Unsupported enhancement: ensure-http-header

Hello!
How can I activate the ensure_http_header enhancement?

I guess this comes from HSTS.

My domain is: capulanasngila.com

I ran this command: certbot install --nginx

It produced this output:

Successfully deployed certificate for www.capulanasngila.com to ....
Unable to set enhancement ensure-http-header for capulanasngila.com
Could not set up ensure-http-header enhancement
Unsupported enhancement: ensure-http-header

My web server is (include version): nginx v1.20.1

The operating system my web server runs on is (include version): centos7

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot v1.16.0

PS: I have a letsencrypt/cli.ini file if you need it.

Hi @tjapro,

This should "just work" for nginx. I think the error message may be misleading/wrong.

Would you please be able to post the full /var/log/letsencrypt/letsencrypt.log log file, resulting from this failed certbot install --nginx command?

Hi, @_az!

The output from letsencrypt.log:

cat /var/log/letsencrypt/letsencrypt.log
2021-06-03 23:35:06,868:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-06-03 23:35:07,200:DEBUG:certbot._internal.main:certbot version: 1.16.0
2021-06-03 23:35:07,201:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1201/bin/certbot
2021-06-03 23:35:07,201:DEBUG:certbot._internal.main:Arguments: ['--nginx', '--preconfigured-renewal']
2021-06-03 23:35:07,201:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-06-03 23:35:07,217:DEBUG:certbot._internal.log:Root logging level set at 30
2021-06-03 23:35:07,218:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2021-06-03 23:35:07,472:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f90b5d26790>
Prep: True
2021-06-03 23:35:07,473:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f90b5d26790>
2021-06-03 23:35:07,473:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator None, Installer nginx
2021-06-03 23:35:10,666:DEBUG:certbot.display.util:Notifying user: Deploying certificate
2021-06-03 23:35:10,696:INFO:certbot_nginx._internal.configurator:Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,696:DEBUG:certbot.display.util:Notifying user: Successfully deployed certificate for capulanasngila.com to /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,697:DEBUG:certbot.reverter:Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
2021-06-03 23:35:10,697:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2021-06-03 23:35:10,697:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,698:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2021-06-03 23:35:10,698:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2021-06-03 23:35:10,698:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,701:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:
# CAPULANASNGILA.COM

upstream php {
   server unix:/var/run/php-fpm/capulanasngila.com.sock;
}

server {
   server_name capulanasngila.com www.capulanasngila.com;
   root /var/www/capulanasngila.com/shop/;

   index index.html index.htm index.php;

   access_log /var/log/nginx/capulanasngila.com/shop_access.log;
   error_log /var/log/nginx/capulanasngila.com/shop_error.log;

   error_page 404 /404.html;
   error_page 500 502 503 504 /50x.html;

   location = /favicon.ico {
      log_not_found off;
      access_log off;
   }

   location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
   }

   location / {
      try_files $uri $uri/ /index.php?$args =404;
   }

   location /backoffice/ {
      index index.php;

#      auth_basic "Capulanas Ngila Backoffice";
#      auth_basic_user_file /etc/nginx/.htpasswd;
   }

   location ~ [^/]\.php(/|$) {
      # Max Upload from Client only in Backoffice
      client_max_body_size 10M;

      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
      if (!-f $document_root$fastcgi_script_name) {
         return 404;
      }

      include fastcgi_params;
      fastcgi_intercept_errors on;
      fastcgi_pass php;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param HTTP_PROXY "";
   }

   location ~* \.(js|css|png|jpg|jpeg|git|ico)$ {
      expires max;
      log_not_found off;
   }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/capulanasngila.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/capulanasngila.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
 
   ssl_trusted_certificate /etc/letsencrypt/live/capulanasngila.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}

server {
    if ($host = www.capulanasngila.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = capulanasngila.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


   listen 80;
   server_name capulanasngila.com www.capulanasngila.com;
    return 404; # managed by Certbot

}

2021-06-03 23:35:10,725:INFO:certbot_nginx._internal.configurator:Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,725:DEBUG:certbot.display.util:Notifying user: Successfully deployed certificate for 3037.capulanasngila.com to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,727:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:

# ... again the same file ...


2021-06-03 23:35:10,730:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:
# 3037.CAPULANASNGILA.COM

# PHP socket
upstream php8 {
# Here maybe load balance, group of servers
   server unix:/var/run/php-fpm/3037.capulanasngila.com.sock;
}

# Access Log: General
map $content_type $access {
  default         1;
  application/pdf 0;
  application/zip 0;
  image/          0;
  video/          0;
  audio/          0;
  text/plain      0;
  text/css        0;
  text/javascript 0;
}

# Access Log: Only Bad Requests
map $status $loggable {
  default 1;
  ~^[2,3] 0;
}

# Not Found Log
#map $content_type $log {
#  default         on;
#
#  application/pdf off;
#  application/zip off;
#  image/          off;
#  video/          off;
#  audio/          off;
#  text/plain      off;
#  text/css        off;
#  text/javascript off;
#}
#log_not_found $log;

# Retry-After Header Policy
map $status $retry_after {
    default '';
    429     '5';
}

# Expire Header Policy
map $content_type $expires {
  default         off;
  application/pdf 30d;
  application/zip 30d;
  image/          30d;
  video/          30d;
  audio/          30d;
  text/plain      60d;
  text/css        60d;
  text/javascript 60d;
}

# Limit Requests
limit_req_zone $binary_remote_addr zone=req_public:30m rate=30r/s;
limit_req_zone $binary_remote_addr zone=req_private:10m rate=20r/s;
limit_req_log_level warn;
limit_req_status 429;

# Limit Connections
limit_conn_zone $binary_remote_addr zone=con_public:30m;
limit_conn_zone $binary_remote_addr zone=con_private:10m;
limit_conn_log_level warn;
limit_conn_status 429;


# Server
server {
  server_name 3037.capulanasngila.com www.3037.capulanasngila.com;
  root /var/www/3037.capulanasngila.com/upload/;

  index index.htm index.html index.php;

  # Log / Error Handling
  access_log /var/log/nginx/3037.capulanasngila.com/shop_access.log main if=$access;
  access_log /var/log/nginx/3037.capulanasngila.com/shop_access_bad.log main if=$loggable;
  access_log /var/log/nginx/3037.capulanasngila.com/shop_httpoxy.log proxylog if=$http_proxy;
  error_log /var/log/nginx/3037.capulanasngila.com/shop_error.log;

  error_page 400 401 402 403 404 405 406 408 /404.html;
  error_page 500 502 503 504 /50x.html;

  # Policies
  add_header Retry-After $retry_after always;
  expires $expires;
  client_max_body_size 5M;

  # Locations
  location / {
    try_files $uri $uri/ /index.php?$args =404;

    limit_req zone=req_public burst=20 delay=5;
    limit_conn con_public 10;

  #      auth_basic "Capulanas Ngila Backoffice";
  #      auth_basic_user_file /etc/nginx/.htpasswd;
  }

  location /backoffice/ {
    index index.php;

    limit_req zone=req_private burst=10 delay=2;
    limit_conn con_private 5;

  #      auth_basic "Capulanas Ngila Backoffice";
  #      auth_basic_user_file /etc/nginx/.htpasswd;
  }

  location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # Note: here 'if' is better than 'try_files'. See: NGINX bug #321
    if (!-f $document_root$fastcgi_script_name) {
         return 404;
      }

      include fastcgi_params;
      fastcgi_intercept_errors on;
      fastcgi_pass php8;
      fastcgi_index index.php;
      # Note: here '$request_filename' is better than '$document_root$fastcgi_script_name'. See: NGINX Pitfalls and Common Mistakes
      fastcgi_param SCRIPT_FILENAME $request_filename;
  }

  # Robots
  location /robots.txt {
    allow all;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
  }

  # Favicon
  location ~ ^/favicon.(\w*)$ {
    # some browsers will search this file without see the html header.
    alias image/catalog/logo/favicon.png;
    expires max;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
  }

  # Hidden / Dot Files
  location ~ /\. {
    return 404;
  }

  # Other files (templates, ini, logs)
  location ~* \.(tpl|ini|log)$ {
    return 404;
  }

  # Other rules
  location /backoffice/view/template {
    return 404;
  }

  location /catalog/view/theme/default/template {
    return 404;
  }


   # we don't want 404 served by php when we have
   # images missing for example. Let php handle
   # only 404 for missing products, categories, etc
   # serve a pregenerated 404 html file instead
   # also show a page for other common (or not so common) 40x errors 
#   location = /404.html {
#      root /var/www/youreshop/app/www;
#   }
   
   # show a nice 500 or (50x) error page in
   # case there is a problem with your eshop
#   location = /50x.html {
#      root /var/www/youreshop/app/www;
#   }

     # Better write a script that generates sitemap.xml, googlebase.xml
     # and maybe an image sitemap using a cron job and do not let
     # opencart handle these. If there are many many products in your eshop
     # you will surely get lots of 500 errors. Serving pregenerated
     # sitemap files is better
#     location ~ ^/(?:sitemap.xml|sitemap\-images.xml|googlebase.xml) {
#            root /var/www/youreshop/app/www/sitemaps/;
#            expires 1d;
#            add_header Pragma public;
#            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
#            access_log off;
#     }

  listen [::]:443 ssl;

  listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/capulanasngila.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/capulanasngila.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

  add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

  ssl_trusted_certificate /etc/letsencrypt/live/capulanasngila.com/chain.pem; # managed by Certbot
  ssl_stapling on; # managed by Certbot
  ssl_stapling_verify on; # managed by Certbot
}


server {
    if ($host = www.3037.capulanasngila.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = 3037.capulanasngila.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80; # managed by Certbot
    listen [::]:80;
}

2021-06-03 23:35:10,752:INFO:certbot_nginx._internal.configurator:Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,752:DEBUG:certbot.display.util:Notifying user: Successfully deployed certificate for www.3037.capulanasngila.com to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,753:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:

# ... again the same file ...


2021-06-03 23:35:10,755:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:10,772:INFO:certbot_nginx._internal.configurator:Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,773:DEBUG:certbot.display.util:Notifying user: Successfully deployed certificate for www.capulanasngila.com to /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,774:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:10,776:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:10,777:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:10,779:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:20,831:INFO:certbot._internal.client:Enhancement Strict-Transport-Security was already set.
2021-06-03 23:35:20,850:INFO:certbot._internal.client:Enhancement Strict-Transport-Security was already set.
2021-06-03 23:35:20,866:INFO:certbot._internal.client:Enhancement Strict-Transport-Security was already set.
2021-06-03 23:35:20,880:INFO:certbot._internal.client:Enhancement Strict-Transport-Security was already set.
2021-06-03 23:35:20,881:DEBUG:certbot.reverter:Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
2021-06-03 23:35:20,881:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2021-06-03 23:35:20,882:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:20,882:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2021-06-03 23:35:20,882:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2021-06-03 23:35:20,882:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,884:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:20,886:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:20,899:INFO:certbot_nginx._internal.configurator:Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,908:INFO:certbot_nginx._internal.configurator:No matching insecure server blocks listening on port 80 found.
2021-06-03 23:35:20,917:INFO:certbot_nginx._internal.configurator:No matching insecure server blocks listening on port 80 found.
2021-06-03 23:35:20,927:INFO:certbot_nginx._internal.configurator:Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,927:DEBUG:certbot.reverter:Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
2021-06-03 23:35:20,927:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2021-06-03 23:35:20,927:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:20,927:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2021-06-03 23:35:20,928:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2021-06-03 23:35:20,928:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,929:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:20,931:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:20,995:DEBUG:certbot.reverter:Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
2021-06-03 23:35:20,995:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2021-06-03 23:35:20,995:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:20,995:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2021-06-03 23:35:20,996:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2021-06-03 23:35:20,996:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,997:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:20,999:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:

# ... again the same file ...

2021-06-03 23:35:21,009:ERROR:certbot._internal.client:Unable to set enhancement ensure-http-header for capulanasngila.com
2021-06-03 23:35:21,011:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 768, in enhance
    return self._enhance_func[enhancement](domain, options)
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 810, in _set_http_header
    constants.HEADER_ARGS[header_substring],
KeyError: 'Upgrade-Insecure-Requests'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/client.py", line 619, in apply_enhancement
    self.installer.enhance(dom, enhancement, options)
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 770, in enhance
    raise errors.PluginError(
certbot.errors.PluginError: Unsupported enhancement: ensure-http-header

2021-06-03 23:35:21,011:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-06-03 23:35:21,180:DEBUG:certbot.display.util:Notifying user: Could not set up ensure-http-header enhancement
2021-06-03 23:35:21,181:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 768, in enhance
    return self._enhance_func[enhancement](domain, options)
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 810, in _set_http_header
    constants.HEADER_ARGS[header_substring],
KeyError: 'Upgrade-Insecure-Requests'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/1201/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/main.py", line 1552, in main
    return config.func(config, plugins)
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/main.py", line 960, in install
    _install_cert(config, le_client, domains)
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/main.py", line 911, in _install_cert
    le_client.enhance_config(domains, path_provider.chain_path)
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/client.py", line 589, in enhance_config
    self.apply_enhancement(domains, enhancement_name, option)
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/client.py", line 619, in apply_enhancement
    self.installer.enhance(dom, enhancement, options)
  File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 770, in enhance
    raise errors.PluginError(
certbot.errors.PluginError: Unsupported enhancement: ensure-http-header
2021-06-03 23:35:21,181:ERROR:certbot._internal.log:Unsupported enhancement: ensure-http-header

I noticed that the log repeats the same files. Any idea why?

I noticed now that I have a cli.ini and a cli.ini.bkp. The bkp has auto-hsts; the other has only hsts. Why?

Sorry, but the log is very long....

Ah. Do you happen to have this in your cli.ini?

uir = True

At the moment the nginx plugin doesn't support that enhancement.

I'm not sure why your cli.ini is the way it is - it's entirely user-defined. However, I can tell you that AutoHSTS is only supported in Apache and not nginx, which might explain why you have it that way.

In any case, that error message is really confusing, I've filed a bug to get it fixed.


uir = True

Yes, I have.

So, for nginx there is only the HSTS option.

But to add UIR to nginx, only this line is needed:

add_header Content-Security-Policy upgrade-insecure-requests;

Why can't certbot do it?

The reason it wasn't added appears to be related to complexity when dealing with combined vs separated HTTP/HTTPS virtualhosts.

The reasoning might be somewhat outdated because Certbot now does --redirect by default, which always creates separate nginx HTTP and HTTPS virtual hosts. At the time of that comment (2 years earlier), it did not.

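As an added example (editor's code, not certbot's and not the original poster's config), a small Python audit of an nginx vhost in the shape certbot leaves behind: it reports the missing upgrade-insecure-requests CSP discussed above, checks that the separate port-80 vhost redirects to HTTPS, and flags a caveat that applies to the certbot-managed HSTS line: nginx does not inherit a server-level add_header into a location that sets any add_header of its own (such as the robots.txt and favicon locations in the posted config), so HSTS silently disappears for those responses. The domain, the sample config and the mini parser are constructed for this example.

```python
"""Editor's example, not certbot/nginx code: audit an nginx vhost (constructed sample below) for HSTS,
CSP upgrade-insecure-requests, the port-80 redirect, and locations whose add_header drops them."""
import re

HSTS, CSP = "strict-transport-security", "content-security-policy"
SAMPLE_CONF = """server {
    server_name example.com www.example.com;
    location /robots.txt { add_header Cache-Control "public, must-revalidate"; }
    listen 443 ssl; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
}
server {
    if ($host = example.com) { return 301 https://$host$request_uri; } # managed by Certbot
    listen 80;
    server_name example.com www.example.com;
}"""

def parse(text):
    """Minimal nginx parser: nested {'name', 'args', 'body'} nodes, comments stripped."""
    text, pos = re.sub(r"#[^\n]*", "", text), 0
    def block():
        nonlocal pos
        items, buf = [], ""
        while pos < len(text):
            ch = text[pos]
            if ch == '"':                                   # keep quoted args whole
                end = text.index('"', pos + 1)
                buf, pos = buf + text[pos:end + 1], end + 1
            elif ch in ";{":
                parts, buf, pos = buf.split(), "", pos + 1
                inner = block() if ch == "{" else None     # recurse into the block
                if parts:
                    items.append({"name": parts[0], "args": parts[1:], "body": inner})
            elif ch == "}":
                pos += 1
                return items
            else:
                buf, pos = buf + ch, pos + 1
        return items
    return block()

def header_names(items):
    """Case-folded names of the headers set by add_header at this level."""
    return {n["args"][0].lower() for n in items if n["name"] == "add_header" and n["args"]}

def sets_uir(items):
    """True if an add_header Content-Security-Policy here carries upgrade-insecure-requests."""
    return any(n["name"] == "add_header" and n["args"] and n["args"][0].lower() == CSP
               and "upgrade-insecure-requests" in " ".join(n["args"][1:]).lower() for n in items)

def redirects_to_https(items):
    """True if `return 30x https://...` appears here or inside a nested if block."""
    return any((n["name"] == "return" and len(n["args"]) > 1 and n["args"][0][:2] == "30"
                and n["args"][1].startswith("https://")) or bool(n["body"] and redirects_to_https(n["body"]))
               for n in items)

def audit(conf_text):
    """Return (server_name, scope, issue) tuples; an empty list means every check passed."""
    findings = []
    for items in (n["body"] for n in parse(conf_text) if n["name"] == "server"):
        name = next((n["args"][0] for n in items if n["name"] == "server_name"), "?")
        if not any(n["name"] == "listen" and "ssl" in n["args"] for n in items):
            if not redirects_to_https(items):            # plain-HTTP vhost must redirect
                findings.append((name, "server", "no-https-redirect"))
            continue
        top, uir = header_names(items), sets_uir(items)
        findings += [(name, "server", issue) for present, issue in
                     ((HSTS in top, "missing-hsts"), (uir, "missing-uir")) if not present]
        # nginx inherits add_header into a location only if the location sets none itself.
        for loc in (n for n in items if n["name"] == "location" and n["body"]):
            own, scope = header_names(loc["body"]), "location " + " ".join(loc["args"])
            findings += [(name, scope, issue) for lost, issue in
                         ((HSTS in top and HSTS not in own, "hsts-not-inherited"),
                          (uir and not sets_uir(loc["body"]), "uir-not-inherited")) if own and lost]
    return findings
```

Running `audit(SAMPLE_CONF)` reports the missing CSP at server level and the HSTS loss in the robots.txt location; adding the CSP line at server level still leaves both headers to be repeated inside any location that has its own add_header.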

Maybe it is the right time to do it....

Perhaps! Knowing that users want it is something that helps determine priority; nobody has asked until now. So thanks for bringing it up.


I opened a Feature Request at Certbot: Feature Request: security headers in nginx · Issue #8902 · certbot/certbot · GitHub
Thanks for your help!!!