Trouble with installing an SSL Certificate

I'm having trouble installing the SSL certificate on my server with Nginx. The domain name is celmade-cosmetics.com; it's been purchased on Hostinger alongside the VPS server where I'm trying to install this certificate.

These are the error logs I keep getting and I'm not sure where to start in order to fix this issue.

root@srv413305:/etc/nginx/sites-available# sudo certbot --nginx -d celmade-cosmetics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/celmade-cosmetics.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Deploying certificate
Could not install certificate

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name celmade-cosmetics.com

Could not automatically find a matching server block for celmade-cosmetics.com. Set the `server_name` directive to use the Nginx installer.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

upstream odoo {
    server localhost:8069 weight=1 fail_timeout=3000s;
}

upstream polling {
    server localhost:8072 weight=1 fail_timeout=3000s;
}

server {
    server_name celmade-cosmetics.com;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size        200m;

    # add ssl specific settings
    keepalive_timeout           60;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers               16 64k;
    proxy_buffer_size           128k;


    location / {
        proxy_pass              http://odoo;

        # Force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

        # Set timeouts
        proxy_connect_timeout   3600;
        proxy_send_timeout      3600;
        proxy_read_timeout      3600;
        send_timeout            3600;

        # By default, do not forward anything
        proxy_redirect          off;
    }

    location /longpolling/ {
        proxy_pass              http://polling;
        # Force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

        # Set timeouts
        proxy_connect_timeout   3600;
        proxy_send_timeout      3600;
        proxy_read_timeout      3600;
        send_timeout            3600;

        # By default, do not forward anything
        proxy_redirect          off;
    }

    # Cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the Odoo web interface a bit.
    location ~* /[0-9a-zA-Z_]*/static/ {
        proxy_cache_valid       200 60m;
        proxy_buffering         on;
        expires                 864000;
        proxy_pass              http://odoo;
    }

    access_log /var/log/nginx/odoo-ssl.access.log;
    error_log  /var/log/nginx/odoo-ssl.error.log;
}

While the nginx documentation mentions the listen directive is actually optional and defaults to *:80, maybe Certbot requires a listen directive in the server block? :thinking:

2 Likes

Agree with Osiris, you probably need to add a listen 80; to that server block. And one for IPv6 if you support that.

But, don't you also want the www.celmade-cosmetics.com domain in your certificate? I see a couple weeks ago you got a cert with the root and www names so wonder why you omit www now.

If you change your server_name to below I think certbot will ask you if you want to expand the cert (reply yes).

listen 80;
listen [::]:80;     # if you support IPv6 use this too

server_name celmade-cosmetics.com www.celmade-cosmetics.com;

3 Likes

As an aside, listen 80 might behave differently in different nginx versions. Newer ones listen on both IPv4 and IPv6, if you specify a wildcard IPv6. Older ones might need two listen directives. It's a bit confusing.

It looks like I was wrong.

listen [::]:80 listens on both,

listen 80 I'm not sure anymore.

3 Likes

I tried installing the certificate and I'm still getting the issue:

root@srv413305:/etc/nginx/sites-available# certbot --nginx -d celmade-cosmetics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for celmade-cosmetics.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/celmade-cosmetics.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/celmade-cosmetics.com/privkey.pem
This certificate expires on 2023-12-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Could not install certificate

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name celmade-cosmetics.com

Could not automatically find a matching server block for celmade-cosmetics.com. Set the `server_name` directive to use the Nginx installer.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Even after updating the nginx file (tried both with and without listen [::]:80):


upstream odoo {
    server localhost:8069 weight=1 fail_timeout=3000s;
}

upstream polling {
    server localhost:8072 weight=1 fail_timeout=3000s;
}


server {
    listen 80;
#    listen [::]:80;     # if you support IPv6 use this too

    server_name celmade-cosmetics.com www.celmade-cosmetics.com;
    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size        200m;

    # add ssl specific settings
    keepalive_timeout           60;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers               16 64k;
    proxy_buffer_size           128k;


    location / {
        proxy_pass              http://odoo;

        # Force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

        # Set timeouts
        proxy_connect_timeout   3600;
        proxy_send_timeout      3600;
        proxy_read_timeout      3600;
        send_timeout            3600;

        # By default, do not forward anything
        proxy_redirect          off;
    }

    location /longpolling/ {
        proxy_pass              http://polling;
        # Force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

        # Set timeouts
        proxy_connect_timeout   3600;
        proxy_send_timeout      3600;
        proxy_read_timeout      3600;
        send_timeout            3600;

        # By default, do not forward anything
        proxy_redirect          off;
    }

    # Cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the Odoo web interface a bit.
    location ~* /[0-9a-zA-Z_]*/static/ {
        proxy_cache_valid       200 60m;
        proxy_buffering         on;
        expires                 864000;
        proxy_pass              http://odoo;
    }

    access_log /var/log/nginx/odoo-ssl.access.log;
    error_log  /var/log/nginx/odoo-ssl.error.log;
}

Do you have a server_name directive anywhere?

You should add one inside the appropriate server block.

Yes, you have one. Discard this message. Whitespace.

3 Likes

@BojanOD Can you please share the entire log file at /var/log/letsencrypt/letsencrypt.log?

3 Likes

@Osiris sure thing.

Letsencrypt log file: letsencrypt.log - Google Drive

DNS records: DNS RECORDS.png - Google Drive

In the future, please don't delete perfectly fine certificates if there's no issue with the certificate itself. An installing issue is not a certificate issue, so deleting and issuing a new cert is not helpful and can lead to hitting rate limits.

With regard to the nginx certificate installation issue: I'd have to dig deeper.

1 Like

Something looks wrong with the nginx config.

Can you upload the config.txt file resulting from this:

sudo nginx -T >config.txt

A capital T is essential to output the full active config.

Also, I forgot to mention you should add the www domain to your certbot command to:

certbot --nginx -d celmade-cosmetics.com -d www.celmade-cosmetics.com

3 Likes

@Osiris sure thing, I didn't know this. Thank you for telling me this.

@MikeMcQ Here are the results: config.txt - Google Drive. I also added the www domain with the command you recommended to me: Expand.png - Google Drive

1 Like

Your active nginx config does not have that server block. Are you sure that server block conf file is in the sites-enabled folder with a .conf extension?

It needs to be, so your main nginx conf include statement sees it:

    include /etc/nginx/sites-enabled/*.conf;

4 Likes

@MikeMcQ yes, I have the config file inside /etc/nginx/sites-enabled, but not with the .conf extension. I will add it right now. My conf file name is celmade-cosmetics.com; should I change it now to celmade-cosmetics.com.conf?

Yes :slight_smile:

4 Likes

@MikeMcQ thank you so much for the assistance.

The renaming of the file celmade-cosmetics.com to celmade-cosmetics.com.conf fixed the issue.

3 Likes
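The root cause found above (a vhost file whose name the `include /etc/nginx/sites-enabled/*.conf;` glob does not match, so nginx and Certbot never see its `server_name`) can be checked mechanically. The following is an added example, not code from the thread or from Certbot; the function names `unmatched_vhosts` and `make_demo_tree` are hypothetical, the sample files are constructed, and it assumes include lines use the absolute directory path.

```shell
#!/bin/sh
# Added example (not from the thread): find vhost files that nginx never loads
# because no include glob in the main config matches their file name.

# unmatched_vhosts CONF DIR
# Prints each entry in DIR that no "include DIR/<glob>;" line in CONF matches.
# Assumption: include lines use the absolute DIR path, as in the thread.
unmatched_vhosts() {
    conf=$1
    dir=$2
    # Extract the file-name glob from every include line that targets DIR.
    globs=$(sed -n "s|^[[:space:]]*include[[:space:]]\{1,\}$dir/\([^;/]*\);.*|\1|p" "$conf")
    for path in "$dir"/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        loaded=no
        while IFS= read -r glob; do
            # An unquoted case pattern is matched as a shell glob.
            case $name in $glob) loaded=yes ;; esac
        done <<EOF
$globs
EOF
        [ "$loaded" = yes ] || printf '%s\n' "$name"
    done
}

# make_demo_tree: builds a constructed /etc/nginx-like layout in a temp dir
# and prints its root. File names mirror the thread; contents are samples.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/sites-enabled"
    printf 'http {\n    include %s/sites-enabled/*.conf;\n}\n' "$root" > "$root/nginx.conf"
    printf 'server { listen 80; server_name celmade-cosmetics.com; }\n' \
        > "$root/sites-enabled/celmade-cosmetics.com"
    printf 'server { listen 80; server_name example.test; }\n' \
        > "$root/sites-enabled/other.conf"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
echo "Not loaded by nginx:"
unmatched_vhosts "$demo/nginx.conf" "$demo/sites-enabled"
rm -rf "$demo"
```

On a real host, call the function with /etc/nginx/nginx.conf and /etc/nginx/sites-enabled, then confirm with sudo nginx -T that the expected server_name appears in the active config before re-running certbot install.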

LOL 

@Osiris @9peppe Thank you so much as well, couldn't tag more than two persons because of the fact I'm a new member.

3 Likes