 443 ssl http2;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/chat.hugoclo411.xyz/privkey.pem; # managed by Certbot

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        # header names corrected from X-Forward-*: the standard names are X-Forwarded-*
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}


#17

You can't use streams in an included file that is being inserted into an http block.

You will have to manually include it above the http block in the main nginx.conf file.

So it is not being used now.


#18

So what should I do please?


#19

Try:
Edit the file:
/etc/nginx/nginx.conf
Add above the first http {
include /etc/nginx/sites-enabled/rocket.conf;

If that fails, undo the change and try:
Edit the file:
/etc/nginx/sites-enabled/rocket.conf
remove the section:

# Upstreams
upstream backend {
server 127.0.0.1:3000;
}

Then insert that section into the nginx.conf file above the http {

Or ask yourself “Do I really even need the upstream section?”
It wasn’t being used…
What is it supposed to be doing?
How can I otherwise do that?


#20

root@dedi-par-61445op-netcom:/tmp# ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/chat.hugoclo411.xyz.conf


Cert is due for renewal, auto-renewing…
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] invalid number of arguments in "include" directive in /etc/nginx/nginx.conf:13
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] invalid number of arguments in "include" directive in /etc/nginx/nginx.conf:13\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
Attempting to renew cert (chat.hugoclo411.xyz) from /etc/letsencrypt/renewal/chat.hugoclo411.xyz.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] invalid number of arguments in "include" directive in /etc/nginx/nginx.conf:13\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',). Skipping.


Processing /etc/letsencrypt/renewal/hugoclo411.xyz.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/hugoclo411.xyz/fullchain.pem expires on 2019-01-29 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)