Hi, @_az !
The output from letsencrypt.log:
cat /var/log/letsencrypt/letsencrypt.log
2021-06-03 23:35:06,868:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-06-03 23:35:07,200:DEBUG:certbot._internal.main:certbot version: 1.16.0
2021-06-03 23:35:07,201:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1201/bin/certbot
2021-06-03 23:35:07,201:DEBUG:certbot._internal.main:Arguments: ['--nginx', '--preconfigured-renewal']
2021-06-03 23:35:07,201:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-06-03 23:35:07,217:DEBUG:certbot._internal.log:Root logging level set at 30
2021-06-03 23:35:07,218:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2021-06-03 23:35:07,472:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f90b5d26790>
Prep: True
2021-06-03 23:35:07,473:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f90b5d26790>
2021-06-03 23:35:07,473:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator None, Installer nginx
2021-06-03 23:35:10,666:DEBUG:certbot.display.util:Notifying user: Deploying certificate
2021-06-03 23:35:10,696:INFO:certbot_nginx._internal.configurator:Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,696:DEBUG:certbot.display.util:Notifying user: Successfully deployed certificate for capulanasngila.com to /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,697:DEBUG:certbot.reverter:Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
2021-06-03 23:35:10,697:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2021-06-03 23:35:10,697:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,698:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2021-06-03 23:35:10,698:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2021-06-03 23:35:10,698:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,701:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:
# CAPULANASNGILA.COM
upstream php {
server unix:/var/run/php-fpm/capulanasngila.com.sock;
}
server {
server_name capulanasngila.com www.capulanasngila.com;
root /var/www/capulanasngila.com/shop/;
index index.html index.htm index.php;
access_log /var/log/nginx/capulanasngila.com/shop_access.log;
error_log /var/log/nginx/capulanasngila.com/shop_error.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location / {
try_files $uri $uri/ /index.php?$args =404;
}
location /backoffice/ {
index index.php;
# auth_basic "Capulanas Ngila Backoffice";
# auth_basic_user_file /etc/nginx/.htpasswd;
}
location ~ [^/]\.php(/|$) {
# Max Upload from Client only in Backoffice
client_max_body_size 10M;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass php;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTP_PROXY "";
}
location ~* \.(js|css|png|jpg|jpeg|git|ico)$ {
expires max;
log_not_found off;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/capulanasngila.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/capulanasngila.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/capulanasngila.com/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
server {
if ($host = www.capulanasngila.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = capulanasngila.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name capulanasngila.com www.capulanasngila.com;
return 404; # managed by Certbot
}
2021-06-03 23:35:10,725:INFO:certbot_nginx._internal.configurator:Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,725:DEBUG:certbot.display.util:Notifying user: Successfully deployed certificate for 3037.capulanasngila.com to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,727:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:10,730:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:
# 3037.CAPULANASNGILA.COM
# PHP socket
upstream php8 {
# Here maybe load balance, group of servers
server unix:/var/run/php-fpm/3037.capulanasngila.com.sock;
}
# Access Log: General
map $content_type $access {
default 1;
application/pdf 0;
application/zip 0;
image/ 0;
video/ 0;
audio/ 0;
text/plain 0;
text/css 0;
text/javascript 0;
}
# Access Log: Only Bad Requests
map $status $loggable {
default 1;
~^[2,3] 0;
}
# Not Found Log
#map $content_type $log {
# default on;
#
# application/pdf off;
# application/zip off;
# image/ off;
# video/ off;
# audio/ off;
# text/plain off;
# text/css off;
# text/javascript off;
#}
#log_not_found $log;
# Retry-After Header Policy
map $status $retry_after {
default '';
429 '5';
}
# Expire Header Policy
map $content_type $expires {
default off;
application/pdf 30d;
application/zip 30d;
image/ 30d;
video/ 30d;
audio/ 30d;
text/plain 60d;
text/css 60d;
text/javascript 60d;
}
# Limit Requests
limit_req_zone $binary_remote_addr zone=req_public:30m rate=30r/s;
limit_req_zone $binary_remote_addr zone=req_private:10m rate=20r/s;
limit_req_log_level warn;
limit_req_status 429;
