Tom3
August 26, 2024, 8:07am
1
I managed to install the certificate but it expired after a few months, I think it was temporary. Now it won't let me renew or install a new one.
My domain is: soypotencial.net
I ran this command: sudo certbot certonly --nginx
It produced this output:
Failed to renew certificate soypotencial.net with error: Some challenges have failed.
Hint: The Certificate Authority failed to verify the temporary nginx configuration that it is accessible from the internet.
Domain: www.soypotencial.net
Type: unauthorized
Detail: 82.165.2.171: Invalid response from http://www.soypotencial.net/.well-known/acme-challenge/m3CCJX_IxWzjLRs7IFae-GxQ7Tt9GMVi2RTbgIv42iA: 404
My web server is (include version): nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0
Thanks in advance
1 Like
danb35
August 26, 2024, 10:52am
2
Yes, that's normal--Let's Encrypt certs are valid for 90 days.
Have you made any changes to your web server configuration after you got that certificate?
5 Likes
rg305
August 26, 2024, 12:09pm
3
Hi @Tom3 , and welcome to the LE community forum
It's a bit strange how these two return different content:
curl -Ii soypotencial.net <<<<<<<<<<<<<<<<<<<<<<<<<<<<
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 26 Aug 2024 12:08:04 GMT
Content-Type: text/html
Content-Length: 162 <<<<<<<<<<<<<<<<<<<<<<<<<<<<
Connection: keep-alive
Location: https://soypotencial.net/
curl -Ii www.soypotencial.net <<<<<<<<<<<<<<<<<<<<<<<<<<<<
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Aug 2024 12:08:06 GMT
Content-Type: text/html
Content-Length: 612 <<<<<<<<<<<<<<<<<<<<<<<<<<<<
Last-Modified: Wed, 27 Mar 2024 10:41:56 GMT
Connection: keep-alive
ETag: "6603f7f4-264"
Accept-Ranges: bytes
3 Likes
Tom3
August 26, 2024, 4:13pm
5
Not before I tried to renew.
I've tried different things:
adding this to default:
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/template/html/;
}
adding the same to sites-available/soypotencial.net
but it's not working. It's like it hasn't permission to write in the challenge directory...
rg305
August 26, 2024, 7:46pm
6
We should have a look at:
nginx -T
3 Likes
Tom3
August 27, 2024, 7:40am
7
Thanks.
Here is the output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
worker_rlimit_nofile 10000;
events {
worker_connections 4000;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/bbb-html5-conn-limit.conf:
limit_conn_zone $uri zone=ws_zone:5m;
# configuration file /etc/nginx/conf.d/bbb-html5-loadbalancer.conf:
upstream poolhtml5servers {
zone poolhtml5servers 32k;
least_conn;
server 127.0.0.1:4100 fail_timeout=5s max_fails=3;
server 127.0.0.1:4101 fail_timeout=5s max_fails=3;
server 127.0.0.1:4102 fail_timeout=5s max_fails=3;
server 127.0.0.1:4103 fail_timeout=5s max_fails=3;
server 127.0.0.1:4104 fail_timeout=5s max_fails=3;
server 127.0.0.1:4105 fail_timeout=5s max_fails=3;
server 127.0.0.1:4106 fail_timeout=5s max_fails=3;
server 127.0.0.1:4107 fail_timeout=5s max_fails=3;
}
# configuration file /etc/nginx/sites-enabled/bigbluebutton:
server_tokens off;
server {
server_name soypotencial.net;
location ^~ / {
return 301 https://$server_name$request_uri; #redirect HTTP to HTTPS
}
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
root /var/www/bigbluebutton-default/assets;
}
location = /.well-known/acme-challenge/ {
return 404;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/soypotencial.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/soypotencial.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
real_ip_recursive on;
server {
# this double listening is intended. We terminate SSL on haproxy. HTTP2 is a
# binary protocol. haproxy has to decide which protocol is spoken. This is
# negotiated by ALPN.
#
# Depending on the ALPN value traffic is redirected to either port 82 (HTTP2,
# ALPN value h2) or 81 (HTTP 1.0 or HTTP 1.1, ALPN value http/1.1 or no value)
listen 127.0.0.1:82 http2 proxy_protocol;
listen [::1]:82 http2;
listen 127.0.0.1:81 proxy_protocol;
listen [::1]:81;
server_name soypotencial.net;
# nginx does not know its external port/protocol behind haproxy, so use relative redirects.
absolute_redirect off;
# HSTS (uncomment to enable)
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
access_log /var/log/nginx/bigbluebutton.access.log;
# This variable is used instead of $scheme by bigbluebutton nginx include
# files, so $scheme can be overridden in reverse-proxy configurations.
set $real_scheme "https";
# BigBlueButton landing page.
location / {
root /var/www/bigbluebutton-default/assets;
try_files $uri @bbb-fe;
}
# Include specific rules for record and playback
include /etc/bigbluebutton/nginx/*.nginx;
}
server {
if ($host = soypotencial.net) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name soypotencial.net;
return 404; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# configuration file /etc/bigbluebutton/nginx/include_default.nginx:
# The purpose of this file is to be included in an nginx site configuration.
# you may copy this file to /etc/bigbluebutton/nginx/include_default.nginx and
# adapt it to your needs
#
# If you are running a cluster setup, you need to change bbb-html5.nginx
# copy it to /etc/bigbluebutting/nginx/bbb-html5.nginx and include all the
# components in /usr/share/bigbluebutton/nginx/ that you did not change.
include /usr/share/bigbluebutton/nginx/*.nginx;
# configuration file /usr/share/bigbluebutton/nginx/bbb-html5.nginx:
location @html5client {
# proxy_pass http://127.0.0.1:4100; # use for development
proxy_pass http://poolhtml5servers; # use for production
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
location /html5client/locales {
alias /usr/share/meteor/bundle/programs/web.browser/app/locales;
}
location /html5client/compatibility {
gzip_static on;
alias /usr/share/meteor/bundle/programs/web.browser/app/compatibility;
}
location /html5client/resources {
alias /usr/share/meteor/bundle/programs/web.browser/app/resources;
}
location /html5client/svgs {
alias /usr/share/meteor/bundle/programs/web.browser/app/svgs;
}
location /html5client/fonts {
alias /usr/share/meteor/bundle/programs/web.browser/app/fonts;
}
location /html5client/files {
alias /usr/share/meteor/bundle/programs/web.browser/app/files;
}
location /html5client/wasm {
types {
application/wasm wasm;
}
gzip_static on;
alias /usr/share/meteor/bundle/programs/web.browser/app/wasm;
}
location /html5client {
gzip_static on;
alias /usr/share/meteor/bundle/programs/web.browser;
try_files $uri @html5client;
}
location /html5client/sockjs {
try_files $uri @html5client;
limit_conn ws_zone 3;
}
# configuration file /usr/share/bigbluebutton/nginx/greenlight-v3.nginx:
### Greenlight version 3:
location /cable {
proxy_pass http://127.0.0.1:5050;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
}
location @bbb-fe {
proxy_pass http://127.0.0.1:5050;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_set_header Connection "";
}
location ~ '/api/v1/rooms/\w{3}-\w{3}-\w{3}-\w{3}.json$' {
proxy_pass http://127.0.0.1:5050;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_set_header Connection "";
client_max_body_size 31m;
}
location ~ '/api/v1/users/\w{8}-\w{4}-\w{4}-\w{4}-\w{12}.json$' {
proxy_pass http://127.0.0.1:5050;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_set_header Connection "";
client_max_body_size 4m;
}
location ~ /api/v1/admin/site_settings/BrandingImage.json$ {
proxy_pass http://127.0.0.1:5050;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_set_header Connection "";
client_max_body_size 4m;
}
# configuration file /usr/share/bigbluebutton/nginx/learning-dashboard.nginx:
location /learning-analytics-dashboard/ {
alias /var/bigbluebutton/learning-dashboard/;
autoindex off;
}
# configuration file /usr/share/bigbluebutton/nginx/loadbalancer.nginx:
# If you run this BBB node behind a proxy loadbalancer set the hostname of
# the loadbalancer here. This will be used to add CORS headers so requesting
# slides and API calls won't fail
set $bbb_loadbalancer_node '';
# configuration file /usr/share/bigbluebutton/nginx/notes.nginx:
# https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy
location /pad/p/ {
# Avoid setting the user name from the embedded URL
if ($arg_userName) {
return 401;
}
rewrite /pad/p/(.*) /p/$1 break;
rewrite ^/pad/p$ /pad/p/ permanent;
proxy_pass http://127.0.0.1:9001/p;
proxy_pass_header Server;
proxy_redirect /p /pad/p;
proxy_set_header Host $host;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
proxy_set_header X-Forwarded-Proto $real_scheme; # for EP to set secure cookie flag when https is used
proxy_http_version 1.1;
auth_request /bigbluebutton/connection/checkAuthorization;
auth_request_set $auth_status $upstream_status;
}
location /pad/auth_session {
rewrite /pad/auth_session(.*) /auth_session$1 break;
proxy_pass http://127.0.0.1:9001/;
proxy_pass_header Server;
proxy_set_header Host $host;
proxy_buffering off;
auth_request /bigbluebutton/connection/checkAuthorization;
auth_request_set $auth_status $upstream_status;
}
location /pad {
rewrite /pad/(.*) /$1 break;
rewrite ^/pad$ /pad/ permanent;
proxy_pass http://127.0.0.1:9001/;
proxy_pass_header Server;
proxy_redirect / /pad/;
proxy_set_header Host $host;
proxy_buffering off;
}
location /pad/socket.io/socket.io.js {
rewrite /pad/socket.io/socket.io.js /socket.io/socket.io.js break;
proxy_pass http://127.0.0.1:9001/;
proxy_set_header Host $host;
proxy_buffering off;
}
location /pad/socket.io {
rewrite /pad/socket.io/(.*) /socket.io/$1 break;
proxy_pass http://127.0.0.1:9001/;
proxy_redirect / /pad/;
proxy_set_header Host $host;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
proxy_set_header X-Forwarded-Proto $real_scheme; # for EP to set secure cookie flag when https is used
proxy_set_header Host $host; # pass the host header
proxy_http_version 1.1; # recommended with keepalive connections
# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
auth_request /bigbluebutton/connection/checkAuthorization;
auth_request_set $auth_status $upstream_status;
}
location /static {
rewrite /static/(.*) /static/$1 break;
proxy_pass http://127.0.0.1:9001/;
proxy_set_header Host $host;
proxy_buffering off;
}
# configuration file /usr/share/bigbluebutton/nginx/playback-video.nginx:
# This file is part of BigBlueButton.
#
# Copyright © BigBlueButton Inc. and by respective authors.
#
# BigBlueButton is free software: you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by the
# Free Software Foundation, either version 3.0 of the License, or (at your
# option) any later version.
#
# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with BigBlueButton. If not, see <https://www.gnu.org/licenses>.
location /playback/video/ {
alias /var/bigbluebutton/published/video/;
index index.html index.htm;
}
# configuration file /usr/share/bigbluebutton/nginx/playback.nginx:
location /playback/presentation/2.3 {
root /var/bigbluebutton;
try_files $uri /playback/presentation/2.3/index.html;
}
# configuration file /usr/share/bigbluebutton/nginx/presentation-slides.nginx:
#
# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
#
# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
#
# This program is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free Software
# Foundation; either version 3.0 of the License, or (at your option) any later
# version.
#
# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License along
# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
#
# Have nginx serve the presentation slides instead of tomcat as large files
# causes tomcat to OOM. (ralam sept 20, 2018)
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/svg\/(?<page_num>\d+)$ {
default_type image/svg+xml;
alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/svgs/slide$page_num.svg;
if ($bbb_loadbalancer_node) {
add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
}
}
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/pdf\/(?<job_id>[A-Za-z0-9]+)\/annotated_slides.pdf$ {
default_type application/pdf;
alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/pdfs/$job_id/annotated_slides.pdf;
if ($bbb_loadbalancer_node) {
add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
}
}
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/thumbnail\/(?<page_num>\d+)$ {
default_type image/png;
alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/thumbnails/thumb-$page_num.png;
if ($bbb_loadbalancer_node) {
add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
}
}
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/textfiles\/(?<page_num>\d+)$ {
default_type text/plain;
alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/textfiles/slide-$page_num.txt;
if ($bbb_loadbalancer_node) {
add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
}
}
# configuration file /usr/share/bigbluebutton/nginx/presentation.nginx:
#
# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
#
# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
#
# This program is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free Software
# Foundation; either version 3.0 of the License, or (at your option) any later
# version.
#
# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License along
# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
#
location /playback/presentation/playback.html {
return 301 /playback/presentation/0.81/playback.html?$query_string;
# If you have recordings from 0.9.0 beta versions and are sure
# that you will never want to play recordings made with
# BigBlueButton 0.81, comment the line above and uncomment the
# following line:
#return 301 /playback/presentation/0.9.0/playback.html?$query_string;
}
location /playback/presentation/2.0/playback.html {
return 301 /playback/presentation/2.3/$arg_meetingId?$query_string;
}
location /playback/presentation {
root /var/bigbluebutton;
index index.html index.htm;
}
location /presentation {
root /var/bigbluebutton/published;
index index.html index.htm;
}
# configuration file /usr/share/bigbluebutton/nginx/sip.nginx:
location /ws {
proxy_pass http://82.165.2.171:5066;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 120s;
proxy_send_timeout 120s;
client_body_timeout 120s;
send_timeout 120s;
auth_request /bigbluebutton/connection/checkAuthorization;
auth_request_set $auth_status $upstream_status;
}
# configuration file /usr/share/bigbluebutton/nginx/web.nginx:
# Handle request to bbb-web running within a SpringBoot Tomcat embedded servlet container. This is for BBB-API and Presentation.
location /bigbluebutton {
proxy_http_version 1.1;
location /bigbluebutton {
proxy_pass http://127.0.0.1:8090;
proxy_redirect default;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Workaround IE refusal to set cookies in iframe
add_header P3P 'CP="No P3P policy available"';
}
location ~ "^\/bigbluebutton\/presentation\/(?<prestoken>[a-zA-Z0-9_-]+)/upload$" {
proxy_pass http://127.0.0.1:8090;
proxy_redirect default;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Workaround IE refusal to set cookies in iframe
add_header P3P 'CP="No P3P policy available"';
# high limit for presentation as bbb-web will reject upload if larger than configured
client_max_body_size 1000m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
include fastcgi_params;
proxy_request_buffering off;
# Send a sub-request to allow bbb-web to refuse before loading
# If file is larger than configured bbb-web will return with code 403 and Header: x-file-too-large = 1
auth_request /bigbluebutton/presentation/checkPresentation;
error_page 403 = @error403;
auth_request_set $file_too_large_header $upstream_http_x_file_too_large;
}
location /bigbluebutton/presentation/download {
return 404;
}
location ~ "^/bigbluebutton/presentation/download\/[0-9a-f]+-[0-9]+/[0-9a-f]+-[0-9]+$" {
if ($arg_presFilename !~ "^[0-9a-f]+-[0-9]+\.[0-9a-zA-Z]+$") {
return 404;
}
proxy_pass http://127.0.0.1:8090$uri$is_args$args;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Workaround IE refusal to set cookies in iframe
add_header P3P 'CP="No P3P policy available"';
}
location = /bigbluebutton/presentation/checkPresentation {
proxy_pass http://127.0.0.1:8090;
proxy_redirect default;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Presentation-Token $prestoken;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Content-Length "";
proxy_set_header X-Original-Content-Length $http_content_length;
proxy_set_header X-Original-Method $request_method;
# high limit for presentation as bbb-web will reject upload if larger than configured
client_max_body_size 1000m;
client_body_buffer_size 128k;
proxy_pass_request_body off;
proxy_request_buffering off;
}
# To check connection authentication, include:
# auth_request /bigbluebutton/connection/checkAuthorization;
# auth_request_set $auth_status $upstream_status;
#
# and make sure to add sessionToken param in the request URI
location = /bigbluebutton/connection/checkAuthorization {
internal;
proxy_pass http://127.0.0.1:8090;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
location = /bigbluebutton/connection/legacyCheckAuthorization {
internal;
proxy_pass http://127.0.0.1:8090;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
location = /bigbluebutton/connection/validatePad {
internal;
proxy_pass http://127.0.0.1:8090;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
location ~ "^/bigbluebutton\/textTrack\/(?<textTrackToken>[a-zA-Z0-9]+)\/(?<recordId>[a-zA-Z0-9_-]+)\/(?<textTrack>.+)$" {
# Workaround IE refusal to set cookies in iframe
add_header P3P 'CP="No P3P policy available"';
# Allow 30M uploaded presentation document.
client_max_body_size 30m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
include fastcgi_params;
proxy_request_buffering off;
# Send a sub-request to allow bbb-web to refuse before loading
auth_request /bigbluebutton/textTrack/validateAuthToken;
default_type text/plain;
alias /var/bigbluebutton/captions/$recordId/$textTrack;
}
location = /bigbluebutton/textTrack/validateAuthToken {
internal;
proxy_pass http://127.0.0.1:8090;
proxy_redirect default;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-textTrack-token $textTrackToken;
proxy_set_header X-textTrack-recordId $recordId;
proxy_set_header X-textTrack-track $textTrack;
proxy_set_header X-Original-URI $request_uri;
}
}
location @error403 {
if ($file_too_large_header = '1') {
return 413;
}
return 403;
}
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /usr/share/bigbluebutton/nginx/webrtc-sfu.nginx:
location /bbb-webrtc-sfu {
auth_request /bigbluebutton/connection/checkAuthorization;
auth_request_set $auth_status $upstream_status;
# Extra variables are annotated by bbb-web as custom headers
auth_request_set $user_id $sent_http_user_id;
auth_request_set $meeting_id $sent_http_meeting_id;
auth_request_set $voice_bridge $sent_http_voice_bridge;
auth_request_set $user_name $sent_http_user_name;
proxy_pass http://127.0.0.1:3008;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
# Following custom headers are used by bbb-webrtc-sfu
proxy_set_header User-Id $user_id;
proxy_set_header Meeting-Id $meeting_id;
proxy_set_header Voice-Bridge $voice_bridge;
proxy_set_header User-Name $user_name;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
client_body_timeout 60s;
send_timeout 60s;
}
# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name www.soypotencial.net; # managed by Certbot; previously www.soypotencial

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/soypotencial.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/soypotencial.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.soypotencial.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name www.soypotencial.net;
    return 404; # managed by Certbot
}
1 Like
The nginx config you show is not the one being used. I just sent a request for the "home" page for that www subdomain and I got a "Welcome to nginx!" default page.
Based on the above config I should have been redirected to HTTPS.
Try restarting your nginx. Or, even better, reboot your server. If you ran a certbot command with --nginx
when nginx was not actually running, it can cause two nginx systems to be active. Maybe that is what is happening here.
This 'curl' command should have shown a redirect based on your config, not "200 OK":
curl -i http://www.soypotencial.net
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 27 Aug 2024 14:47:50 GMT
...
<!DOCTYPE html>
<html><head>
<title>Welcome to nginx!</title>
4 Likes
Tom3
August 27, 2024, 5:27pm
9
I've rebooted the server and it is showing a different error when I try to renew:
sudo certbot certonly --nginx -d soypotencial.net -d www.soypotencial.net --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for soypotencial.net and www.soypotencial.net
Encountered exception during recovery: certbot.errors.MisconfigurationError: nginx restart failed:
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] still could not bind()
nginx restart failed:
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] still could not bind()
1 Like
Hmm. What does this show?
sudo ss -pant | grep -i listen | grep -Ei ':80|:443'
3 Likes
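The `ss` command above is the right check for the bind() errors in the previous post: whatever already holds port 443 is what stops Certbot's nginx restart. As an added example that is not part of this thread, here is a small POSIX shell script that parses `sudo ss -pant` output and reports which process (name and PID) owns the LISTEN sockets on ports 80 and 443, flagging any owner that is not nginx. The sample `ss` output embedded below, including the process names and PIDs in it, is constructed so the script runs offline; on a real host you would pipe the live command into `conflicting_ports nginx` instead.

```shell
#!/bin/sh
# Added example, not from the thread: find which process owns the web ports.
# Input format is that of `sudo ss -pant` (the command suggested above).

# Constructed sample standing in for `sudo ss -pant` on a host where haproxy,
# not nginx, holds port 443 (one way to get "Address already in use").
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1234,fd=6),("nginx",pid=1233,fd=6))
LISTEN  0       511     [::]:80             [::]:*             users:(("nginx",pid=1234,fd=7),("nginx",pid=1233,fd=7))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("haproxy",pid=999,fd=5))
LISTEN  0       511     [::]:443            [::]:*             users:(("haproxy",pid=999,fd=5))
ESTAB   0       0       82.165.2.171:443    203.0.113.7:51234  users:(("haproxy",pid=999,fd=9))'

# port_owners PORT: read ss output on stdin and print the distinct
# "name pid" pairs holding LISTEN sockets on PORT, one per line.
port_owners() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            # Local address is field 4; the port is whatever follows the last ":"
            # (this also handles IPv6 forms such as [::]:443).
            n = split($4, a, ":"); if (a[n] != port) next
            # The Process column looks like users:(("nginx",pid=1234,fd=6),...)
            s = $0
            while (match(s, /\("[^"]+",pid=[0-9]+/)) {
                tok = substr(s, RSTART + 2, RLENGTH - 2)   # nginx",pid=1234
                sub(/",pid=/, " ", tok)                     # nginx 1234
                print tok
                s = substr(s, RSTART + RLENGTH)
            }
        }' | sort -u
}

# conflicting_ports EXPECTED: read ss output on stdin and print each web port
# (80, 443) that is held by a process whose name is not EXPECTED, together
# with the offending owners. Prints nothing when only EXPECTED holds them.
conflicting_ports() {
    expected="$1"
    input=$(cat)
    for p in 80 443; do
        others=$(printf '%s\n' "$input" | port_owners "$p" | awk -v e="$expected" '$1 != e')
        [ -n "$others" ] && echo "$p: $others"
    done
    return 0
}

# Run against the constructed sample. On a real host:
#   sudo ss -pant | conflicting_ports nginx
printf '%s\n' "$SAMPLE_SS" | conflicting_ports nginx
```

Two nginx master processes started from different service managers would show up here as two different PIDs on the same port with the same name, which is the "two nginx systems" case mentioned earlier; a non-nginx name on 443 points at another daemon that must be stopped or reconfigured before `certbot --nginx` can restart the server.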
Tom3
August 27, 2024, 6:00pm
11
I think I've solved it with your help. I disabled (deleted) the default nginx config, then restarted the service, but it didn't work, so I rebooted and:
sudo certbot certonly --nginx -d soypotencial.net -d www.soypotencial.net --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for soypotencial.net and www.soypotencial.net
The dry run was successful.
sudo certbot certonly --nginx -d soypotencial.net -d www.soypotencial.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for soypotencial.net and www.soypotencial.net
Hook 'deploy-hook' reported error code 1
Hook 'deploy-hook' ran with error output:
haproxy.service is not active, cannot reload.
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/soypotencial.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/soypotencial.net/privkey.pem
This certificate expires on 2024-11-25.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
If you like Certbot, please consider supporting our work by:
Somehow the nginx configurations were colliding with the default one.
Thank you all very much for your time and dedication:
@danb35
@rg305
@Osiris
@MikeMcQ
2 Likes
system
Closed
September 26, 2024, 6:00pm
12
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.