Ssl certificate issue

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:giveaway.ozonechain.io

I ran this command:certbot certonly --nginx -d "giveaway.ozonechain.io"

It produced this output:Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/giveway.ozonechain.io/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/giveway.ozonechain.io/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] cannot load certificate "/etc/letsencrypt/live/giveway.ozonechain.io/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/giveway.ozonechain.io/fullchain.pem, r) error:10000080:BIO routines::no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):nginx

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:yes

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2

my nginx file is server {
listen 80;
server_name giveway.ozonechain.io;

return 301 https://$host$request_uri;

}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name giveway.ozonechain.io;

ssl_certificate /etc/letsencrypt/live/giveway.ozonechain.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/giveway.ozonechain.io/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# ssl_dhparam /etc/nginx/ssl/dhparam;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

ssl_trusted_certificate /etc/letsencrypt/live/giveway.ozonechain.io/chain.pem; 

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

location / {
    include proxy_params;
    proxy_pass http://127.0.0.1:3000;
}

error_page   500 502 503 504  /50x.html;
location = /50x.html {
    root   /usr/share/nginx/html;
}

access_log /var/log/nginx/giveway.ozonechain.io.access;
error_log /var/log/nginx/giveway.ozonechain.io.error;

}

3

What's the output of the command sudo certbot certificates?

2 Likes
4

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

No certificates found.

1 Like
5

Then you've deleted a previously issued certificate without removing said certificate from your nginx configuration, thus breaking said nginx configuration, as expected.

See also:

https://eff-certbot.readthedocs.io/en/stable/using.html#safely-deleting-certificates

2 Likes
6

no i have not deleted, just now i created server and just now gave the certbot command to generate certificate

7

i generated ssl certificates
its present in /etc/letsencrypt/live
but nginx is not active with error cannot load certificate "/etc/letsencrypt/live/giveway.ozonechain.io/fullchain.p>
server {
listen 80;
server_name giveway.ozonechain.io;

return 301 https://$host$request_uri;

}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name giveway.ozonechain.io;

ssl_certificate /etc/letsencrypt/live/giveway.ozonechain.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/giveway.ozonechain.io/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# ssl_dhparam /etc/nginx/ssl/dhparam;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

ssl_trusted_certificate /etc/letsencrypt/live/giveway.ozonechain.io/chain.pem; 

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

location / {
    include proxy_params;
    proxy_pass http://127.0.0.1:3000;
}

error_page   500 502 503 504  /50x.html;
location = /50x.html {
    root   /usr/share/nginx/html;
}

access_log /var/log/nginx/giveway.ozonechain.io.access;
error_log /var/log/nginx/giveway.ozonechain.io.error;

}

8

Ah, did you copy the nginx configuration from somewhere else in that case?

Please show the (new) output of sudo certbot certificates again.

2 Likes
9

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: giveaway.ozonechain.io
Serial Number: 465599e986d84de2432888c2d933917b39c
Key Type: ECDSA
Domains: giveaway.ozonechain.io
Expiry Date: 2024-03-12 10:43:40+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/giveaway.ozonechain.io/fullchain.pem
Private Key Path: /etc/letsencrypt/live/giveaway.ozonechain.io/privkey.pem

10

nginx configuration file i copied from different server but chnaged domain name is that should be fine rt?

11

Your nginx is configured for the giveway subdomain, but your new certificate is for giveaway. A subtle, but important detail.

1 Like
12

Thank you website is secure

1 Like
13

Great!

Please make sure you don't have any un-used certificates laying around.

2 Likes
14

No, the nginx config cannot refer to cert files that do not exist. nginx will fail to start.

3 Likes
15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.