SSL problem with certbot

My domain is:
mmbot.online
I ran this command:

The operating system my web server runs on is (include version):
ubuntu 20.04
My hosting provider, if applicable, is:
ovh.com
I can login to a root shell on my machine (yes or no, or I don't know):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Hello, I made a certificate today following the instructions from the link above.
When I ran certbot certificates in the terminal I got:
"Found the following certs:
Certificate Name: mmbot.online
Domains: mmbot.online *.mmbot.online
Expiry Date: 2021-07-05 20:13:45+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mmbot.online/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mmbot.online/privkey.pem"

but the website is not available under https://mmbot.online
What could I have done wrong? Any ideas?
Thanks for all answers <3 !

2 Likes

Hi @hubertNow Welcome to the community.

So at first glance I can see that you have obtained certificates for mmbot.online
But you didn't tell us which server you are using or the actual command you used to obtain your certificate(s).

The command you used makes a huge difference as to whether certbot updates your server configuration for you or not. The output you gave us is good, and it shows where the certificates live on your server.

But the link you provided offers solutions for apache and nginx. Which do you use?
We definitely can help you out, but we need more info to do it.

Rip

3 Likes

Which steps of the guide did you follow? It seems you've gotten a wildcard certificate using step 4. Step 3 however includes the part where a non-wildcard certificate is installed into your webserver, which is required for the certificate to actually do something. That installation step is missing from step 4 entirely.

You seem to be running nginx (not sure why you removed the question about the webserver from the questionnaire.......), so you might be able to install it into your webserver by running:

certbot install --nginx --cert-name mmbot.online

Sometimes the install subcommand doesn't work, but we'll tackle that later if it doesn't.

Also note that if you used the --manual process like in the guide, as you probably did, you can't automatically renew the certificate when it expires (which is 90 days from issuance). Do you actually require a wildcard certificate, or could you just as easily have things working with a certificate for mmbot.online and www.mmbot.online (and perhaps a few more subdomains)? That would make your life much easier.

4 Likes

Welcome to the Let's Encrypt Community, Hubert :slightly_smiling_face:

I noticed that your HTTPS port 443 is closed. Do you have a router or firewall filtering that port?

4 Likes

Hi guys! Thanks for so much support. So, starting from the beginning, sorry for not precisely describing which command I used.

I used it for nginx.
When I ran certbot install --nginx --cert-name mmbot.online, this is the output I got:
" Which server blocks would you like to modify?


1: File: /etc/nginx/sites-enabled/default

Addresses: 80 default_server, [::]:80 default_server

Names: _

HTTPS: No

2: File: /etc/nginx/sites-enabled/default

Addresses: 443 ssl, 80, [::]:80, [::]:443 ssl

Names: mmbot.online

HTTPS: Yes


Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):"

The last question was about a firewall or port filtering. I'm sorry, I have no idea; I just started my career with front-end, so the terminal for me is a little black magic :frowning:

3 Likes

This is a wildcard certificate, which you likely acquired using manual authentication in certbot by satisfying a dns-01 challenge. Am I correct in assuming that you had to manually add DNS TXT records when you got your certificate? Since it's not possible to use the nginx authenticator to acquire a wildcard certificate since it only supports the http-01 challenge and not the dns-01 challenge necessary to acquire a wildcard certificate, you clearly don't want to use nginx for authentication unless you are OK with not using a wildcard certificate, which is usually the case for the majority of people who initially acquire a wildcard certificate. Installing a wildcard certificate with the nginx installer, on the other hand, is perfectly fine.

As for the port 443 filter, you would need to check the settings in your hosting with ovh.com.

Maybe these might help?

3 Likes

What is the output of this:

sudo nginx -T

Please put 3 backticks ``` on the lines above and below the output to make it more readable.

3 Likes
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

This is the output of sudo nginx -T.

3 Likes

Well... there's no port 443 SSL server block.


Firstly, remove TLSv1 and TLSv1.1 from the ssl_protocols in your http block. They are considered insecure.


Secondly, in your server block change this:

server_name _;

to this:

server_name mmbot.online www.mmbot.online;


Thirdly, try running these (in this order):

sudo nginx -s reload

sudo certbot certonly --nginx -d "mmbot.online,www.mmbot.online" --dry-run

4 Likes
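Added here as a way to check the three points in the reply above against a saved nginx -T dump (example code written for this thread, not from Certbot or the nginx project): it ignores commented-out directives, counts active `listen ... 443 ssl` lines, lists legacy protocols left in `ssl_protocols`, and flags a config that only has the `_` catch-all name. Both sample configs and all function names are constructed for the example.

```shell
# Constructed sample shaped like the thread's nginx -T dump: legacy TLS, no 443 listener, catch-all name.
BROKEN_CONF='
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
}
server {
    listen 80 default_server;
    # listen 443 ssl default_server;
    server_name _;
}
'
# Constructed working layout; the 443/ssl_certificate lines are the kind certbot --nginx adds, using the thread's paths.
FIXED_CONF='
ssl_protocols TLSv1.2 TLSv1.3;
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mmbot.online www.mmbot.online;
    ssl_certificate /etc/letsencrypt/live/mmbot.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mmbot.online/privkey.pem;
}
'
# Drop "#" to end of line so commented-out directives are not counted.
strip_comments() { sed 's/#.*$//'; }

# Number of active listen directives that terminate TLS on port 443 (IPv4 or [::] form).
tls_listener_count() {
    printf '%s\n' "$1" | strip_comments \
        | grep -Ec 'listen[[:space:]]+([^;]*[[:space:]:])?443[[:space:]]+ssl' || true
}

# Space-separated legacy protocols still enabled by ssl_protocols (empty if none).
weak_tls_protocols() {
    printf '%s\n' "$1" | strip_comments | awk '
        /^[ \t]*ssl_protocols[ \t]/ { for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                printf "%s%s", (n++ ? " " : ""), p } }
        END { printf "\n" }'
}

# Number of server_name directives naming a real host (not the "_" catch-all).
named_server_blocks() {
    printf '%s\n' "$1" | strip_comments \
        | grep -Ec 'server_name[[:space:]]+[^_;[:space:]]' || true
}
# One finding per line; prints nothing when the dump looks healthy.
# Live use: audit_nginx_dump "$(sudo nginx -T 2>/dev/null)"
audit_nginx_dump() {
    weak=$(weak_tls_protocols "$1")
    [ "$(tls_listener_count "$1")" -gt 0 ] || echo "no active 'listen 443 ssl' directive: HTTPS cannot answer"
    [ -z "$weak" ] || echo "legacy protocols enabled in ssl_protocols: $weak"
    [ "$(named_server_blocks "$1")" -gt 0 ] || echo "only the catch-all 'server_name _;' is defined"
}
```

Run `audit_nginx_dump "$BROKEN_CONF"` to see all three findings; the same call on the fixed layout prints nothing.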

I used nano /etc/nginx/nginx.conf

and changed

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

to

 ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

Secondly, I used nano /etc/nginx/sites-enabled/default
and changed

# Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

to

# Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name mmbot.online www.mmbot.online;

and then I ran these commands:
sudo nginx -s reload

sudo certbot certonly --nginx -d "mmbot.online,www.mmbot.online" --dry-run

and got this output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mmbot.online
http-01 challenge for www.mmbot.online
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

but I still can't open https://mmbot.online
:frowning:

2 Likes

Sorry, I didn't see that this one is for PHP, and now I changed this section:

#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name mmbot.online www.mmbot.online;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

and got this output

Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mmbot.online
http-01 challenge for www.mmbot.online
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
root@vps-c0a9c57f:~# 
root@vps-c0a9c57f:~# nano /etc/nginx/sites-enabled/default
root@vps-c0a9c57f:~# sudo nginx -s reload
root@vps-c0a9c57f:~# sudo certbot certonly --nginx -d "mmbot.online,www.mmbot.online" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mmbot.online
http-01 challenge for www.mmbot.online
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.
2 Likes

Now try running this... :slightly_smiling_face:

sudo certbot --cert-name mmbot.online --nginx -d "mmbot.online,www.mmbot.online"

4 Likes

You are my GOD, THANK YOU SO MUCH, IT'S ALL WORKING NOW!!!!!! <3<3<3<3

3 Likes

Excellent! :partying_face:

You're very welcome. :blush:

If you run into anything else, you know where to find us.

3 Likes

You might test your renewal too, just to be safe:

sudo certbot renew --dry-run

3 Likes

I ran an SSL Labs Server Test on your website. It passed with an "A" rating. :slightly_smiling_face:

https://www.ssllabs.com/ssltest/analyze.html?d=mmbot.online

3 Likes

What does it mean? I'm sorry for my questions but I started my adventure with front-end and some things for me are completely new :smiley:

2 Likes

It means that your server configuration and certificate are strong enough to resist basically all known attacks and weaknesses. :wink:

3 Likes

I promise that if my adventure with front-end grows I will NEVER EVER TAKE MONEY FROM CUSTOMERS FOR SSL, and I will tell everyone who is interested about this service and website!
Once again THANK YOU VERY MUCH <3!

5 Likes

You're quite welcome! May your adventure continue and find even greater prosperity!

5 Likes