Trying to fix my certificate after changing domain names


#1

So I had my certificate working fine, but now I’m trying to change it to a subdomain. It already had an nginx config file and a working directory and a server that runs node. I didn’t need to generate a new config file for nginx but I think it did.

I ran the command: sudo certbot -d sub.domain.com --nginx --webroot-path "/home/site/htdocs"

And now instead of showing the site, it’s showing a different “welcome to nginx” page. I don’t know if I have the webroot correct, because I didn’t set it up the first time and it didn’t show it anywhere.

This is on Ubuntu 16.4, via digital ocean. Certbot is 0.28.0

Here is the output from the command:

Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/sub.domain.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
nginx: [error] invalid PID number "" in "/run/nginx.pid"

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://sub.domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sub.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub.domain.com/privkey.pem
   Your cert will expire on 2019-05-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

#2

Show

certbot certificates

so you can better understand what certs you have and which domains they cover.

Certbot will create an SSL version of an http vhost config and add the required code to enable SSL.
Check

ls -l /etc/nginx/sites-enabled/

to see which vhost configs are in use.


#3

Before I reran the command I did not have that folder, and it was still working. I’d like to direct it to use the same path it used before. I still don’t understand where the Welcome to Nginx page is coming from.

I still have a copy of the old version, if I make a new copy, is there a way I can safely get a certificate for the new domain without changing the path?


#4

Which folder?
Please be clear and specific.

Did you have HTTPS before?

That makes two of us.
Is it on the http://site, the https://site, or both sites?

It is hard to say without some specifics.
You use “it” and “change” without clear definitions.


#5

I didn’t have the sites enabled folder, it used to look like this. The config was in the /etc/nginx/sites.

I did have https before, and it was working fine, I just needed to change the domain (to a subdomain).

Http://site redirects to Https://site (as I wanted and set it to). The IP address returns that too (though I’d rather it return nothing).

Hope that’s enough info. I had someone else set this up the first time, which is why I’m not really sure how to configure it.


#6

Start with the nginx.conf file.
/etc/nginx/nginx.conf

From there you can also look deeper at the entire nginx config.
With the output of:
nginx -T

To better understand what it is doing and where files are located.


#7

I still can’t find anywhere that references the actual path to my files. If I start over with my working configuration, is there a way for me to get a new cert for my new subdomain without changing anything with nginx? I just want it to work the same as it did before.


#8

Hi @skeddles

We need information. Please answer the following questions (standard template from #help):


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#9

My domain is: lospec.com > beta.lospec.com

I ran this command: sudo certbot -d sub.domain.com --nginx --webroot-path "/home/site/htdocs"

It produced this output:

Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/beta.lospec.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
nginx: [error] invalid PID number "" in "/run/nginx.pid"

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://beta.lospec.com

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): ubuntu 16.4

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know): idk

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is: 0.28.0

My actual web root is in /home/lospec/htdocs, which runs the file /home/lospec/htdocs/bin/www with node via pm2


#10

But where is the problem? Checking your domain via https://check-your-website.server-daten.de/?q=beta.lospec.com

beta.lospec.com has two ip addresses, one ipv4, one ipv6: Both use the correct certificate

CN=beta.lospec.com, valid 10.02.2019 - 11.05.2019, expires in 84 days; beta.lospec.com - 1 entry

There is a www.beta.lospec.com as A-record defined, there the config is wrong. But if you don’t want to use that www - domain, this isn’t relevant, you can ignore it. Or remove the DNS A record.

This

Domainname                    IP                                        Http-Status  redirect                   Sec.   G
http://beta.lospec.com/       45.55.159.39                              301          https://beta.lospec.com/   0.220  A
http://beta.lospec.com/       2604:a880:800:10::30f2:5001               301          https://beta.lospec.com/   0.220  A
http://www.beta.lospec.com/   45.55.159.39                              403 Forbidden                           0.203  M
http://www.beta.lospec.com/   2607:f1c0:1000:30d2:f822:dabc:6f62:883e   403 Forbidden                           0.296  M
https://beta.lospec.com/      45.55.159.39                              200                                     2.424  B
https://beta.lospec.com/      2604:a880:800:10::30f2:5001               200                                     2.030  B

is ok (ignoring the www-results).

Check the certificate in 60 - 6 + some days, to see if the renewal has worked.


#11

Yeah it has the right certificate now, but when I gave it the new certificate it stopped pointing to my actual web server so it doesn’t return my website


#12

Then this may be a problem. Create an explicit vHost with that domain name, so that this domain doesn’t use the default vHost.

Copy the default vHost (in /sites-available), set the server_name to beta.lospec.com, activate that site.


#13

I copied the file default from sites-available and made beta.lospec.com.conf and changed the domain in it, then made a link in sites-enabled.

Now I’m getting 502 Bad Gateway - nginx/1.10.3 (Ubuntu)


I also tried starting over, and doing certbot -d "beta.lospec.com" -certonly, then edited the config file to include the subdomain, and I seem to be having the same problem, 502 bad gateway.


#14

Then there are too many other definitions. Check the docs to create a minimal vHost file.


#15

But on my other attempt I just used the same file that was already confirmed to work:

# Backend the node app (run by pm2) listens on; a 502 from nginx means
# nothing is accepting connections here.
upstream betatest.lospec {
    server 127.0.0.1:3000;
}

# Plain HTTP: redirect everything to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name betatest.lospec.com;

    return 301 https://$host$request_uri;
}

# HTTPS: terminate TLS with the Let's Encrypt cert and proxy to node.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name betatest.lospec.com;

    include /etc/nginx/config/sites/headers.conf;
    include /etc/nginx/config/ssl/resolver.conf;

    ssl on;   # redundant with "listen ... ssl" above, harmless on nginx 1.10
    ssl_certificate /etc/letsencrypt/live/betatest.lospec.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/betatest.lospec.com/privkey.pem;

    include /etc/nginx/config/ssl/ssl.conf;

    location / {
        proxy_pass http://betatest.lospec;
        include /etc/nginx/config/proxy/proxy.conf;
    }

    #include /etc/nginx/config/cache/static.conf;
}


#16

Ah, you have a proxy, good to know. A simple configuration doesn’t have a gateway error.

Is this port two times defined?


#17

I’m not sure where else it would be defined other than this file


#18

This was a failed attempt.
As shown, you wanted --webroot authentication but it still did nginx authentication.

I think you also need to include --webroot before --webroot-path
Like:

sudo certbot -d sub.domain.com --nginx --webroot -w '/home/site/htdocs'
OR (more specifically directed with)
sudo certbot -d sub.domain.com --installer nginx --webroot -w '/home/site/htdocs'

[-w replaces (and equals) --webroot-path]


#19

Tried running it and got this:

root@afterimagehostupdate-s-3vcpu-1gb-nyc3-01:~# sudo certbot -d betatest.lospec.com --installer nginx --webroot -w '/home/lospec/htdocs'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for betatest.lospec.com
Using the webroot path /home/lospec/htdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. betatest.lospec.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://betatest.lospec.com/.well-known/acme-challenge/G05zSRbAXPXUK_DF5wdD8IQ5pN5fm3sTHge8TbE5Pac: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: betatest.lospec.com
   Type:   unauthorized
   Detail: Invalid response from
   http://betatest.lospec.com/.well-known/acme-challenge/G05zSRbAXPXUK_DF5wdD8IQ5pN5fm3sTHge8TbE5Pac:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
root@afterimagehostupdate-s-3vcpu-1gb-nyc3-01:~#
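For readers following the thread: the http-01 challenge above only succeeds if nginx answers /.well-known/acme-challenge/ from the directory given to -w, rather than redirecting or proxying that request. The vHost below is an added illustration, not a file from the thread or from Certbot; the hostname, webroot and upstream port follow the thread, and the remaining directives are assumptions.

```nginx
# Added example: vHost that serves certbot's webroot challenge while the
# rest of the site is still proxied to the node app. Names and paths are
# taken from the thread; everything else is an assumption.

upstream betatest_node {
    server 127.0.0.1:3000;   # node app started by pm2
}

server {
    listen 80;
    listen [::]:80;
    server_name betatest.lospec.com;

    # certbot --webroot -w /home/lospec/htdocs writes the token to
    # /home/lospec/htdocs/.well-known/acme-challenge/<token>; "root" maps
    # the request URI onto exactly that file.
    location ^~ /.well-known/acme-challenge/ {
        root /home/lospec/htdocs;
        default_type text/plain;
    }

    # The redirect lives inside a location block on purpose: a bare
    # "return 301" at server level runs before location matching and would
    # redirect the challenge as well, so the validator never sees the token.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name betatest.lospec.com;

    ssl_certificate     /etc/letsencrypt/live/betatest.lospec.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/betatest.lospec.com/privkey.pem;

    location / {
        proxy_pass http://betatest_node;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After `nginx -t` and a reload, dropping a test file into /home/lospec/htdocs/.well-known/acme-challenge/ and fetching it over plain HTTP confirms the path before certbot is run again.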

#20

Then that must not be the right webroot.

Please show:
grep -Eri 'root|server_name|betatest|listen|virtualhost|location' /etc/nginx