Certificate renewal


#61

#62

nginx doesn’t start
nginx.service - nginx - high performance web server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2018-12-17 19:52:42 CET; 15s ago
Docs: http://nginx.org/en/docs/
Process: 2333 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)

Dec 17 19:52:42 dedi-par-61445op-netcom systemd[1]: Starting nginx - high performance web server…
Dec 17 19:52:42 dedi-par-61445op-netcom nginx[2333]: nginx: [warn] “ssl_stapling” ignored, issuer certificate not found for certificate “/etc/nginx/ssl/server.crt
Dec 17 19:52:42 dedi-par-61445op-netcom nginx[2333]: nginx: [emerg] PEM_read_bio_X509_AUX(”/root/.acme.sh/cloud.hugoclo411.xyz_ecc/fullchain.cer") failed (SSL: er
Dec 17 19:52:42 dedi-par-61445op-netcom systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 17 19:52:42 dedi-par-61445op-netcom systemd[1]: Failed to start nginx - high performance web server.
Dec 17 19:52:42 dedi-par-61445op-netcom systemd[1]: nginx.service: Unit entered failed state.
Dec 17 19:52:42 dedi-par-61445op-netcom systemd[1]: nginx.service: Failed with result ‘exit-code’.


#63

show:
nginx -t


#64

nginx: [warn] “ssl_stapling” ignored, issuer certificate not found for certificate “/etc/nginx/ssl/server.crt”
nginx: [emerg] PEM_read_bio_X509_AUX("/root/.acme.sh/cloud.hugoclo411.xyz_ecc/fullchain.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed


#65

The problem is either:

  • your system doesn’t like ECC certs - try using RSA
  • your system doesn’t like the trust chain or root for the new cert - (don’t know how to fix that)

#66

Try with defaults for now:
acme.sh --issue -d cloud.hugoclo411.xyz --pre-hook “systemctl stop nginx” --standalone --post-hook “systemctl start nginx”

then you must update the cert path in nextcloud.conf to match new cert path


#67

/.acme.sh/cloud.hugoclo411.xyz_ecc# acme.sh --issue --force -d cloud.hugoclo411.xyz --pre-hook “systemctl stop nginx” --standalone --post-hook “systemctl start nginx”
[Mon Dec 17 20:02:53 CET 2018] Unknown parameter : stop


#68

I got that text from your post.


#69

Try:
acme.sh \
–issue \
-d cloud.hugoclo411.xyz \
–pre-hook “systemctl stop nginx” \
–standalone \
–post-hook “systemctl start nginx”


#70

Try:

acme.sh \
--issue \
-d cloud.hugoclo411.xyz \
--pre-hook “systemctl stop nginx” \
--standalone \
--post-hook “systemctl start nginx”

#71

Try it with single quotes:

acme.sh \
--issue \
-d cloud.hugoclo411.xyz \
--pre-hook 'systemctl stop nginx' \
--standalone \
--post-hook 'systemctl start nginx'

#72

Or all in one line (if you like):
acme.sh --issue -d cloud.hugoclo411.xyz --pre-hook 'systemctl stop nginx' --standalone --post-hook 'systemctl start nginx'


#73

This is not correct. Read the error message:

Expecting: TRUSTED CERTIFICATE

This means that the file listed, fullchain.cer, does not contain a PEM-formatted certificate. You can see
https://ma.ttias.be/nginx-ssl-certificate-errors-pem_read_bio_x509_aux-pem_read_bio_x509-ssl_ctx_use_privatekey_file/#PEM_read_bio_X509_AUX for some discussion of this problem.


#74

/.acme.sh/cloud.hugoclo411.xyz_ecc# openssl rsa -noout -modulus -in /root/.acme.sh/cloud.hugoclo411.xyz_ecc/cloud.hugoclo411.xyz.key 2> /dev/null | openssl md5
(stdin)= d41d8cd98f00b204e9800998ecf8427e


#75

Please show:
/etc/nginx/sites-enabled/nextcloud.conf


#76

root@dedi-par-61445op-netcom:/etc/nginx/ssl# openssl x509 -noout -modulus -in /etc/nginx/ssl/server.crt 2> /dev/null | openssl md5
(stdin)= ae4b0067e587227124d2ed03ddde2e59
root@dedi-par-61445op-netcom:/etc/nginx/ssl# openssl rsa -noout -modulus -in etc/nginx/ssl/server.key 2> /dev/null | openssl md5
(stdin)= d41d8cd98f00b204e9800998ecf8427e


#77

server {
    listen 80;
    server_name cloud.hugoclo411.xyz;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name cloud.hugoclo411.xyz;
    index index.php;

    ssl on;
    ssl_certificate /root/.acme.sh/cloud.hugoclo411.xyz_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/cloud.hugoclo411.xyz_ecc/cloud.hugoclo411.xyz.key;

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

#78

That seems to be a fail.
Please show:
ls -l /root/.acme.sh/cloud.hugoclo411.xyz_ecc/


#79

See:


#80

total 20
drwxr-xr-x 2 root root 4096 Dec 17 19:44 backup
-rw-r--r-- 1 root root 1647 Dec 17 19:36 ca.cer
-rw-r--r-- 1 root root 0 Dec 17 19:44 cloud.hugoclo411.xyz.cer
-rw-r--r-- 1 root root 866 Dec 17 19:44 cloud.hugoclo411.xyz.conf
-rw-r--r-- 1 root root 542 Dec 17 19:36 cloud.hugoclo411.xyz.csr
-rw-r--r-- 1 root root 215 Dec 17 19:36 cloud.hugoclo411.xyz.csr.conf
-rw-r--r-- 1 root root 0 Dec 17 19:44 cloud.hugoclo411.xyz.key
-rw-r--r-- 1 root root 0 Dec 17 19:44 fullchain.cer
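
Added example, not part of any post in this thread: a pre-flight check for the two files that ssl_certificate and ssl_certificate_key point at, covering the 0-byte files listed above and the d41d8cd98f00b204e9800998ecf8427e results from #74 and #76, which is the MD5 of empty input. The function name check_pair and its verdict words are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check a certificate/key pair before
# (re)starting nginx. Function name and verdict words are hypothetical.

# check_pair CERT KEY: prints one verdict, returns 0 only for MATCH.
check_pair() {
    cert=$1 key=$2

    # A 0-byte file gives nginx nothing to parse: "PEM_read_bio:no start line".
    [ -s "$cert" ] || { echo CERT_EMPTY; return 1; }
    [ -s "$key" ]  || { echo KEY_EMPTY;  return 1; }

    # The certificate file must contain a PEM start line.
    grep -Eq '^-----BEGIN (TRUSTED )?CERTIFICATE-----' "$cert" ||
        { echo CERT_NOT_PEM; return 1; }

    # Compare public keys rather than the RSA modulus: "openssl pkey" reads
    # RSA and ECC keys alike, while "openssl rsa -modulus" prints nothing on
    # stdout for an ECC key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=

    # Empty output is the case that hashes to d41d8cd98f00b204e9800998ecf8427e
    # (MD5 of zero bytes): treat it as an error, never as a value to compare.
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo UNREADABLE; return 1
    fi

    [ "$cert_pub" = "$key_pub" ] || { echo MISMATCH; return 1; }
    echo MATCH
}

# Stand-alone use: sh check_pair.sh fullchain.cer domain.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Run it against the exact paths in the nginx server block; any verdict other than MATCH means nginx -t will fail or the server would present a certificate it cannot use.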