# Limit Connections
limit_conn_zone $binary_remote_addr zone=con_public:30m;
limit_conn_zone $binary_remote_addr zone=con_private:10m;
limit_conn_log_level warn;
limit_conn_status 429;
# Server
server {
server_name 3037.capulanasngila.com www.3037.capulanasngila.com;
root /var/www/3037.capulanasngila.com/upload/;
index index.htm index.html index.php;
# Log / Error Handling
access_log /var/log/nginx/3037.capulanasngila.com/shop_access.log main if=$access;
access_log /var/log/nginx/3037.capulanasngila.com/shop_access_bad.log main if=$loggable;
access_log /var/log/nginx/3037.capulanasngila.com/shop_httpoxy.log proxylog if=$http_proxy;
error_log /var/log/nginx/3037.capulanasngila.com/shop_error.log;
error_page 400 401 402 403 404 405 406 408 /404.html;
error_page 500 502 503 504 /50x.html;
# Policies
add_header Retry-After $retry_after always;
expires $expires;
client_max_body_size 5M;
# Locations
location / {
try_files $uri $uri/ /index.php?$args =404;
limit_req zone=req_public burst=20 delay=5;
limit_conn con_public 10;
# auth_basic "Capulanas Ngila Backoffice";
# auth_basic_user_file /etc/nginx/.htpasswd;
}
location /backoffice/ {
index index.php;
limit_req zone=req_private burst=10 delay=2;
limit_conn con_private 5;
# auth_basic "Capulanas Ngila Backoffice";
# auth_basic_user_file /etc/nginx/.htpasswd;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Note: here 'if' is better than 'try_files'. See: NGINX bug #321
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass php8;
fastcgi_index index.php;
# Note: here '$request_filename' is better than '$document_root$fastcgi_script_name'. See: NGINX Pitfalls and Common Mistakes
fastcgi_param SCRIPT_FILENAME $request_filename;
}
# Robots
location /robots.txt {
allow all;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# Favicon
location ~ ^/favicon.(\w*)$ {
# some browsers will search this file without see the html header.
alias image/catalog/logo/favicon.png;
expires max;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# Hidden / Dot Files
location ~ /\. {
return 404;
}
# Other files (templates, ini, logs)
location ~* \.(tpl|ini|log)$ {
return 404;
}
# Other rules
location /backoffice/view/template {
return 404;
}
location /catalog/view/theme/default/template {
return 404;
}
# we don't want 404 served by php when we have
# images missing for example. Let php handle
# only 404 for missing products, categories, etc
# serve a pregenerated 404 html file instead
# also show a page for other common (or not so common) 40x errors
# location = /404.html {
# root /var/www/youreshop/app/www;
# }
# show a nice 500 or (50x) error page in
# case there is a problem with your eshop
# location = /50x.html {
# root /var/www/youreshop/app/www;
# }
# Better write a script that generates sitemap.xml, googlebase.xml
# and maybe an image sitemap using a cron job and do not let
# opencart handle these. If there are many many products in your eshop
# you will surely get lots of 500 errors. Serving pregenerated
# sitemap files is better
# location ~ ^/(?:sitemap.xml|sitemap\-images.xml|googlebase.xml) {
# root /var/www/youreshop/app/www/sitemaps/;
# expires 1d;
# add_header Pragma public;
# add_header Cache-Control "public, must-revalidate, proxy-revalidate";
# access_log off;
# }
listen [::]:443 ssl;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/capulanasngila.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/capulanasngila.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/capulanasngila.com/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
server {
if ($host = www.3037.capulanasngila.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = 3037.capulanasngila.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80; # managed by Certbot
listen [::]:80;
}
2021-06-03 23:35:10,752:INFO:certbot_nginx._internal.configurator:Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,752:DEBUG:certbot.display.util:Notifying user: Successfully deployed certificate for www.3037.capulanasngila.com to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:10,753:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:10,755:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:10,772:INFO:certbot_nginx._internal.configurator:Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,773:DEBUG:certbot.display.util:Notifying user: Successfully deployed certificate for www.capulanasngila.com to /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:10,774:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:10,776:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:10,777:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:10,779:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:20,831:INFO:certbot._internal.client:Enhancement Strict-Transport-Security was already set.
