Setting up auto renew when standalone was installed AND creating a cert for a second URL connecting to the same site

mike44pt · June 2, 2022, 2:04am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: TheCarusoMethod.com MichaelCarusoPT.com

I ran this command:
[root@ip-172-31-24-254 ~]$systemctl stop nginx
[root@ip-172-31-24-254 ~]$certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/thecarusomethod.com.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for thecarusomethod.com
Performing the following challenges:
http-01 challenge for thecarusomethod.com
Waiting for verification...
Cleaning up challenges
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/thecarusomethod.com/fullchain.pem
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/thecarusomethod.com/fullchain.pem (success)

[root@ip-172-31-24-254 ~]$systemctl start nginx

My web server is (include version): AWS centos

The operating system my web server runs on is (include version): PHP 7.4.29

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site: Wordpress 6.0 (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Sorry I'm such a novice at this and have not had the time to put into learning more.
Certbot was setup by support person but I think they should not have used the standalone version because I have to stop nginx and run renew manually every few months.
Can I work around this to set up auto renew and include both addresses: TheCarusoMethod.com AND MichaelCarusoPT.com ? Thanks
Mike

rg305 · June 2, 2022, 3:11am

I couldn't agree more.

Yes; Definitely.

Let's start down that path, with the outputs of:
certbot certificates
nginx -T

mike44pt · June 2, 2022, 1:53pm

Thanks rg305, okay I’ll run those and post in a bit

Osiris · June 2, 2022, 1:55pm

With "with the outputs of" @rg305 meant for you to run the two commands below it and paste the output here.

mike44pt · June 3, 2022, 12:42am

[root@ip-172-31-24-254 ~]$certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
  Certificate Name: thecarusomethod.com
    Serial Number: 44947340ddf1aff17d2a036caa3342e7fd8
    Key Type: RSA
    Domains: thecarusomethod.com
    Expiry Date: 2022-08-30 23:44:20+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/thecarusomethod.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/thecarusomethod.com/privkey.pem

[root@ip-172-31-24-254 ~]$nginx -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# NGINX Configuration
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
  worker_connections 1024;
}
http {
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
  access_log  /var/log/nginx/access.log  main;

  gzip                 on;
  sendfile             on;
  tcp_nopush           on;
  tcp_nodelay          on;
  server_tokens        off;
  keepalive_timeout    65;
  types_hash_max_size  2048;
  client_max_body_size 200m;
  include      /etc/nginx/mime.types;
  default_type application/octet-stream;
  server {
    listen       80 default_server;
    server_name  localhost;
    root         /srv/wordpress;
    index        index.php;
server_name  TheCarusoMethod.com ;
listen 443 ssl; # managed by Certbot
# RSA certificate
ssl_certificate /etc/letsencrypt/live/thecarusomethod.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/thecarusomethod.com/privkey.pem; # managed by Certbot
# Redirect non-https traffic to https
if ($scheme != "https") {
        return 301 https://$host$request_uri;
 } # managed by Certbot
    location = /favicon.ico {
      log_not_found off;
      access_log off;
    }
    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }
    location / {
      try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
      include /etc/nginx/fastcgi_params;
      fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param HTTP_PROXY "";
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
      expires max;
      log_not_found off;
    }
  }
}
# configuration file /etc/nginx/mime.types:
types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;
    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;
    font/woff                                        woff;
    font/woff2                                       woff2;
    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;
    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

rg305 · June 3, 2022, 4:42am

mike44pt:

  server {
    listen       80 default_server;
    server_name  localhost;
    root         /srv/wordpress;
    index        index.php;
server_name  TheCarusoMethod.com ;
listen 443 ssl; # managed by Certbot
# RSA certificate
ssl_certificate /etc/letsencrypt/live/thecarusomethod.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/thecarusomethod.com/privkey.pem; # managed by Certbot
# Redirect non-https traffic to https
if ($scheme != "https") {
        return 301 https://$host$request_uri;
 } # managed by Certbot
    location = /favicon.ico {
      log_not_found off;
      access_log off;
    }
    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }
    location / {
      try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
      include /etc/nginx/fastcgi_params;
      fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param HTTP_PROXY "";
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
      expires max;
      log_not_found off;
    }
  }

You are using one single server block to do HTTP and HTTPS.
Although that might be possible, it is not for the average admin.

I would highly recommend separating the two from each other.
And... putting both into dedicated included files [not within the main HTTP block].

mike44pt · June 3, 2022, 4:15pm

Thank you rg305.

This is way beyond what I can do, which is very little.

Where might I find someone that can help get this done? I can check with AWS support but they set this up this way in the first place.

rg305 · June 3, 2022, 5:53pm

I'm sorry, I wouldn't know.

jvanasco · June 3, 2022, 8:51pm

If you're willing to try...

Backup all the files.
Deleting these lines and restarting nginx should make your site only work on HTTP:

listen 443 ssl; # managed by Certbot
# RSA certificate
ssl_certificate /etc/letsencrypt/live/thecarusomethod.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/thecarusomethod.com/privkey.pem; # managed by Certbot
# Redirect non-https traffic to https
if ($scheme != "https") {
        return 301 https://$host$request_uri;
 } # managed by Certbot

you should be able to run certbot with the instructions here for nginx + centos

Ideally that should work for your needs.

certbot should realize you have active certificates and install them, and I think that should upgrade the renewal.

I'm not 100% sure that would work, but it looks like those are the only https lines, and removing them should be enough of a "reset" to let certbot do it's thing.

system · July 3, 2022, 8:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.