Hello i am unable to Generate SSL for following domain
Heres the output i get after running ssl generation command
Please Help me urgently whats the issue is this dns problem required
Check that your website's webroot in nginx is indeed /usr/share/nginx/html otherwise certbot will be writing files but requests to https://walletlytest.xyz/.well-known/acme-challenge won't return the correct information.
I note that your website currently has a cert that resolves to aaagroup.xyz which implies you have multiple sites on this server, which also implies that /usr/share/nginx/html is not the actual webroot for this site (is it a subfolder of that?)
1 Like
the multiple domain is serving same site whitelabeling
@Naveed10 Cross posting isn't going to help. You'll eventually get help on your original thread: SSL Not Generating
2 Likes
@Naveed10 welcome to the LE community forum 
The "python/urllib" errors seem to be caused when certbot has been installed via pip.
In any case, I would recommend that you uninstall certbot (don't delete anything manually).
Then reinstall it from APT or SNAPS.
@Naveed10 You seem to have a server config problem or using the wrong -w location in your Certbot command. This was pointed out by @webprofusion in post #2 in this thread.
The path used for -w should match the root folder in the nginx server definition for walletlytest.xyz
If you still can't get it to work, please run sudo nginx -T and post the results. Use three backticks (```) before and after the output to have it nicely formatted. Or, save the output to a file and upload it.
1 Like
That is a different error.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/aaagroup.xyz.conf:
server {
listen 80;
listen [::]:80;
server_name www.aaagroup.xyz aaagroup.xyz;
root /usr/share/nginx/html;
return 301 https://$host$request_uri;
}
server{
listen 443 ssl;
listen [::]:443 ssl;
server_name www.aaagroup.xyz aaagroup.xyz;
root /home/ubuntu/walletly2-live-react-frontend-v1/build;
location / {
try_files $uri /index.html;
}
ssl_certificate /etc/letsencrypt/live/aaagroup.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aaagroup.xyz/privkey.pem;
location /api/ {
proxy_pass http://0.0.0.0:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location ~ /.well-known {
root /usr/share/nginx/html;
allow all;
}
}
# configuration file /etc/nginx/conf.d/business.futuremoneyclub.com.au.conf:
server {
if ($host = business.futuremoneyclub.com.au) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name business.futuremoneyclub.com.au;
root /usr/share/nginx/html;
return 301 https://$host$request_uri;
}
server{
listen 443 ssl;
listen [::]:443 ssl;
server_name business.futuremoneyclub.com.au;
root /home/ubuntu/walletly2-live-react-frontend-v1/build;
location / {
try_files $uri /index.html;
}
location /api/ {
proxy_pass http://0.0.0.0:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location ~ /.well-known {
root /usr/share/nginx/html;
allow all;
}
ssl_certificate /etc/letsencrypt/live/business.futuremoneyclub.com.au/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/business.futuremoneyclub.com.au/privkey.pem; # managed by Certbot
}
# configuration file /etc/nginx/conf.d/v2-live-walletly.conf:
server {
server_name api.walletly.ai;
root /home/ubuntu/walletly2-live-react-frontend-v1/build;
location / {
try_files $uri /index.html;
}
location /api/ {
proxy_pass http://0.0.0.0:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/api.walletly.ai/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/api.walletly.ai/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = api.walletly.ai) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name api.walletly.ai;
listen 80;
return 404; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
I am first generating the ssl and then the conf file for that ssl is being made by script of code
@Naveed10 Thanks. I will look at it. Please change the backtick marks on top and bottom to just 3 backticks: ```
I should have been clearer about that. I have the info ok - changing will help others
1 Like
thanks i urgently need the answer
the command i am running is following
sudo certbot certonly -a webroot --webroot-path=/usr/share/nginx/html -n -d ${domain} -d www.${domain} --expand
1 Like
@Naveed10 Your certbot certonly command for ... -d walletlytest.xyz ... is failing because you do not have a server definition by that name in your nginx conf. In that case, nginx will use the default server which in your case is the first server defined for www.aaagroup.xyz aaagroup.xyz;
You need to add a server definition for walletlytest.xyz in a similar manner as you have all your other servers defined.
i am trying to generate ssl first then i have default.conf file in which current domain is replaced by placeholder and we move that conf file to conf.d folder
Hmmm. I think I understand. Is the nginx conf you showed the active conf when running the certbot command? Or do you run nginx with just the default conf template for that?
Also, this will not change anything but I think you should move your:
location ~ /.well-known {
root /usr/share/nginx/html;
allow all;
}
from the server definitions for 443 and put it in the port 80 section. The challenge requests from Lets Encrypt will come to port 80 so you can process it more quickly there. You currently redirect all port 80 (http) requests to 443 (https) which is slower and adds complication.
You need a functional HTTP site before you can secure it (via HTTP authentication).
Add something like:
server {
server_name walletlytest.xyz www.walletlytest.xyz;
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
location ~ /.well-known/acme-challenge {
root /usr/share/nginx/html;
allow all;
}
location / {
return 301 https://$host$request_uri;
}
}
@rg305 Rudy, I think they are trying to automate the creation of a long series of server defs. They seem to use a different conf when actually running the certbot request. I say this because the posted conf redirects all http traffic to https. But, the errors they posted earlier show a request to just the http well-known endpoint (which was not redirected).
Also, the default server in the posted conf has a root folder different than used in their -w webroot path. So, I think there is a different conf used.
So, I think their process goes like this:
- Start nginx with just a single default server for port 80
- Run a series of certbot commands to generate certs. Create a 'master' server def file with names from each successful cert. The default nginx server will process any server name challenge request due to nginx SNI name selection. The SNI name wont match anything so just falls into default server.
- Stop nginx and restart it using the 'master' conf just created
I could be wrong, but that's how I interpret the explanation. A couple things do not fit that idea well such as they have a location statement for /.well-known in their port 443 listener in the 'master' which would not be needed. Unless they plan to renew via the master conf with a different process than this initial setup.
I would be inclined to do such a thing differently. This method, if that's what they are doing, is trickier to debug and not very intuitive.
1 Like