My domain is: supgezel.nl
I ran this command:sudo certbot --nginx -d supgezel.nl -d www.supgezel.nl
It produced this output:Rate Limits - Let's Encrypt
My web server is (include version):google cloud console
The operating system my web server runs on is (include version):debian 10
My hosting provider, if applicable, is:* google cloud console
I can login to a root shell on my machine (yes or no, or I don't know):Yes, i'm root.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):No
The Certbot version:certbot 0.31.0
More info:sudo certbot delete assuming I could easely create a new certificate with this command sudo certbot --nginx -d supgezel.nl -d www.supgezel.nl.
What options are left, other then wait for 168 hours?
If not deleted all, without saving, where could I found .pem files?
Is there a restore options from previous certs?
I tried a subdomain sup.supgezel.nl sudo certbot --nginx -d sup.supgezel.nl -d www.sup.supgezel.nl This cert won't redirect to https.
1 Like
rg305
June 16, 2021, 6:23pm
2
Hi @acnimda and welcome to the LE community forum
Redirection is not a characteristic found in a cert, nor one it can control.nginx)]
You can see that certs are being issued.certbot certificates]nginx/1.14.2 & certbot/0.31.0]
In order to fix the problem, we must find the problem.nginx configuration.nginx -T
1 Like
Thnx for the warm welcome @rg305 nginx -T:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/sup.supgezel.nl.conf:
upstream sup-supgezel-php-handler {
# server unix:/var/run/php/php7.4-fpm.sock;
server unix:/var/run/php/php8.0-fpm.sock;
}
server {
# listen 80;
# listen [::]80;
# listen 443;
# listen [::]443;
# listen 443 ssl;
# You will need to change the server_name option to your domain name
# server_name example.com www.example.com;
# server_name _;
server_name sup.supgezel.nl www.sup.supgezel;
root /var/www/supgezel.nl/web;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location @rewrite {
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
}
# Handle image styles for Drupal 7+
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~* /\.(?!well-known\/) {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
deny all;
}
# Media: images, icons, video, audio, HTC
location ~* \.(png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
# js and css always loaded
location ~* \.(js|css)$ {
try_files $uri @rewrite;
expires -1;
log_not_found off;
}
# pass the PHP scripts to FastCGI server listening on socket
location ~ '\.php$|^/update.php' {
include snippets/fastcgi-php.conf;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass sup-supgezel-php-handler;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param SCRIPT_NAME $fastcgi_script_name;
# fastcgi_index index.php;
include fastcgi_params;
fastcgi_intercept_errors off;
# fastcgi_read_timeout should match max_execution_time in php.ini
fastcgi_read_timeout 10m;
# fastcgi_param SERVER_NAME $host;
# fastcgi_param HTTPS $fcgi_https;
}
}
# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/nginx/sites-enabled/supgezel.nl.conf:
upstream supgezel-php-handler {
# server unix:/var/run/php/php7.4-fpm.sock;
server unix:/var/run/php/php8.0-fpm.sock;
}
server {
# listen 80;
# listen [::]80;
# listen 443;
# listen [::]443;
# listen 443 ssl;
# You will need to change the server_name option to your domain name
# server_name example.com www.example.com;
# server_name _;
server_name supgezel.nl www.supgezel;
root /var/www/supgezel.nl/web;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location @rewrite {
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
}
# Handle image styles for Drupal 7+
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~* /\.(?!well-known\/) {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
deny all;
}
# Media: images, icons, video, audio, HTC
location ~* \.(png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
# js and css always loaded
location ~* \.(js|css)$ {
try_files $uri @rewrite;
expires -1;
log_not_found off;
}
# pass the PHP scripts to FastCGI server listening on socket
location ~ '\.php$|^/update.php' {
include snippets/fastcgi-php.conf;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass supgezel-php-handler;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param SCRIPT_NAME $fastcgi_script_name;
# fastcgi_index index.php;
include fastcgi_params;
fastcgi_intercept_errors off;
