Why is my website saying https but not secure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
cloud.randomsource.club/nextcloud

I ran this command:
sudo certbot certonly --manual --preferred-challenges dns

It produced this output:
_acme-challenge.cloud.randomsource.club
_acme-challenge.randomsource.club

My web server is (include version):
nginx/1.18.0

The operating system my web server runs on is (include version):
debian - dietpi 8.5.1

My hosting provider, if applicable, is:
home - cox isp
No port 80, so I created my DNS TXT record.

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.28.0

After getting the cert with the above command, how did you install it into nginx?

2 Likes

I put the SSL directory in /etc/nginx/sites-available/default

Sorry, I'm new to hosting this website.

#D I E T - P I
# /etc/nginx/sites-available/default
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
}
server {

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        
        ssl_certificate /etc/nginx/certificate/nginx-certificate.crt;
        ssl_certificate_key /etc/nginx/certificate/nginx.key;

        root /var/www;

        index index.php index.html index.htm index.nginx-debian.html;

        server_name cloud.randomsource.club;

        include /etc/nginx/sites-dietpi/*.conf;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php(?:$|/) {
                include snippets/fastcgi-php.conf;
                fastcgi_pass php;
        }

}

I followed this: How can I secure connection to nextcloud? - #4 by Joulinar - Community Tutorials - DietPi Community Forum
but my port 80 is blocked, so I decided to do the DNS challenge.

I put the certificate in my domain name

Assuming this is the correct configuration file:

That's not using the Certbot files. Did you install the certificate anywhere else? Did you install the cert to begin with?

The guide you've mentioned is quite brief and lacking details at important steps. Did you use the dietpi-letsencrypt script? I'm assuming you didn't, as you needed to run Certbot manually with the manual plugin.

Also, on another note (and not really related to your current issue, but might be worthwhile): I see your DNS provider is Njalla. There is a third party DNS plugin for Njalla available (certbot-dns-njalla · PyPI). Depending on how you installed Certbot (or how your DietPi installed it), you might be able to automate the DNS challenge using that plugin.

2 Likes

So, I just put in the command sudo certbot certonly --manual --preferred-challenges dns, typed my domain again, and it is located at /etc/letsencrypt/renewal/randomsource.club.conf and /etc/letsencrypt/renewal/cloud.randomsource.club.conf.

So you only issued the certificate without installing it?

DietPi probably would have handled that for you, but as you had to run Certbot manually, you need to also manually install the certificate into your nginx configuration.

Note that the .conf files are not the certificates, but just renewal configuration files. The files you want to use in nginx are fullchain.pem and privkey.pem in the /etc/letsencrypt/live/ directory.

2 Likes

Ok, I followed this guide to get the certificates installed: Update: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX - NGINX

And it looks like it is encrypted with command sudo certbot --nginx -d randomsource.club -d cloud.randomsource.club, because it deployed the certificate to /etc/nginx/conf.d/cloud.randomsource.club.conf for me.

Although I have to fix the 404 error.

Thank you for helping

1 Like

Could you show the contents of the renewal configuration files? The command you've just used might have messed up the manual authenticator selection.

2 Likes

/etc/letsencrypt/renewal/cloud.randomsource.club.conf

# renew_before_expiry = 30 days
version = 1.28.0
archive_dir = /etc/letsencrypt/archive/cloud.randomsource.club
cert = /etc/letsencrypt/live/cloud.randomsource.club/cert.pem
privkey = /etc/letsencrypt/live/cloud.randomsource.club/privkey.pem
chain = /etc/letsencrypt/live/cloud.randomsource.club/chain.pem
fullchain = /etc/letsencrypt/live/cloud.randomsource.club/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 27b7430*************************
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
installer = nginx

/etc/letsencrypt/renewal/randomsource.club.conf

# renew_before_expiry = 30 days
version = 1.28.0
archive_dir = /etc/letsencrypt/archive/randomsource.club
cert = /etc/letsencrypt/live/randomsource.club/cert.pem
privkey = /etc/letsencrypt/live/randomsource.club/privkey.pem
chain = /etc/letsencrypt/live/randomsource.club/chain.pem
fullchain = /etc/letsencrypt/live/randomsource.club/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 27*********************
pref_challs = dns-01,
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

Hm, so cloud.randomsource.club.conf indeed is completely switched to the nginx plugin. That won't work if your port 80 is blocked.

When the time comes to renew, you should run the initial command again, but with -a manual -i nginx. Or switch to the certbot-dns-njalla plugin and use -a dns-njalla -i nginx.

3 Likes
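As an added example (not code from the thread or from Certbot), a small Python checker that reads a certbot renewal config, derives the two nginx ssl directives from its fullchain/privkey entries, and flags the two situations discussed above: an authenticator that needs port 80 on a host where port 80 is blocked, and an issued certificate with no installer to deploy it. The sample config is constructed to mirror cloud.randomsource.club.conf above, with the account id replaced by a placeholder.

```python
# Certbot authenticators that use the HTTP-01 challenge, i.e. need inbound port 80.
NEEDS_PORT_80 = {"nginx", "apache", "webroot", "standalone"}

def parse_renewal_conf(text):
    """Flatten certbot's INI-like renewal file (top-level keys + [renewalparams]) into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):  # skip comments and the section header
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def nginx_ssl_lines(text):
    """The two nginx directives: they must point at the live/ PEM files, not at the .conf."""
    conf = parse_renewal_conf(text)
    return [f"ssl_certificate {conf['fullchain']};",
            f"ssl_certificate_key {conf['privkey']};"]

def renewal_problems(text, port_80_open):
    """Reasons this renewal config will fail to renew or leave nginx without the new cert."""
    conf = parse_renewal_conf(text)
    auth = conf.get("authenticator", "")
    problems = []
    if auth in NEEDS_PORT_80 and not port_80_open:
        problems.append(f"authenticator={auth} needs HTTP-01 on port 80; "
                        "re-run with -a manual -i nginx or -a dns-njalla -i nginx")
    if "installer" not in conf:
        problems.append("no installer: certificate is issued but nothing deploys it into nginx")
    return problems

# Constructed sample mirroring the posted cloud.randomsource.club.conf (account id is a placeholder).
SAMPLE = """# renew_before_expiry = 30 days
privkey = /etc/letsencrypt/live/cloud.randomsource.club/privkey.pem
fullchain = /etc/letsencrypt/live/cloud.randomsource.club/fullchain.pem

[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = nginx
installer = nginx
"""

if __name__ == "__main__":
    print("\n".join(nginx_ssl_lines(SAMPLE)))
    for problem in renewal_problems(SAMPLE, port_80_open=False):
        print("PROBLEM:", problem)
```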
