I'm having trouble installing the SSL certificate on my server with Nginx. The domain name is: celmade-cosmetics.com, it's been purchased on Hostinger alongside the VPS server where I'm trying to install this certificate.
These are the error logs I keep getting and I'm not sure where to start in order to fix this issue.
root@srv413305:/etc/nginx/sites-available# sudo certbot --nginx -d celmade-cosmetics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/celmade-cosmetics.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Deploying certificate
Could not install certificate
NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
certbot install --cert-name celmade-cosmetics.com
Could not automatically find a matching server block for celmade-cosmetics.com. Set the `server_name` directive to use the Nginx installer.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
upstream odoo {
    server localhost:8069 weight=1 fail_timeout=3000s;
}
upstream polling {
    server localhost:8072 weight=1 fail_timeout=3000s;
}
server {
    server_name celmade-cosmetics.com;
    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;
    # add ssl specific settings
    keepalive_timeout 60;
    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;
    location / {
        proxy_pass http://odoo;
        # Force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        # Set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Set timeouts
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
        # By default, do not forward anything
        proxy_redirect off;
    }
    location /longpolling/ {
        proxy_pass http://polling;
        # Force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        # Set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Set timeouts
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
        # By default, do not forward anything
        proxy_redirect off;
    }
    # Cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the Odoo web interface a bit.
    location ~* /[0-9a-zA-Z_]*/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }
    access_log /var/log/nginx/odoo-ssl.access.log;
    error_log /var/log/nginx/odoo-ssl.error.log;
}
While the nginx documentation mentions the listen directive is actually optional and defaults to *:80, maybe Certbot requires a listen directive in the server block?
Agree with Osiris you probably need to add a listen 80; to that server block. And, one for IPv6 if you support that.
But, don't you also want the www.celmade-cosmetics.com domain in your certificate? I see a couple weeks ago you got a cert with the root and www names so wonder why you omit www now.
If you change your server_name to below I think certbot will ask you if you want to expand the cert (reply yes).
listen 80;
listen [::]:80; # if you support IPv6 use this too
server_name celmade-cosmetics.com www.celmade-cosmetics.com;
As an aside, listen 80 might behave differently in different nginx versions. Newer ones listen on both IPv4 and IPv6, if you specify a wildcard IPv6. Older ones might need two listen directives. It's a bit confusing.
I tried installing the certificate and I'm still getting the issue:
root@srv413305:/etc/nginx/sites-available# certbot --nginx -d celmade-cosmetics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for celmade-cosmetics.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/celmade-cosmetics.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/celmade-cosmetics.com/privkey.pem
This certificate expires on 2023-12-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Could not install certificate
NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
certbot install --cert-name celmade-cosmetics.com
Could not automatically find a matching server block for celmade-cosmetics.com. Set the `server_name` directive to use the Nginx installer.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Even after updating the nginx file (tried both with and without listen [::]:80):
upstream odoo {
    server localhost:8069 weight=1 fail_timeout=3000s;
}
upstream polling {
    server localhost:8072 weight=1 fail_timeout=3000s;
}
server {
    listen 80;
    # listen [::]:80; # if you support IPv6 use this too
    server_name celmade-cosmetics.com www.celmade-cosmetics.com;
    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;
    # add ssl specific settings
    keepalive_timeout 60;
    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;
    location / {
        proxy_pass http://odoo;
        # Force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        # Set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Set timeouts
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
        # By default, do not forward anything
        proxy_redirect off;
    }
    location /longpolling/ {
        proxy_pass http://polling;
        # Force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        # Set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Set timeouts
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
        # By default, do not forward anything
        proxy_redirect off;
    }
    # Cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the Odoo web interface a bit.
    location ~* /[0-9a-zA-Z_]*/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }
    access_log /var/log/nginx/odoo-ssl.access.log;
    error_log /var/log/nginx/odoo-ssl.error.log;
}
In the future, please don't delete perfectly fine certificates if there's no issue with the certificate itself. An installing issue is not a certificate issue, so deleting and issuing a new cert is not helpful and can lead to hitting rate limits.
With regard to the nginx certificate installation issue: I'd have to dig deeper.
Your active nginx config does not have that server block. Are you sure that server block conf file is in the sites-enabled folder with a .conf extension?
It needs to be so your main nginx conf include statement sees it.
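The check described in the post above, as an added example that is not part of the original thread: it lists files in sites-enabled that no `include` pattern in the main nginx.conf would load. The function names `unmatched_sites` and `make_sample` are hypothetical, and the sample tree with `include sites-enabled/*.conf;` is constructed, since the thread does not show the poster's actual include line.

```shell
#!/bin/sh
# Added example: find site files that the main nginx.conf never includes.

# unmatched_sites CONF_ROOT
#   Prints the basename of every file in CONF_ROOT/sites-enabled that is
#   not matched by any `include <pattern>;` line in CONF_ROOT/nginx.conf.
unmatched_sites() {
    root=$1
    # Pull the pattern out of each uncommented include directive.
    patterns=$(sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$root/nginx.conf")
    for f in "$root"/sites-enabled/*; do
        [ -e "$f" ] || continue
        hit=no
        while IFS= read -r p; do
            [ -n "$p" ] || continue
            # Relative include paths are resolved against the conf directory.
            case $p in /*) abs=$p ;; *) abs=$root/$p ;; esac
            # Unquoted $abs is used as a glob pattern here.
            case $f in $abs) hit=yes ;; esac
        done <<EOF
$patterns
EOF
        if [ "$hit" = no ]; then basename "$f"; fi
    done
    return 0
}

# make_sample: build a constructed config tree and print its path.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/sites-enabled"
    cat > "$d/nginx.conf" <<'EOF'
http {
    include mime.types;
    include sites-enabled/*.conf;
}
EOF
    : > "$d/sites-enabled/celmade-cosmetics.com"   # no .conf extension
    : > "$d/sites-enabled/default.conf"
    echo "$d"
}

sample=$(make_sample)
echo "Not covered by any include pattern:"
unmatched_sites "$sample"
rm -rf "$sample"
```

On a real host the argument would be the nginx configuration directory (for example /etc/nginx), and `nginx -T` prints the effective configuration so you can confirm whether the `server_name` actually appears in it.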
@MikeMcQ yes, I have the config file inside /etc/nginx/sites-enabled but not with the .conf extension. I will add it right now. My conf file name is celmade-cosmetics.com; should I change it now to celmade-cosmetics.com.conf?