`server block not found` even though I am 99% sure it should be

Joshument · February 13, 2023, 1:26am

My domain is: joshument.dev

I ran this command: certbot install --cert-name joshument.dev

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying certificate
Could not install certificate
Could not automatically find a matching server block for joshument.dev. Set the `server_name` directive to use the Nginx installer.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx 1.22.0

The operating system my web server runs on is (include version): FreeBSD 1.13.1-RELEASE-p1

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.31.0

I've tried searching for a solution but everything seems to point out the obvious. Here's the output of my nginx -T, which is what leads me to believe that it does exist:

nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
# configuration file /usr/local/etc/nginx/nginx.conf:

#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    # server {
        #listen       80;
        #server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        #location / {
            #root   /usr/local/www/nginx;
            #index  index.html index.htm;
        #}

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page   500 502 503 504  /50x.html;
        #location = /50x.html {
            #root   /usr/local/www/nginx-dist;
        #}

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    # }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
    include "vdomains/*.conf";
}

# configuration file /usr/local/etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /usr/local/etc/nginx/vdomains/http.155.138.149.130.conf:
server {
    server_name 155.138.149.130; # virtual IP or domain name here
    listen 80;
    access_log  /var/log/nginx/155.138.149.130.access.log;  # log files
    error_log  /var/log/nginx/155.138.149.130.error.log;
    root /wwwjoshument;
    index index.html;

    location / {
        try_files $uri $uri/ $uri.html /index.html;
    }
    location /img {
        alias /wwwjoshument/img;
    }
}

# configuration file /usr/local/etc/nginx/vdomains/https.joshument.dev.conf:
server {
    server_name joshument.dev www.joshument.dev; # virtual IP or domain name here
    listen 80;
    access_log  /var/log/nginx/joshument.dev.access.log;  # log files
    error_log  /var/log/nginx/joshument.dev.error.log;
    root /wwwjoshument;
    index index.html;

    listen 443 ssl;

    ssl_certificate /usr/local/etc/letsencrypt/live/joshument.dev/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/joshument.dev/privkey.pem;

    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;

    location / {
        try_files $uri $uri/ $uri.html /index.html;
    }
    location /img {
        alias /wwwjoshument/img;
    }
}
# the rest of this looked kind of private so I'm choosing not to include it, it was certbot generated though

Bruce5051 · February 13, 2023, 1:41am

Hello @Joshument, welcome to the Let's Encrypt community.

Here is a list of issued certificates crt.sh | joshument.dev, the latest being 2023-02-13.

Yet this SSL Server Test: joshument.dev (Powered by Qualys SSL Labs) show the certificate that Expired on 2023-02-05 is still being served.

Joshument · February 13, 2023, 2:20am

Yes, that appears to be the problem. Is there a reason why it's failing to find my server block?

rg305 · February 13, 2023, 3:56am

That single server block has both secure and insecure listening ports.

Joshument · February 13, 2023, 4:39am

commenting out either of them does not do anything - same issue occurs. I don't know why it would cause a problem anyways since it was like that the last time I generated the certificate?

schoen · February 13, 2023, 4:58am

My guess offhand is that Certbot's nginx configuration parser doesn't think the http block is a place where include directives should be processed. (I didn't check this, it's just a guess.)

Is it plausible to move that include outside of the http block?

If that fixes the problem, but nginx doesn't complain about the original version, then this does count as a minor Certbot bug because it's a discrepancy between the (somewhat weird and complex) nginx configuration language and Certbot's parser for it.

MikeMcQ · February 13, 2023, 5:04am

I don't think that is it. Certbot routinely inserts an include for that options-ssl-nginx.conf file in the port 443 server block. Unless it's some wierd combination of the include in a mixed port server block but that doesn't feel like a problem a parser would make.

schoen · February 13, 2023, 5:13am

@Joshument, does your /var/log/letsencrypt log show that the include is being followed?

jvanasco · February 13, 2023, 9:29am

Exactly why are you doing this and what are you trying to accomplish? IIRC, install is used to modify an existing cert. As @Bruce5051 mentioned you were issued a new certificate, and both the name of the existing certificate in the configuration file and the one you want to use are the same. It seems like you're trying to install the same certificate onto itself, which doesn't make sense to me as that would not change anything in the configuration (unless you somehow configured certbot with a new --config-dir). Am I missing something? AFAIK, you shouldn't need to do anything other than restarting nginx. You might want to first invoke nginx -t to ensure the config is valid; but I don't understand what you are trying to accomplish.

In terms of not finding a matching server block, I think that could be because the current block listens to both 80 and 443 (versions of certbot did not like that; I don't know if that has changed) or because you are trying to essentially do a null-op installation that would change nothing. There very well could be another reason, but those two pop out at me.

I strongly doubt that. Nginx allows include in any context, and has since the earliest releases. include was designed as a core component to not only work like apache's version, but also function as a way to build reusable macros. Certbot would be incompatible with a significant percentage of Nginx installations if it could not handle that.

rg305 · February 13, 2023, 9:34am

Does no one else see this?:

Joshument:

# configuration file /usr/local/etc/nginx/vdomains/https.joshument.dev.conf:
server {
    server_name joshument.dev www.joshument.dev; # virtual IP or domain name here
>>> listen 80; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    access_log  /var/log/nginx/joshument.dev.access.log;  # log files
    error_log  /var/log/nginx/joshument.dev.error.log;
    root /wwwjoshument;
    index index.html;

>>> listen 443 ssl; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

    ssl_certificate /usr/local/etc/letsencrypt/live/joshument.dev/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/joshument.dev/privkey.pem;

    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;

    location / {
        try_files $uri $uri/ $uri.html /index.html;
    }
    location /img {
        alias /wwwjoshument/img;
    }
}

Osiris · February 13, 2023, 10:46am

With nginx that's very common I believe. However, I lack experience with Certbot & nginx, so perhaps Certbot chokes on it.

Joshument · February 13, 2023, 1:25pm

I dunno what I was doing wrong but it decides to work now, I guess I was just stupid with the nginx config lol. Thanks for the help though

jvanasco · February 13, 2023, 4:43pm

rg305:

Does no one else see this?:

I did, and think that may be the issue too. As I mentioned above, I recall some versions of Certbot's nginx installer did not like 80+443 on the same host.

system · March 15, 2023, 4:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.