Updating cert with new domains: Could not automatically find a matching server block


#1

I set up a virtual host and assigned it an SSL using:
certbot -n --nginx --redirect --post-hook "systemctl reload nginx" -d marketing.dev.youandmedigital.net

Certbot edited my nginx virtualhost file for marketing.dev.youandmedigital.net, which looks like this (and all was working fine at this point):

server {
    server_name marketing.dev.youandmedigital.net;
    include /etc/nginx/conf.d/marketing.d/main.conf;
    include /etc/nginx/default_error_messages.conf;

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/marketing.dev.youandmedigital.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/marketing.dev.youandmedigital.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = marketing.dev.youandmedigital.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name marketing.dev.youandmedigital.net;
    return 404; # managed by Certbot
}

I needed to add another domain name and ssl to marketing.dev.youandmedigital.net, so I used the --expand command to update my original certificate (full command can be seen below).

The new certificate was issued without any problems, however it didn’t update my NGINX virtualhost file for marketing.dev.youandmedigital.net. I had to add the new domain to “server_name” manually in my config file. I guess I was expecting certbot to update my nginx virtualhost file like this, but it didn’t…

server {
    server_name marketing.dev.youandmedigital.net youandme.digital;
    include /etc/nginx/conf.d/marketing.d/main.conf;
    include /etc/nginx/default_error_messages.conf;

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/marketing.dev.youandmedigital.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/marketing.dev.youandmedigital.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = marketing.dev.youandmedigital.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = youandme.digital) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name marketing.dev.youandmedigital.net youandme.digital;
    return 404; # managed by Certbot

}

Am I going about this the right way? If I update my cert to add more domains, shouldn’t the certbot nginx plugin update my config files too? Or do I have to do this manually?

My domain is:

https://dev.youandmedigital.net

I ran this command:

certbot -n --nginx --redirect --expand --post-hook "systemctl reload nginx" -d marketing.dev.youandmedigital.net -d youandme.digital -d www.youandme.digital

It produced this output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@yam-avalon-ams3-01:~# certbot -n --nginx --redirect --expand --post-hook "systemctl reload nginx" -d marketing.dev.youandmedigital.net -d youandme.digital -d www.youandme.digital
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert not yet due for renewal
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/conf.d/marketing.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/marketing.conf
Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

My web server is (include version):

nginx version: nginx/1.10.3 (Ubuntu)
certbot 0.22.2

The operating system my web server runs on is (include version):

Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is:

n/a

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No


#2

It seems correct that the certificate gets issued to names that are already in a server block.
And that it may create a matching HTTPS block (when one doesn’t exist) for an existing HTTP block.
But if the certificate installation program was to add new name(s) to a block, how would it know to which, or if it should create a whole new block?

In other words, expanding a cert does not equal expanding a block.
You can have one cert that covers many, or even all, your blocks - one big cert.
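The matching rule described in #2, turned into a pre-flight check you can run before `certbot --nginx --expand` (added example code, not from the thread or from certbot): the nginx installer looks for `server_name` entries, so any `-d` name no block declares is reported, as is any name nginx already serves over TLS that the new certificate would not cover. The sample config is constructed from the marketing.conf above; the parser is a simplification that reads `server_name` and `listen ... ssl` from a single file and does not follow `include`.

```python
import re

# Constructed sample modelled on the thread's marketing.conf (added example, not from the post).
SAMPLE_CONF = """
server {
    server_name marketing.dev.youandmedigital.net;
    listen 443 ssl; # managed by Certbot
}
server {
    if ($host = marketing.dev.youandmedigital.net) { return 301 https://$host$request_uri; }
    listen 80;
    server_name marketing.dev.youandmedigital.net;
}
"""

def split_server_blocks(conf):
    """Bodies of each `server { ... }` block; brace depth keeps nested `if` blocks inside."""
    conf = re.sub(r"#[^\n]*", "", conf)  # comments may contain braces; drop them first
    blocks, depth, start, start_depth = [], 0, None, 0
    for i, ch in enumerate(conf):
        if ch == "{":
            if start is None and re.search(r"\bserver\s*$", conf[:i]):
                start, start_depth = i + 1, depth
            depth += 1
        elif ch == "}":
            depth -= 1
            if start is not None and depth == start_depth:
                blocks.append(conf[start:i])
                start = None
    return blocks

def block_names(body):
    """Return (set of server_name entries, True if the block has a `listen ... ssl`)."""
    names = set()
    for m in re.finditer(r"(?m)^\s*server_name\s+([^;]+);", body):
        names.update(m.group(1).split())
    return names, re.search(r"(?m)^\s*listen\s+[^;]*\bssl\b", body) is not None

def coverage_report(conf, cert_names):
    """no_server_block: -d names no block declares (certbot's nginx installer then stops
    with the error quoted above); tls_name_not_in_cert: TLS-served names the cert lacks."""
    declared, tls_served = set(), set()
    for body in split_server_blocks(conf):
        names, is_tls = block_names(body)
        declared |= names
        tls_served |= names if is_tls else set()
    wanted = set(cert_names)
    return {"no_server_block": sorted(wanted - declared),
            "tls_name_not_in_cert": sorted(tls_served - wanted)}
```

Run against the real file with `coverage_report(open("/etc/nginx/conf.d/marketing.conf").read(), [...])`; an empty `no_server_block` list means every requested name has a block the installer can deploy into.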


#3

Thanks for your response @rg305.

I’ve stopped running the certbot NGINX plugin for now in favour of issuing certificates manually. I have managed to automate what I expected to happen in my original post.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.