Certbot setup failed
I have ~5 servers running on my 1 linode, all behind nginx and uwsgi (they all use Python - a variety of frameworks).
I want to integrate one of them with GoogleAssistant, so I'm finally forced to embrace SSL. So I decided to set that up for this 1 site, plus my wikilog.
I tried following the process at https://www.linode.com/docs/quick-answers/websites/secure-http-traffic-certbot/
But it seems like nothing happened (in that my nginx.conf file is unchanged, and hitting either site with https gives a "server didn't respond" outcome). I suspect my nginx might have a sufficiently weird config that Certbot choked. (I do have the letsencrypt directory.)
Detailed notes are at: http://webseitz.fluxent.com/wiki/MakingGoogleAssistantCoachBot
6 Replies
bbigger
Linode Staff
From what you've provided, there are several possible issues at root here. After reviewing your notes, it sounds like Certbot was able to issue the certificates, but failed at updating your NGINX configuration to create a functioning HTTPS server as you suspect. There are several potential causes for this — examining /var/log/letsencrypt/letsencrypt.log may help with troubleshooting on that front.
Otherwise, you should still be able to manually configure an HTTPS server with NGINX. Toward that end, part 3 of our NGINX guide, as well as examining this NGINX blog post on the changes Certbot would have made will give you an idea on how you'd configure your own webserver and set up automatic renewal. Finally, it probably goes without saying, but Certbot's own User Guide has additional useful information.
Hope this helps!
I read through the log and a few posts, made some changes to the appropriate nginx.conf. But am playing whack-a-mole with errors.
Pls see new Jun08 notes at http://webseitz.fluxent.com/wiki/MakingGoogleAssistantCoachBot
FWIW certbot is capable of doing two different (although related) things:
- Obtain / refresh a certificate
- Install it into your web server config
There is a lot of variability in how people write web server configs, so it just might be better to only let certbot do the first part and do the second part yourself.
Certbot will store the latest (current) certs in this directory:
/etc/letsencrypt/live/DOMAIN
under predefined names like chain.pem and privkey.pem.
It's really easy to edit your nginx config to make use of these files:
ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
And now there is only one thing left to do - restarting the web server after each reissue of the cert(s).
For this you can drop a shell script into
/etc/letsencrypt/renewal-hooks/deploy
with commands to restart your server. Remember that current cert and key always have the same names, so it's not necessary to edit nginx config, only a restart is required:
#!/bin/sh
systemctl restart nginx postfix dovecot
Or if you wanted to get fancy:
#!/bin/sh
(
echo "Certbot renewal\n\n$RENEWED_LINEAGE\n\n$RENEWED_DOMAINS\n\n"
systemctl restart nginx postfix dovecot
systemctl status nginx postfix dovecot
) | mail -s "Certbot renewal" foo@bar.com
Are there any parts of /var/log/letsencrypt/letsencrypt.log that I should not share here, for security reasons?
Since I don't have a /live/ subdirectory of /etc/letsencrypt, I guess Certbot failed before getting that far….
First line in the log: 2019-05-22 08:51:57,057:DEBUG:certbot.main:certbot version: 0.31.0
First place there's a traceback:
2019-05-22 08:52:28,993:DEBUG:certbot.util:Not suggesting name "localhost"
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/util.py", line 310, in get_filtered_names
filtered_names.add(enforce_le_validity(name))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 531, in enforce_le_validity
"{0} needs at least two labels".format(domain))
certbot.errors.ConfigurationError: localhost needs at least two labels
2019-05-22 08:53:45,372:INFO:certbot.main:Obtaining a new certificate
2019-05-22 08:53:45,528:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2019-05-22 08:53:45,537:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
A certificate for localhost server name just doesn't make sense (but I'm not sure if this is a critical error or just informational).
Personally at this point I'd blow away /etc/letsencrypt, reinstall certbot, and start over using certbot only to obtain the cert(s):
https://certbot.eff.org/docs/using.html#webroot
You're looking at something similar to this:
certbot certonly --webroot -w /var/www/example -d www.example.com -d example.com -d mail.example.com
which assumes that example.com is served out of /var/www/example, and if certbot puts some files there - they'll be picked up by nginx for serving (this is for validation of domain ownership).
Depending on your nginx config, you may also need an explicit location ^~ /.well-known/acme-challenge/ with a root to match your certbot command line and vice versa (the -w directory option).