Certificate renewal


#21

The include is missing a semi-colon at the end:
include /etc/nginx/sites-enabled/rocket.conf;
[updated previous post - for future readers]


#22

Uniquely interesting problem…
Certbot finds the file for “chat.hugoclo411.xyz” and makes its required acme-challenge changes.
Reloads nginx and tries to validate the challenge.
The challenge fails and certbot puts everything back the way it was before.

It fails because the file it found was “included” but could not be used by nginx (because it contains a stream block).
Certbot doesn’t check for such situations.
Frankly no one checks for such situations.
The person that put the stream block in there should have checked if it worked or not - which it doesn’t; it can’t.


#23

root@dedi-par-61445op-netcom:/tmp# ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/chat.hugoclo411.xyz.conf


Cert is due for renewal, auto-renewing…
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] duplicate upstream "backend" in /etc/nginx/sites-enabled/rocket.conf:7
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] duplicate upstream "backend" in /etc/nginx/sites-enabled/rocket.conf:7\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
Attempting to renew cert (chat.hugoclo411.xyz) from /etc/letsencrypt/renewal/chat.hugoclo411.xyz.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] duplicate upstream "backend" in /etc/nginx/sites-enabled/rocket.conf:7\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',). Skipping.


Processing /etc/letsencrypt/renewal/hugoclo411.xyz.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/hugoclo411.xyz/fullchain.pem expires on 2019-01-29 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chat.hugoclo411.xyz/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
root@dedi-par-61445op-netcom:/tmp# service nginx start
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.


#24

With this include, nginx doesn’t start.


#25

Hmm…
it is now being “included” twice.

Try changing the filename from .conf to .confx
then include it as the .confx name
mv /etc/nginx/sites-enabled/rocket.conf /etc/nginx/sites-enabled/rocket.confx
change
include /etc/nginx/sites-enabled/rocket.conf;
to
include /etc/nginx/sites-enabled/rocket.confx;

This is obviously just to get this tested.
We will have to get it all sorted properly before we are done :slight_smile:


#26

Ok, I’m thinking it will also fail for the opposite reason:
You can’t use an http server section outside the http {}

So, let’s go for option #2:

Don’t forget to put it back:
mv /etc/nginx/sites-enabled/rocket.confx /etc/nginx/sites-enabled/rocket.conf


#27

/tmp# systemctl status nginx.service
● nginx.service - nginx - high performance web server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2018-12-16 12:14:51 CET; 15s ago
Docs: http://nginx.org/en/docs/
Process: 39528 ExecStop=/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 2551 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
Process: 40586 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
Main PID: 3197 (code=exited, status=0/SUCCESS)

Dec 16 12:14:51 dedi-par-61445op-netcom systemd[1]: Starting nginx - high performance web server…
Dec 16 12:14:51 dedi-par-61445op-netcom nginx[40586]: nginx: [emerg] "upstream" directive is not allowed here in /etc/nginx/nginx.conf:10
Dec 16 12:14:51 dedi-par-61445op-netcom systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 16 12:14:51 dedi-par-61445op-netcom systemd[1]: Failed to start nginx - high performance web server.
Dec 16 12:14:51 dedi-par-61445op-netcom systemd[1]: nginx.service: Unit entered failed state.
Dec 16 12:14:51 dedi-par-61445op-netcom systemd[1]: nginx.service: Failed with result 'exit-code'.


#28

With this option:

no error,
/tmp# acme.sh --issue -d chat.hugoclo411.xyz --pre-hook "systemctl stop nginx" --standalone --force --post-hook "systemctl start nginx" --ecc --keylength ec-384
[Sun Dec 16 12:21:27 CET 2018] Run pre hook:'systemctl stop nginx'
[Sun Dec 16 12:21:28 CET 2018] Standalone mode.
[Sun Dec 16 12:21:28 CET 2018] Single domain='chat.hugoclo411.xyz'
[Sun Dec 16 12:21:28 CET 2018] Getting domain auth token for each domain
[Sun Dec 16 12:21:28 CET 2018] Getting webroot for domain='chat.hugoclo411.xyz'
[Sun Dec 16 12:21:28 CET 2018] Getting new-authz for domain='chat.hugoclo411.xyz'
[Sun Dec 16 12:21:29 CET 2018] The new-authz request is ok.
[Sun Dec 16 12:21:29 CET 2018] chat.hugoclo411.xyz is already verified, skip http-01.
[Sun Dec 16 12:21:29 CET 2018] Verify finished, start to sign.
[Sun Dec 16 12:21:32 CET 2018] Cert success.

But on test: This certificate has expired (2 days ago) :cry:


#29

ACME.SH places the certs it gets into a different location than certbot.
You just need to point to those new files.
Change these lines:

To:
(you must find the new certs first)
find / -name fullchain.cer
(then show all the files in the folder you found)
ls -l /root/.acme.sh/{your-cert-name-folder}/
(it may look something like this)
ls -l /root/.acme.sh/chat.hugoclo411.xyz_ecc/
-rw-r--r--. 1 root root 1647 Dec 8 17:20 ca.cer
-rw-r--r--. 1 root root 3314 Dec 8 17:20 fullchain.cer
-rw-r--r--. 1 root root 1667 Dec 8 17:20 chat.hugoclo411.xyz.cer
-rw-r--r--. 1 root root 522 Dec 8 17:20 chat.hugoclo411.xyz.conf
-rw-r--r--. 1 root root 521 Dec 8 17:20 chat.hugoclo411.xyz.csr
-rw-r--r--. 1 root root 216 Dec 8 17:20 chat.hugoclo411.xyz.csr.conf
-rw-r--r--. 1 root root 359 Dec 8 17:08 chat.hugoclo411.xyz.key

You would use something like:
ssl_certificate /root/.acme.sh/chat.hugoclo411.xyz_ecc/fullchain.cer;
ssl_certificate_key /root/.acme.sh/chat.hugoclo411.xyz_ecc/chat.hugoclo411.xyz.key;

Then restart nginx


#30

Hello,
with the command: ls -l /root/.acme.sh/chat.hugoclo411.xyz_ecc
I have
total 32
drwxr-xr-x 2 root root 4096 Dec 5 19:11 backup
-rw-r--r-- 1 root root 1647 Dec 16 12:38 ca.cer
-rw-r--r-- 1 root root 1688 Dec 16 12:38 chat.hugoclo411.xyz.cer
-rw-r--r-- 1 root root 833 Dec 16 12:38 chat.hugoclo411.xyz.conf
-rw-r--r-- 1 root root 538 Dec 16 12:38 chat.hugoclo411.xyz.csr
-rw-r--r-- 1 root root 214 Dec 16 12:38 chat.hugoclo411.xyz.csr.conf
-rw-r--r-- 1 root root 359 Jul 4 21:19 chat.hugoclo411.xyz.key
-rw-r--r-- 1 root root 3335 Dec 16 12:38 fullchain.cer

My rocket.conf:
server {
    listen 80;
    server_name chat.hugoclo411.xyz;
    return 301 https://chat.hugoclo411.xyz;
}

# Upstreams

upstream backend {
    server 127.0.0.1:3000;
}

# HTTPS Server

server {
    server_name chat.hugoclo411.xyz;

    error_log /var/log/nginx/rocketchat.access.log;

    listen 443 ssl http2;
    ssl on;
    ssl_certificate /root/.acme.sh/chat.hugoclo411.xyz_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/chat.hugoclo411.xyz_ecc/chat.hugoclo411.xyz.key;

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}

After restart nginx no change.


#31

Do you really need this section?:


#32

No :grinning:
I deleted it.


#33

What is the problem or error message now?
show:
nginx -t


#34

nginx -t
nginx: [emerg] host not found in upstream "backend" in /etc/nginx/sites-enabled/rocket.conf:20
nginx: configuration file /etc/nginx/nginx.conf test failed

and if I put back #Upstream

nginx -t
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/ssl/server.crt"
nginx: [warn] conflicting server name "_" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@dedi-par-61445op-netcom:/etc/nginx/sites-enabled#


#35

Please show that file.


#36

server {
    listen 80;
    server_name chat.hugoclo411.xyz;
    return 301 https://chat.hugoclo411.xyz;
}

# Upstreams

upstream backend {
    server 127.0.0.1:3000;
}

# HTTPS Server

server {
    server_name chat.hugoclo411.xyz;

    error_log /var/log/nginx/rocketchat.access.log;

    listen 443 ssl http2;
    ssl on;
    ssl_certificate /root/.acme.sh/chat.hugoclo411.xyz_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/chat.hugoclo411.xyz_ecc/chat.hugoclo411.xyz.key;

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}


#37

Now please show it as it is when you have removed the upstream.


#38

server {
    listen 80;
    server_name chat.hugoclo411.xyz;
    return 301 https://chat.hugoclo411.xyz;
}

# HTTPS Server

server {
    server_name chat.hugoclo411.xyz;

    error_log /var/log/nginx/rocketchat.access.log;

    listen 443 ssl http2;
    ssl on;
    ssl_certificate /root/.acme.sh/chat.hugoclo411.xyz_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/chat.hugoclo411.xyz_ecc/chat.hugoclo411.xyz.key;

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}


#39

I think I see it now!!!
These two lines need to be combined:

Replace:
proxy_pass http://backend/;
with:
proxy_pass http://127.0.0.1:3000/;


#40

then retest
nginx -t
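Every nginx error this thread walks through comes from where the vhost file ends up being included: "duplicate upstream" in #23 (the file pulled in twice, as #25 notes), '"upstream" directive is not allowed here' in #27 (the include sitting at the top level of nginx.conf instead of inside http {}), "host not found in upstream" in #34 (proxy_pass still naming an upstream that was deleted, fixed in #39 by pointing proxy_pass at the address), and the stream block inside an http include described in #22. Certbot's nginx plugin runs nginx -t, and when that fails the renewal is skipped before anything else happens. The following is an added example, not code from the thread, from certbot, acme.sh or nginx: a small Python pre-flight lint that parses a set of nginx config files handed to it as text, follows include directives the way nginx does (a glob and an explicit include of the same file both count), and reports those four errors. Two further checks are this example's own assumptions: that every ssl_certificate / ssl_certificate_key path exists (#29 attributes the expired certificate in #28 to nginx still pointing at the old certbot files) and that a private key is not readable by group or others (the listing in #30 shows the acme.sh key at mode 0644). The sample configs are constructed; chat.example.test stands in for the real hostname, and the bare-word-versus-dotted-host rule for proxy_pass targets is a heuristic, not nginx's resolver logic.

```python
import fnmatch
import os
import re
import tempfile

def tokenize(text):
    """Words, quoted strings and the punctuation ; { }; '#' comments are dropped per line."""
    return [t for raw in text.splitlines()
            for t in re.findall(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}"\']+', raw.split("#", 1)[0])]

def parse(tokens):
    """Build a tree of (name, args, children); children is None for a simple directive."""
    root, cur = [], []
    stack = [root]
    for tok in tokens:
        if tok == ";":
            if cur:
                stack[-1].append((cur[0], cur[1:], None))
        elif tok == "{":
            node = (cur[0], cur[1:], [])
            stack[-1].append(node)
            stack.append(node[2])
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
            continue
        cur = []
    return root

def _file_checks(path, directive, target):
    """Assumed checks: the path must exist, and a private key must not be group/world readable."""
    if not os.path.isfile(target):
        return [f"{path}: {directive} {target} does not exist"]
    mode = os.stat(target).st_mode & 0o777
    if directive == "ssl_certificate_key" and mode & 0o044:
        return [f"{path}: private key {target} is readable by group/others (mode {mode:04o})"]
    return []

def lint(files, main="/etc/nginx/nginx.conf"):
    """Lint a config set (path -> text), following include directives the way nginx does."""
    findings, upstreams, proxied = [], {}, []

    def walk(nodes, ctx, path):
        for name, args, children in nodes:
            if name == "include":  # a glob and an explicit include of the same file both count
                for hit in sorted(f for f in files if fnmatch.fnmatch(f, args[0])):
                    walk(parse(tokenize(files[hit])), ctx, hit)
                continue
            if name in ("events", "http", "stream") and ctx != "main":  # top-level-only blocks
                findings.append(f'{path}: "{name}" directive is not allowed here (inside {ctx})')
            elif name == "upstream":
                if ctx != "http":
                    findings.append(f'{path}: "upstream" directive is not allowed here (inside {ctx})')
                elif args[0] in upstreams:
                    findings.append(f'{path}: duplicate upstream "{args[0]}" (first seen in {upstreams[args[0]]})')
                else:
                    upstreams[args[0]] = path
            elif name == "proxy_pass" and not args[0].startswith("$"):
                proxied.append((path, re.sub(r"^\w+://", "", args[0]).split("/")[0]))
            elif name in ("ssl_certificate", "ssl_certificate_key"):
                findings.extend(_file_checks(path, name, args[0]))
            if children is not None:
                walk(children, name, path)  # a block's own name becomes the child context

    walk(parse(tokenize(files[main])), "main", main)
    for path, host in proxied:  # heuristic: a bare word must be an upstream; dotted/IP hosts go to DNS
        if host not in upstreams and "." not in host and ":" not in host:
            findings.append(f'{path}: host not found in upstream "{host}"')
    return findings

# Constructed sample configs: paths as in the thread, hostname replaced by a placeholder.
KEY = "/root/.acme.sh/chat.example.test_ecc/chat.example.test.key"
UPSTREAM_LINE = "upstream backend { server 127.0.0.1:3000; }"
VHOST = f"""
# Upstreams
{UPSTREAM_LINE}
server {{
    listen 443 ssl http2;
    server_name chat.example.test;
    ssl_certificate     /root/.acme.sh/chat.example.test_ecc/fullchain.cer;
    ssl_certificate_key {KEY};
    location / {{ proxy_pass http://backend/; }}
}}
"""
MAIN_OK = "events { worker_connections 768; }\nhttp { include /etc/nginx/sites-enabled/*; }\n"
MAIN_DOUBLE_INCLUDE = MAIN_OK.replace("*;", "*; include /etc/nginx/sites-enabled/rocket.conf;")

def check(main_text, vhost_text=VHOST):
    return lint({"/etc/nginx/nginx.conf": main_text, "/etc/nginx/sites-enabled/rocket.conf": vhost_text})

def demo_key_permissions(mode):
    """Point the vhost at a throwaway key created with the given mode, lint, clean up."""
    fd, key = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    os.chmod(key, mode)
    try:
        return check(MAIN_OK, VHOST.replace(KEY, key))
    finally:
        os.unlink(key)
```

check(MAIN_DOUBLE_INCLUDE) reproduces the #23 error, check(MAIN_OK, VHOST.replace(UPSTREAM_LINE, "")) the #34 one, and prepending "include /etc/nginx/sites-enabled/rocket.conf;\n" to MAIN_OK the #27 one; the proxy_pass-to-address form from #39 comes back clean apart from the missing-file findings on a host that does not have those certificate files. This is a static check only: nginx -t remains the authority, and the value of the lint is telling you which include is the culprit before certbot's own nginx -t aborts the renewal, or before acme.sh's post-hook tries to start an nginx that cannot start.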