Testing my certs shows one with port 80 blocked but not others

Hi Seth

So, trying out my new-found knowledge, I deleted the spurious domains from wordpress.ssl.conf. bell-computing.com still works, as does pmcarpetsandflooring.co, which is a subdomain of bell-computing.com.

Then I deleted the staging.bell-computing.com certificate, restarted nginx and recreated the cert as follows:

  ./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/wordpress/public -d staging.bell-computing.com -d

Then I created staging.bell-computing.com.ssl.conf in vhosts.d (see below) and restarted nginx, but Qualys still claims a certificate name mismatch and a dry-run renew says:

     Domain: staging.bell-computing.com
     Type:   connection
     Detail: Fetching
                    4WNpbjR4kSRnlFaZERkjXifzCQ8:    Error getting validation data

But there is no folder called //staging.bell-computing.com/, let alone .well-known. This is a WordPress multisite and all subdomains are contained in the same public folder, i.e. the same webroot, so how do I make it use /srv/users/serverpilot/apps/wordpress/public/.well-known/acme-challenge?

Here is the ssl.conf

  server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      server_name staging.bell-computing.com;
      ssl on;
      # letsencrypt certificates
      ssl_certificate      /etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/staging.bell-computing.com/privkey.pem;
      #SSL Optimization
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:20m;
      ssl_session_tickets off;
      # modern configuration
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
      # OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;
      # verify chain of trust of OCSP response
      ssl_trusted_certificate /etc/letsencrypt/live/staging.bell-computing.com/chain.pem;
      #root directory and logfiles
      root /srv/users/serverpilot/apps/wordpress/wordpress_nginx/public;
      access_log /srv/users/serverpilot/log/wordpress/wordpress_nginx.access.log main;
      error_log /srv/users/serverpilot/log/wordpress/wordpress_nginx.error.log;
      #proxyset
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-SSL on;
      proxy_set_header X-Forwarded-Proto $scheme;
      #includes
      include /etc/nginx-sp/vhosts.d/wordpress.d/*.nonssl_conf;
      include /etc/nginx-sp/vhosts.d/wordpress.d/*.conf;
  }

Your e-mail replies are pretty hard to read on the forum because lines with indentation get formatted as preformatted code blocks (with arbitrary long lines). Could you try replying on the forum or else not indenting your replies?

Does /etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem already exist? What names does it cover?

Did you cut out some of the text from the error message? It should have been a complete URL.

Hi Seth

Your e-mail replies are pretty hard to read on the forum because lines with indentation get formatted as preformatted code blocks (with arbitrary long lines). Could you try replying on the forum or else not indenting your replies?

Sorry about that. Is this better?

patbell101:

Then created staging.bell-computing.com.ssl.conf in vhosts.d See below. restarted nginx but qualys still claims certificate name mismatch

Does /etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem already exist? What names does it cover?

I reverted my server to before I was doing this to retain working sites.
But what I had done was to use certbot delete and select staging.bell-computing.com
then I recreated the certificate with
./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/wordpress/public -d staging.bell-computing.com -d www.staging.bell-computing.com
and added staging.bell-computing.com.ssl.conf to vhosts.d

When I test it with a renew dry run it fails on a verification error. As far as I can see this is because it is challenging //staging.bell-computing.com/.well-known/acme-challenge, which doesn't exist because staging.bell-computing.com is a subdomain of bell-computing.com.

Domain: staging.bell-computing.com
Type: connection
Detail: Fetching
http://staging.bell-computing.com/.well-known/acme-challenge/yYsecsG-XcUmduP0 4WNpbjR4kSRnlFaZERkjXifzCQ8:
Error getting validation data

I don’t understand this explanation—the location of the challenge file is chosen by the CA and is mandatory. The point of the webroot authentication is that you specify a directory where files could be placed in order to appear in corresponding locations on the public web site. Is /srv/users/serverpilot/apps/wordpress/public not such a directory for http://staging.bell-computing.com/? If it isn’t, you can’t use --webroot with your current configuration.

OK, now we’re getting to the core of the problem, I think. With a WordPress multisite the domain names requiring certification are all found in the “root” domain of the multisite. In my case the “root” is …wordpress/public/ for all the subdomains (determined by WordPress’s database), but the subdomain is, for example, staging.bell-computing.com. The reason pmcarpetsandflooring works is that it is mapped to a “real” domain. So I can’t use webroot. So what do I do?

I haven’t reread the earlier history of the thread and don’t remember that much about your configuration, so I apologize if you’ve already given a reason that one or more of these options won’t work for you.

  • Change your nginx configuration to create an exception so that /.well-known/acme-challenge URLs are mapped to a static location on the filesystem rather than served by WordPress.
  • Use --nginx instead.
  • Use the DNS challenge instead, via a DNS provider API.
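One way to implement the first option above, as an added example (not Seth's, ServerPilot's or WordPress's own configuration): a prefix location that serves ACME HTTP-01 challenge files straight from disk, so WordPress never sees them. The challenge directory /srv/users/serverpilot/apps/wordpress/acme and the file name acme.nonssl_conf are assumptions; the include pattern comes from the ssl.conf posted earlier, and the block must end up inside the port-80 server block that answers for staging.bell-computing.com.

```nginx
# Added example, not part of the original thread.
# Assumed file: /etc/nginx-sp/vhosts.d/wordpress.d/acme.nonssl_conf
# Assumed challenge directory (create it first):
#   /srv/users/serverpilot/apps/wordpress/acme/.well-known/acme-challenge
#
# "^~" makes this prefix match final: nginx will not go on to evaluate
# regex locations such as a "deny all dotfiles" rule or the PHP handler,
# so the request can never be routed to WordPress multisite.
location ^~ /.well-known/acme-challenge/ {
    # With "root" nginx appends the full URI, so
    #   /.well-known/acme-challenge/TOKEN
    # is read from
    #   /srv/users/serverpilot/apps/wordpress/acme/.well-known/acme-challenge/TOKEN
    root /srv/users/serverpilot/apps/wordpress/acme;

    # Challenge files have no extension; serve them as plain text.
    default_type text/plain;

    # Serve the file if it exists, otherwise a plain 404 (no WordPress fallback).
    try_files $uri =404;
}
```

Point the webroot authenticator at the same directory for every name in the multisite (./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/wordpress/acme -d staging.bell-computing.com) once nginx -t passes and nginx has been reloaded. Before running certbot, drop a test file into .well-known/acme-challenge/ and fetch it over plain HTTP for each name to confirm that nginx, not WordPress, answers.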

Can you explain the steps for me to create an exception?
and
What does using --nginx require?

https://community.letsencrypt.org/search?q=nginx%20location%20.well-known

Usually nothing!

Thanks so much, I’ll give these a try on Monday.

Pat

I ran “sudo apt install python-certbot-nginx”

but still I get “The nginx plugin is not working;”

Is it not in certbot’s path? How do I add it?

Could you give the exact command you ran and the exact output from Certbot?

./certbot-auto --nginx -d staging.bell-computing.com -d www.staging.bellcomputing.com
Upgrading certbot-auto 0.25.1 to 0.26.1…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()

Thanks!

If you’re using certbot-auto, then packages you install with commands like sudo apt install python-certbot-nginx don’t affect Certbot because certbot-auto manages its own Python environment separate from the OS version.

This often relates to the plugin’s inability to find your copy of nginx. Is nginx located in an unusual path? Can you post the log from /var/log/letsencrypt?

2018-08-06 16:58:28,492:DEBUG:certbot.main:certbot version: 0.26.1
2018-08-06 16:58:28,492:DEBUG:certbot.main:Arguments: ['--nginx', '-d', 'staging.bell-computing.com', '-d', 'www.staging.bellcomputing.com']
2018-08-06 16:58:28,492:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-08-06 16:58:28,505:DEBUG:certbot.log:Root logging level set at 20
2018-08-06 16:58:28,505:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-08-06 16:58:28,506:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2018-08-06 16:58:28,511:DEBUG:certbot.plugins.disco:No installation (PluginEntryPoint#nginx):
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/plugins/disco.py", line 132, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 139, in prepare
    raise errors.NoInstallationError
NoInstallationError
2018-08-06 16:58:28,511:DEBUG:certbot.plugins.selection:No candidate plugin
2018-08-06 16:58:28,512:DEBUG:certbot.plugins.selection:No candidate plugin
2018-08-06 16:58:28,512:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2018-08-06 16:58:28,512:INFO:certbot.main:Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()
2018-08-06 16:58:28,513:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1233, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/plugins/selection.py", line 237, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/plugins/selection.py", line 341, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
PluginSelectionError: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()

Thanks, where is nginx installed on your system?

I forgot that you’re using ServerPilot. With ServerPilot you have to specify the nginx installation paths to Certbot.

Hi Seth

How can I locate where nginx is installed?

and then how do I specify this to Certbot?

Please bear with me, this is new stuff to me (as if you couldn’t tell :grinning:)

After looking at other threads, I’m actually more confused about the nature of Certbot’s interaction with ServerPilot. It’s definitely a recurrent source of confusion and difficulty on this forum.

Do you have any support channel through which you could ask ServerPilot for help with this? I would certainly be interested to know what the official recommendation from their side is. (Other threads also show some Certbot users figuring out ways to get it to work, but again, not always in a super-easy or straightforward way.)

The official answer is to subscribe to a paying package where they will do it for you.