2021-06-03 23:35:20,850:INFO:certbot._internal.client:Enhancement Strict-Transport-Security was already set.
2021-06-03 23:35:20,866:INFO:certbot._internal.client:Enhancement Strict-Transport-Security was already set.
2021-06-03 23:35:20,880:INFO:certbot._internal.client:Enhancement Strict-Transport-Security was already set.
2021-06-03 23:35:20,881:DEBUG:certbot.reverter:Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
2021-06-03 23:35:20,881:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2021-06-03 23:35:20,882:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:20,882:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2021-06-03 23:35:20,882:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2021-06-03 23:35:20,882:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,884:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:20,886:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:20,899:INFO:certbot_nginx._internal.configurator:Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,908:INFO:certbot_nginx._internal.configurator:No matching insecure server blocks listening on port 80 found.
2021-06-03 23:35:20,917:INFO:certbot_nginx._internal.configurator:No matching insecure server blocks listening on port 80 found.
2021-06-03 23:35:20,927:INFO:certbot_nginx._internal.configurator:Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,927:DEBUG:certbot.reverter:Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
2021-06-03 23:35:20,927:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2021-06-03 23:35:20,927:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:20,927:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2021-06-03 23:35:20,928:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2021-06-03 23:35:20,928:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,929:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:20,931:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:20,995:DEBUG:certbot.reverter:Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
2021-06-03 23:35:20,995:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2021-06-03 23:35:20,995:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/3037.capulanasngila.com.conf
2021-06-03 23:35:20,995:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2021-06-03 23:35:20,996:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2021-06-03 23:35:20,996:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/capulanasngila.com.conf
2021-06-03 23:35:20,997:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:20,999:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/3037.capulanasngila.com.conf:
# ... again the same file ...
2021-06-03 23:35:21,009:ERROR:certbot._internal.client:Unable to set enhancement ensure-http-header for capulanasngila.com
2021-06-03 23:35:21,011:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 768, in enhance
return self._enhance_func[enhancement](domain, options)
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 810, in _set_http_header
constants.HEADER_ARGS[header_substring],
KeyError: 'Upgrade-Insecure-Requests'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/client.py", line 619, in apply_enhancement
self.installer.enhance(dom, enhancement, options)
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 770, in enhance
raise errors.PluginError(
certbot.errors.PluginError: Unsupported enhancement: ensure-http-header
2021-06-03 23:35:21,011:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-06-03 23:35:21,180:DEBUG:certbot.display.util:Notifying user: Could not set up ensure-http-header enhancement
2021-06-03 23:35:21,181:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 768, in enhance
return self._enhance_func[enhancement](domain, options)
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 810, in _set_http_header
constants.HEADER_ARGS[header_substring],
KeyError: 'Upgrade-Insecure-Requests'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/snap/certbot/1201/bin/certbot", line 8, in <module>
sys.exit(main())
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/main.py", line 1552, in main
return config.func(config, plugins)
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/main.py", line 960, in install
_install_cert(config, le_client, domains)
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/main.py", line 911, in _install_cert
le_client.enhance_config(domains, path_provider.chain_path)
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/client.py", line 589, in enhance_config
self.apply_enhancement(domains, enhancement_name, option)
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/client.py", line 619, in apply_enhancement
self.installer.enhance(dom, enhancement, options)
File "/var/lib/snapd/snap/certbot/1201/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 770, in enhance
raise errors.PluginError(
certbot.errors.PluginError: Unsupported enhancement: ensure-http-header
2021-06-03 23:35:21,181:ERROR:certbot._internal.log:Unsupported enhancement: ensure-http-header
I noticed that the log repeats the same files. Any idea why?
I noticed now that I have a cli.ini and a cli.ini.bkp. The bkp has auto-hsts; the other has only hsts. Why?