# fastcgi_read_timeout should match max_execution_time in php.ini
fastcgi_read_timeout 10m;
# fastcgi_param SERVER_NAME $host;
# fastcgi_param HTTPS $fcgi_https;
}
}
2 Likes
@rg305 I see where my .pem files are stored now, thnx sudo certbot certificates
sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: sup.supgezel.nl
Domains: sup.supgezel.nl www.sup.supgezel.nl
Expiry Date: 2021-09-13 18:58:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/sup.supgezel.nl/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sup.supgezel.nl/privkey.pem
2 Likes
rg305
June 16, 2021, 6:57pm
5
Some interesting things found:
all listen statements have been remarked out of the config:
# listen 80;
# listen [::]80;
# listen 443;
# listen [::]443;
# listen 443 ssl;
# listen 80;
# listen [::]80;
# listen 443;
# listen [::]443;
# listen 443 ssl;
some FQDNs are improper:
server_name sup.supgezel.nl www.sup.supgezel;
server_name supgezel.nl www.supgezel;
double negate used rather than accept used:
location ~* /\.(?!well-known\/) {
deny all;
}
1 Like
rg305
June 16, 2021, 6:57pm
6
Items #1 and #2 need to be corrected.#3 is probably useable - just uncommon.#3 reads:
1 Like
I uncomment these, because in earlier experience certbot added aditional # listen 80; # managed by Certbot
1 Like
rg305
June 16, 2021, 7:02pm
8
Each of those HTTP sections needs:
listen 80;
listen [::]80;
[the other listens should be deleted]
1 Like
rg305
June 16, 2021, 7:03pm
9
Should be:
server_name sup.supgezel.nl www.sup.supgezel.nl;
and
server_name supgezel.nl www.supgezel.nl;
[include the ".nl" on both]
1 Like
rg305
June 16, 2021, 7:05pm
10
I see only one cert listed by certbot certificates
1 Like
while using listen [::]80;nginx: [emerg] invalid host in "[::]80" of the "listen" directive in /etc/nginx/sites-enabled/supgezel.nl.conf:7
1 Like
While only using listen 80; I can't connect to the site due to unsafe connections.
1 Like
rg305
June 16, 2021, 7:36pm
13
Ok then leave the listen [::]80 out.
Please show the error message - while I re-review the config.
1 Like
My supgezel.nl.conf:
server {
listen 80;
# listen [::]80;
listen 443;
I ran sudo nginx -t && sudo nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
visiting supgezel.nl
# This site can’t be reached
**supgezel.nl** unexpectedly closed the connection.
1 Like
I can visit supgezel.nl. Might be a caching issue somewhere.
1 Like
Osiris
June 16, 2021, 7:50pm
17
acnimda:
supgezel.nl
You probably shouldn't leave your Drupal installer out in the open like this..
2 Likes
Hi thnx, I know @Osiris @rg305 SSL_ERROR_RX_RECORD_TOO_LONG
1 Like
rg305
June 16, 2021, 8:09pm
19
acnimda:
any suggenstions?
You need to understand basic web serving and the KISS pronciple.certbot with --nginx is used]certbot but should be readied now]
Once the HTTPS is enabled and working properly, you can modify the HTTP vhost config to redirect to HTTPS.
Please show the latest version of the vhost config file.
1 Like
# configuration file /etc/nginx/sites-enabled/supgezel.nl.conf:
upstream supgezel-php-handler {
# server unix:/var/run/php/php7.4-fpm.sock;
server unix:/var/run/php/php8.0-fpm.sock;
}
server {
listen 80;
listen 443;
server_name supgezel.nl www.supgezel;
root /var/www/supgezel.nl/web;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location @rewrite {
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
}
# Handle image styles for Drupal 7+
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~* /\.(?!well-known\/) {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
deny all;
}
# Media: images, icons, video, audio, HTC
location ~* \.(png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
# js and css always loaded
location ~* \.(js|css)$ {
try_files $uri @rewrite;
expires -1;
log_not_found off;
}
# pass the PHP scripts to FastCGI server listening on socket
location ~ '\.php$|^/update.php' {
include snippets/fastcgi-php.conf;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass supgezel-php-handler;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param SCRIPT_NAME $fastcgi_script_name;
# fastcgi_index index.php;
include fastcgi_params;
fastcgi_intercept_errors off;
# fastcgi_read_timeout should match max_execution_time in php.ini
fastcgi_read_timeout 10m;
# fastcgi_param SERVER_NAME $host;
# fastcgi_param HTTPS $fcgi_https;
}
}
# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
1 Like
due to run 