Installing Let's Encrypt changed root directory

Before anything, verify do you have above block enabled. You should have symlink from sites-available to sites-enabled for config file containing server block, to be in effect.

Following your previous question, problem could be in server block you added to nginx.conf. Also, Server Block you provided is not configured for SSL and Let’s Encrypt.

I assume that Nginx follows rules from nginx.conf, which should have higher priority than rules in sites-available. Open that file again and try to find server block for you site. That Server Block should be setup to listen on port 443. Once you find it, add/change root directive to it, like you have in above provide file. Restart nginx and try again.

@marketing8b7cf186d951e4e8d

You should have a server block that’s listening on port 443, which is the port that is used for SSL. If each server block is listening on port 80, then SSL will not work.

So the first thing to do would be to check /etc/nginx/sites-available to see if there are any other server blocks (configuration files) that contain a listen 443; directive.

The NGINX plugin for CertBot is still in alpha, so there’s a chance it may not work as expected, thus it’s often better to use certonly and manually make the chances to your configuration.

…

Ideally, all server blocks should be placed within the ./sites-available directory and symlinked to the ./sites-enabled directory instead of placing them directly in the nginx.conf file.

That being said, I’m not a big fan of symlinking files, so I change the include line in nginx.conf to use the ./sites-available directory instead of ./sites-enabled.

…

As far as configuration goes, the end result for a properly configured SSL-enabled server block will look something like this:

server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;

    return 301 https://$server_name$request_uri;
}

server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com www.domain.com;

    root /path/to/content;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_tickets off;
    ssl_session_timeout 5m;

    location /
    {
        try_files $uri $uri/ =404;
    }
}

The above redirects all requests on port 80 to 443 (HTTP => HTTPS), defines a few security headers, and sets the path to your Let’s Encrypt (CertBot) certificate and private key.

In the above, you’d change instances of domain.com to your actual domain as well as:

root /path/to/content;

You’d replace /path/to/content with your actual storage path (where index.html, index.php, etc is).

…

This line:

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

… is commented out, thus inactive, as not all NGINX installations have this file generated by default. It takes a little bit of time to generate, though I recommend it as it’s part of a complete SSL setup.

To create the file, you can run:

mkdir -p /etc/nginx/ssl

then

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

It could take anywhere from 5-6 minutes up to 10-15 depends on CPU. While it’s generating, you’ll see a series of:

.......+....+...+........................+............+
```

That'll fill up the screen line over line. Once it's done, it'll return you to the prompt. You can then uncomment that line by removing the `#` and restart NGINX.