So I had my certificate working fine, but now I’m trying to change it to a subdomain. It already had an nginx config file and a working directory and a server that runs node. I didn’t need to generate a new config file for nginx but I think it did.
I ran the command: sudo certbot -d sub.domain.com --nginx --webroot-path "/home/site/htdocs"
And now instead of showing the site, it’s showing a different “welcome to nginx” page. I don’t know if I have the webroot correct, because I didn’t set it up the first time and it didn’t show it anywhere.
This is on Ubuntu 16.4, via DigitalOcean. Certbot is 0.28.0.
Here is the output from the command:
Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/sub.domain.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/default
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://sub.domain.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sub.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sub.domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sub.domain.com/privkey.pem
Your cert will expire on 2019-05-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Show certbot certificates
So you can better understand what certs you have and which domains they cover.
Certbot will create an SSL version of an http vhost config and add the required code to enable SSL.
Check ls -l /etc/nginx/sites-enabled/ to see which vhost configs are in use.
Before I reran the command I did not have that folder, and it was still working. I’d like to direct it to use the same path it used before. I still don’t understand where the Welcome to Nginx page is coming from.
I still have a copy of the old version, if I make a new copy, is there a way I can safely get a certificate for the new domain without changing the path?
I still can’t find anywhere that references the actual path to my files. If I start over with my working configuration, is there a way for me to get a new cert for my new subdomain without changing anything with nginx? I just want it to work the same as it did before.
We need information. Please answer the following questions (standard template from #help):
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
beta.lospec.com has two IP addresses, one IPv4, one IPv6. Both use the correct certificate:
CN=beta.lospec.com | 10.02.2019 | 11.05.2019 | expires in 84 days | beta.lospec.com - 1 entry
There is an A record defined for www.beta.lospec.com; the config there is wrong. But if you don't want to use that www domain, this isn't relevant and you can ignore it. Or remove the DNS A record.
Yeah, it has the right certificate now, but when I gave it the new certificate it stopped pointing to my actual web server, so it doesn’t return my website.
I copied the file default from sites-available, made beta.lospec.com.conf and changed the domain in it, then made a link in sites-enabled.
Now I’m getting 502 Bad Gateway - nginx/1.10.3 (Ubuntu)
I also tried starting over, and doing certbot -d "beta.lospec.com" -certonly, then edited the config file to include the subdomain, and I seem to be having the same problem, 502 bad gateway.
root@afterimagehostupdate-s-3vcpu-1gb-nyc3-01:~# sudo certbot -d betatest.lospec.com --installer nginx --webroot -w '/home/lospec/htdocs'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for betatest.lospec.com
Using the webroot path /home/lospec/htdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. betatest.lospec.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://betatest.lospec.com/.well-known/acme-challenge/G05zSRbAXPXUK_DF5wdD8IQ5pN5fm3sTHge8TbE5Pac: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: betatest.lospec.com
Type: unauthorized
Detail: Invalid response from
http://betatest.lospec.com/.well-known/acme-challenge/G05zSRbAXPXUK_DF5wdD8IQ5pN5fm3sTHge8TbE5Pac:
"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
bgcolor=\"white\">\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
root@afterimagehostupdate-s-3vcpu-1gb-nyc3-01:~#
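Both symptoms in this thread, the "Welcome to nginx" page and the 404 on the webroot challenge, turn on which nginx server block answers for the hostname and what that block serves. The following check is an added example, not part of any post and not Certbot's own code; the sample config, the Node port 3000 and all function names are constructed, and name matching is simplified to exact server_name, then default_server.

```python
import re

# Constructed sample (not the poster's files): the stock default vhost plus a
# vhost that proxies everything to a Node app on an assumed port 3000.
SAMPLE = """
server {
    listen 80 default_server;
    server_name _;
    root /var/www/html;
}
server {
    listen 80;
    server_name beta.lospec.com;
    location / { proxy_pass http://127.0.0.1:3000; }
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block by counting braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def describe(block):
    names = re.search(r"\bserver_name\s+([^;]+);", block)
    root = re.search(r"^\s*root\s+([^;]+);", block, re.M)
    return {
        "names": names.group(1).split() if names else [],
        "default": bool(re.search(r"\blisten\s+[^;]*default_server", block)),
        "root": root.group(1).strip() if root else None,
        "proxy": "proxy_pass" in block,
        "acme": bool(re.search(r"location\s+[^{]*/\.well-known/acme-challenge", block)),
    }

def vhost_for(conf, host):
    """Exact server_name match, else default_server, else the first block.
    Simplified: wildcard/regex names and per-port selection are ignored."""
    blocks = [describe(b) for b in server_blocks(conf)]
    exact = [b for b in blocks if host in b["names"]]
    default = [b for b in blocks if b["default"]]
    return (exact or default or blocks or [None])[0]

def webroot_challenge_served(conf, host, webroot):
    """Heuristic: would a file under webroot/.well-known/acme-challenge/ be served?"""
    b = vhost_for(conf, host)
    return bool(b) and (b["acme"] or (b["root"] == webroot and not b["proxy"]))
```

To run it against a live server, pass the output of `nginx -T` as `conf`; a hostname with no matching server_name falls through to the default vhost, whose root is not the webroot given to certbot.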