Tried to insert directive but found conflicting snakeoil

kiepownica@kiepownica:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 14,15
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Problem in /etc/nginx/sites-enabled/ tried to insert directive “[‘ssl_certificate’, ‘/etc/letsencrypt/live/’]” but found conflicting “[‘ssl_certificate’, ‘/var/lib/letsencrypt/snakeoil/0009_cert.pem’]”.


  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2020-07-29. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

I am already running multiple websites, but I tried to create one for a friend and I cannot get an SSL cert :frowning:


Hi @olokos

simple solution:

  • Make a backup
  • disable that port 443 vHost
  • run the same command again, Certbot should ask the same and should now be able to create the port 443 vHost
  • maybe add some additional definitions that you can see in the current config

I have just removed the entire 443 section leaving only

server {
        if ($host = {
                return 301 https://$host$request_uri;

        if ($host = {
                return 301 https://$host$request_uri;

        listen 80;
        listen [::]:80;

        return 404;

But I’m getting this anyway

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Problem in /etc/nginx/sites-enabled/ tried to insert directive "['ssl_certificate', '/etc/letsencrypt/live/']" but found conflicting "['ssl_certificate', '/var/lib/letsencrypt/snakeoil/0011_cert.pem']".

Please take note that snakeoil/number is incrementing with each attempt.

Removing both conditional redirects results in the same, just that snakeoil/ was generated.



isn’t a disabled vHost. Or you have a configuration with an automated creation.

Or there are additional systems (server management software or something else).


The issue remains the same. I thought the way to add a new SSL website was to create a new sites-enabled entry with everything ready, make a symlink in sites-enabled, and then just run certbot --nginx and select the new websites; that’s what I always did.

I have just removed the https blocks from the nginx config files and now I cannot even see the domain in certbot --nginx at all.
Here’s what it looks like currently, modified as per your instructions.
With this config it doesn’t show up in certbot --nginx whatsoever.


the wrong way. As written: Let Certbot create the port 443 vHost.


When I have no other configuration than the port 80 vhost, it doesn’t display the website I’m trying to get SSL for in the list of domains at all (sudo certbot --nginx).

When there is no port 443 specified in the vhost, it also does not show up when running
sudo certbot --nginx

If the site is not linked in sites-enabled then the vhost is not visible when trying to invoke sudo certbot --nginx

I am not sure how I should proceed.

I just fixed it

Apparently I had to remove
ssl_certificate and ssl_certificate_key from the vhost file and that worked perfectly!

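The fix reported in the last post was removing `ssl_certificate` and `ssl_certificate_key` from the vhost file. As an added example (not part of the thread and not Certbot's own code), this script inventories those directives across a vhost directory and tags where each points, so leftover snakeoil entries are visible before running `certbot --nginx`. The function names, the `example.test` server name and the key file name in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): inventory ssl_certificate and
# ssl_certificate_key directives in nginx vhost files, tagging each target.

# list_cert_directives DIR -> lines of "file:line:directive path [kind]"
list_cert_directives() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue            # follows sites-enabled symlinks
        awk -v file="$f" -v sq="'" '
            { sub(/#.*/, "") }             # ignore comments
            $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
                path = $2
                sub(/;$/, "", path)
                gsub("[\"" sq "]", "", path)   # strip optional quotes
                kind = "other"
                if (index(path, "/var/lib/letsencrypt/snakeoil/") == 1) kind = "snakeoil"
                else if (index(path, "/etc/letsencrypt/live/") == 1) kind = "live"
                printf "%s:%d:%s %s [%s]\n", file, NR, $1, path, kind
            }' "$f"
    done
}

# write_sample DIR: constructed vhost files; example.test is a placeholder name
write_sample() {
    cat > "$1/friend-site" <<'EOF'
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate /var/lib/letsencrypt/snakeoil/0009_cert.pem;
    ssl_certificate_key /var/lib/letsencrypt/snakeoil/0009_key.pem;  # key name constructed
    # ssl_certificate /commented/out.pem;
}
EOF
    cat > "$1/port80-only" <<'EOF'
server {
    listen 80;
    server_name example.test;
    return 404;
}
EOF
}

# With a directory argument, scan it (e.g. /etc/nginx/sites-enabled).
if [ $# -gt 0 ]; then list_cert_directives "$1"; fi
```

Lines tagged `[snakeoil]` are the kind of entry named in the "found conflicting" error above; back up the vhost file before removing them.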
