Hi everyone!
I am so discouraged right now… Every time I try to use certbot, it seems I am doing it all wrong… Sometimes it does automatically update the certificates but it does not reload nginx, sometimes it does not update at all, …
This time, I had a perfectly fine running server (serving multiple websites), and when I tried to update the certificates manually, it told me that the challenge failed: for domain static.amore.education it was giving me an app.amore.education/.well-known/... URL (what the hell?)
I decided to remove the certificates and try again from a clean slate.
Everything went fine. I updated my nginx vhost to serve SSL on 443 instead of 80. I tested the configuration using nginx -t and it went fine… Yay, victory! …
…Until I finally restarted nginx to update the vhost, and then all my hosted websites went down.
On Firefox I get: Secure Connection Failed. An error occurred during a connection to app.amore.education. PR_END_OF_FILE_ERROR
On Chrome I get ERR_CONNECTION_CLOSED (and sometimes “reset”)
On SSLLabs I get: Assessment failed: No secure protocols supported
On Edge I get: Ce site utilise peut-être des paramètres de sécurité TLS obsolètes ou non sécurisés. (this site may be using obsolete or unsecured TLS security parameters)
And all my other SSL-served websites are now down (I still have a 80-served website and it works fine)
Even when I switched my amore.education website back to non-secure 80, my other websites were still failing (e.g. https://www.chacomdif.fr)
Last but not least, I just removed certbot and used certbot-auto with version 1.3.0 and I generated the certificates again, but it still does not work
I checked the vhost file 50 times (see below) and I don’t see what’s wrong… (heck, it was working fine, before I tried to update the certificates in the first place)
My domain is: {app,static,api}.amore.education
I ran this command: certbot certonly --webroot (and then certbot-auto certonly --webroot)
It produced this output:
root@toto-paris-01:/etc/nginx/sites-available# certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): app.amore.education api.amore.education static.amore.education
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.amore.education
http-01 challenge for app.amore.education
http-01 challenge for static.amore.education
Input the webroot for api.amore.education: (Enter 'c' to cancel): /var/www/amore/public/webhost
Select the webroot for app.amore.education:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/www/amore/public/webhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Select the webroot for static.amore.education:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/www/amore/public/webhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Input the webroot for static.amore.education: (Enter 'c' to cancel): /var/www/amore/public/static
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/app.amore.education/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/app.amore.education/privkey.pem
Your cert will expire on 2020-07-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
My web server is (include version):
nginx 1.10.3
The operating system my web server runs on is (include version):
debian 9.11 (SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux)
My hosting provider, if applicable, is:
vultr
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0 (and then certbot 1.3.0)
Excerpt of my vhost file:
server {
    listen 80;
    server_name amore.education;
    return 301 https://app.$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name amore.education;
    return 301 https://app.$server_name$request_uri;
}
server {
    listen 80;
    server_name app.amore.education api.amore.education static.amore.education;
    return 301 https://$server_name$request_uri;
}
server {
    include snippets/ssl.conf;
    #rewrite_log on;
    server_name app.amore.education;
    root /var/www/amore/public/webhost;
    index webapp.php;
    error_log /var/log/nginx/amore-webapp.error.log; # debug;
    access_log /var/log/nginx/amore-webapp.access.log;
    include snippets/restrictions.conf;
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|eot|ttf|otf|woff|woff2)$ {
        try_files $uri =404;
        fastcgi_hide_header Set-Cookie;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
        add_header 'Access-Control-Max-Age' 86400;
        expires 1y;
        log_not_found off;
        access_log off;
        include snippets/preflight_204.conf;
    }
    location ~ \.php$ {
        # fastcgi_param MY_COUNTRY zt;
        include snippets/myfastcgi.conf;
    }
    location / {
        try_files $uri @app; # /webapp.php?_url=$request_uri;
    }
    location @app {
        rewrite ^ /webapp.php?_url=$request_uri last;
    }
}
And snippets/ssl.conf:
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/app.amore.education/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.amore.education/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/app.amore.education/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
Does someone understand what the elephant in the room is that I am not seeing right now?
Please help.
Thanks, and take care, all of you,
Renaud
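One structural point worth checking in a config like the one posted above: the second server block (`listen 443 ssl http2; server_name amore.education;`) accepts TLS on 443 but carries no `ssl_certificate`/`ssl_certificate_key`, and because it is the first block listening on that port it is also the port's default server, which is the block nginx uses to start every TLS handshake before SNI routing picks the real vhost. A default server without a certificate makes nginx close the connection during the handshake, which is what "connection closed" / end-of-file errors in the browser look like. Whether that is the cause here is not something the thread settles; the script below is an added example, not code from the original post, that audits an nginx config for exactly this class of mistake. It parses the config in memory (a dict of filename to contents stands in for the filesystem and is a constructed, abbreviated copy of the vhost and snippets/ssl.conf shown above), follows `include` directives it can find, and reports every `ssl` listener without a certificate, marking which one is the default server for its port. Directives whose includes cannot be resolved are listed so the reader knows what was not checked.

```python
"""Audit nginx server blocks for `listen ... ssl` without an ssl_certificate.

Added example for the thread above, not the poster's or nginx's own code. The
config "filesystem" is a constructed dict; replace FILES with real file reads
(or the output of `nginx -T`) to run it against a live host.
"""
from typing import Dict, List, Optional, Tuple

Directive = Tuple[str, List[str], Optional[list]]  # (name, args, children-or-None)

# Constructed stand-in for the files on disk: an abbreviated copy of the
# vhost and snippets/ssl.conf posted in the thread (paths shortened).
FILES: Dict[str, str] = {
    "sites-available/amore": """
server { listen 80; server_name amore.education; return 301 https://app.$server_name$request_uri; }
server { listen 443 ssl http2; server_name amore.education; return 301 https://app.$server_name$request_uri; }
server { listen 80; server_name app.amore.education api.amore.education static.amore.education; return 301 https://$server_name$request_uri; }
server {
    include snippets/ssl.conf;
    #rewrite_log on;
    server_name app.amore.education;
    root /var/www/amore/public/webhost;
    location ~ \\.php$ { include snippets/myfastcgi.conf; }
}
""",
    "snippets/ssl.conf": """
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/app.amore.education/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app.amore.education/privkey.pem;
ssl_stapling on;
""",
}


def tokenize(text: str) -> List[str]:
    """Split nginx config text into tokens, dropping `#` comments and quotes."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":  # comment runs to end of line
            j = text.find("\n", i)
            i = n if j < 0 else j + 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":  # quoted argument, backslash escapes allowed
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};#":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(tokens: List[str], pos: int = 0) -> Tuple[List[Directive], int]:
    """Build a directive tree; a block's children are a nested list."""
    out, args = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ";":
            out.append((args[0], args[1:], None)); args = []; pos += 1
        elif tok == "{":
            children, pos = parse(tokens, pos + 1)
            out.append((args[0], args[1:], children)); args = []
        elif tok == "}":
            return out, pos + 1
        else:
            args.append(tok); pos += 1
    return out, pos


def load(files: Dict[str, str], name: str) -> List[Directive]:
    """Parse one file and splice in any include whose target we have."""
    tree, _ = parse(tokenize(files[name]))
    return _expand(tree, files)


def _expand(tree: List[Directive], files: Dict[str, str]) -> List[Directive]:
    out: List[Directive] = []
    for name, args, children in tree:
        if name == "include" and args and args[0] in files:
            out.extend(load(files, args[0]))  # resolved include
        elif children is not None:
            out.append((name, args, _expand(children, files)))
        else:
            out.append((name, args, None))  # unresolved includes stay visible
    return out


def audit(files: Dict[str, str], entry: str) -> List[dict]:
    """One record per server block that has an `ssl` listener."""
    servers: List[List[Directive]] = []

    def walk(tree: List[Directive]) -> None:
        for name, _, children in tree:
            if name == "server":
                servers.append(children or [])
            elif children:
                walk(children)

    walk(load(files, entry))
    explicit = {a[0] for body in servers for n, a, _ in body
                if n == "listen" and "default_server" in a}
    records, seen = [], set()
    for body in servers:
        listens = [a for n, a, _ in body if n == "listen" and "ssl" in a[1:]]
        if not listens:
            continue
        port = listens[0][0]
        names = next((a for n, a, _ in body if n == "server_name"), [])
        records.append({
            "server_name": " ".join(names) or "(none)",
            "listen": port,
            # nginx's default server for a port: the explicit default_server,
            # else the first block that listens on it.
            "default_server": "default_server" in listens[0]
                              or (port not in explicit and port not in seen),
            "has_certificate": any(n == "ssl_certificate" for n, _, _ in body),
            # server-level includes we could not read: ssl_certificate may hide there
            "unresolved_includes": [a[0] for n, a, _ in body if n == "include"],
        })
        seen.add(port)
    return records


def missing_certificate(records: List[dict]) -> List[dict]:
    return [r for r in records if not r["has_certificate"]]


if __name__ == "__main__":
    for r in missing_certificate(audit(FILES, "sites-available/amore")):
        tag = " (DEFAULT SERVER for this port: breaks every TLS handshake)" if r["default_server"] else ""
        print(f"{r['server_name']} listens on {r['listen']} with ssl but no ssl_certificate{tag}")
        if r["unresolved_includes"]:
            print("  unchecked includes:", ", ".join(r["unresolved_includes"]))
```

Run against the constructed copy it flags only the `amore.education` block and marks it as the default server for 443; the `app.amore.education` block passes because its certificate arrives through the resolved `snippets/ssl.conf`. On a real host, feed it the files `nginx -T` prints, and remember that newer nginx releases reject this configuration at `nginx -t` time, while older ones like the 1.10 series on Debian 9 only fail at handshake time, so a clean `nginx -t` is not evidence that every ssl listener has a certificate.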