Using certbot behind nginx to get certificates

Yes its finally working! Thank you guys so much! I have been on this for days trying to figure it out ... i thought it had something to do with the granted permissions! Thank you thank you thank you!!

3 Likes

I do have another question though ... so i am getting errors in the console a 500 interal server error and i was checking it out and came across this ..... psychphransiscobounce@psychphransisco:~/stocks_with_joe_backend$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
psychphransiscobounce@psychphransisco:~/stocks_with_joe_backend$ sudo systemctl restart nginx
psychphransiscobounce@psychphransisco:~/stocks_with_joe_backend$ sudo tail -f /var/log/nginx/error.log
2024/06/27 15:47:01 [warn] 56010#56010: conflicting server name "psychphransisco.com" on 0.0.0.0:80, ignored
2024/06/27 15:47:01 [warn] 56010#56010: conflicting server name "www.psychphransisco.com" on 0.0.0.0:80, ignored
2024/06/27 15:47:01 [warn] 56010#56010: conflicting server name "api.psychphransisco.com" on 0.0.0.0:80, ignored
2024/06/27 17:01:31 [emerg] 56179#56179: "ssl_dhparam" directive is duplicate in /etc/nginx/sites-enabled/default:19
2024/06/27 17:01:31 [emerg] 56180#56180: "ssl_dhparam" directive is duplicate in /etc/nginx/sites-enabled/default:19
2024/06/27 17:01:31 [notice] 56181#56181: signal process started
2024/06/27 19:17:22 [notice] 56617#56617: signal process started
2024/06/27 19:17:23 [notice] 56620#56620: signal process started
^C

What is it you are concerned about there?

The dhparam warnings are from over 2H ago and conflicting name even longer ago. I assume those are fixed from our suggestions. Yes? No?

2 Likes

I just ran that now and say that ssl_dhparam was duplicated again so I didn't know if that was a problem

Later than at 17:01 timestamp?

If so, show output of this again with uppercase T

sudo nginx -T
2 Likes

psychphransiscobounce@psychphransisco:~/stocks_with_joe_backend$
sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_names_hash_bucket_size 128;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/snippets/ssl-dhparams.conf;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
# 
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/snippets/ssl-dhparams.conf:
ssl_dhparam /etc/nginx/snippets/dhparam.pem;

# configuration file /etc/nginx/sites-enabled/default:
server {
  server_name api.psychphransisco.com;

  location / {
    proxy_pass http://localhost:3003;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/psychphransisco.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/psychphransisco.com/privkey.pem; # managed by Certbot
 # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
  server_name psychphransisco.com www.psychphransisco.com;

  root /home/psychphransiscobounce/stocks_with_joe_frontend;

  location / {
    try_files $uri $uri/ /index.html =404;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/psychphransisco.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/psychphransisco.com/privkey.pem; # managed by Certbot
  #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
  if ($host = www.psychphransisco.com) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  if ($host = psychphransisco.com) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  listen 80;

  server_name psychphransisco.com www.psychphransisco.com;
  return 404; # managed by Certbot
}

psychphransiscobounce@psychphransisco:~/stocks_with_joe_backend$

It looks all good! Thank you so much for all your help!!

1 Like

Does it?

Your last post shows that nginx loads two different files with ssl_dhparam:

File #1:

include /etc/nginx/snippets/ssl-dhparams.conf;

# configuration file /etc/nginx/snippets/ssl-dhparams.conf:
ssl_dhparam /etc/nginx/snippets/dhparam.pem;

File #2:

ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
1 Like

Sort of. The first one is in the http level of the config so is the default.

The second is within the server block so overrides that. This one is provided by Certbot. Since each server block has this one the http level one is never used.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.