Installing Let's Encrypt changed root directory

June 1, 2017 307 views
Let's Encrypt Nginx Ubuntu

I installed Let's Encrypt via these instructions, but it changed my root path from /var/www/html to /usr/share/nginx/html -- is there any way to reverse this?

I modified my sites-available default server block to the following (and restarted it), but it didn't help:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

#   root /usr/share/nginx/html;
    root /var/www/html;
    index index.html index.htm;

    # Make site accessible from http://localhost/
    #server_name localhost;
    server_name MYDOMAINHERE;   

    location / {

        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

}

Any ideas?

4 Answers

Definitely not best practice, but in an effort to get things working, I gave up on trying to change the root and just moved everything to the /usr/share/nginx/html path.

Before anything, verify do you have above block enabled. You should have symlink from sites-available to sites-enabled for config file containing server block, to be in effect.

Following your previous question, problem could be in server block you added to nginx.conf.
Also, Server Block you provided is not configured for SSL and Let's Encrypt.

I assume that Nginx follows rules from nginx.conf, which should have higher priority than rules in sites-available. Open that file again and try to find server block for you site. That Server Block should be setup to listen on port 443. Once you find it, add/change root directive to it, like you have in above provide file.
Restart nginx and try again.

@marketing8b7cf186d951e4e8d

You should have a server block that's listening on port 443, which is the port that is used for SSL. If each server block is listening on port 80, then SSL will not work.

So the first thing to do would be to check /etc/nginx/sites-available to see if there are any other server blocks (configuration files) that contain a listen 443; directive.

The NGINX plugin for CertBot is still in alpha, so there's a chance it may not work as expected, thus it's often better to use certonly and manually make the chances to your configuration.

...

Ideally, all server blocks should be placed within the ./sites-available directory and symlinked to the ./sites-enabled directory instead of placing them directly in the nginx.conf file.

That being said, I'm not a big fan of symlinking files, so I change the include line in nginx.conf to use the ./sites-available directory instead of ./sites-enabled.

...

As far as configuration goes, the end result for a properly configured SSL-enabled server block will look something like this:

server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;

    return 301 https://$server_name$request_uri;
}

server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com www.domain.com;

    root /path/to/content;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_tickets off;
    ssl_session_timeout 5m;

    location /
    {
        try_files $uri $uri/ =404;
    }
}

The above redirects all requests on port 80 to 443 (HTTP => HTTPS), defines a few security headers, and sets the path to your Let's Encrypt (CertBot) certificate and private key.

In the above, you'd change instances of domain.com to your actual domain as well as:

root /path/to/content;

You'd replace /path/to/content with your actual storage path (where index.html, index.php, etc is).

...

This line:

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

... is commented out, thus inactive, as not all NGINX installations have this file generated by default. It takes a little bit of time to generate, though I recommend it as it's part of a complete SSL setup.

To create the file, you can run:

mkdir -p /etc/nginx/ssl

then

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

It could take anywhere from 5-6 minutes up to 10-15 depends on CPU. While it's generating, you'll see a series of:

.......+....+...+........................+............+

That'll fill up the screen line over line. Once it's done, it'll return you to the prompt. You can then uncomment that line by removing the # and restart NGINX.

I tried changing the include link in nginx.conf and removing the server block from the file, but I now run into duplication errors (like "[emerg] a duplicate default server for 0.0.0.0:00 in etc/nginx/sites-available/digitalocean:21") when testing nginx. There's three .conf files in sites-available: digitalocean, default.bak and default.

I then tried to go back to the sites-enabled include, but noticed that the only .conf file symlinked in sites-enabled is digitalocean. Should I be using that one as my default?

Here's my nginx.conf includes:

    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;
    include /etc/nginx/sites-available/*;

Here's my sites-available default:

server {
    listen 80; # default_server;
    listen [::]:80; # default_server ipv6only=on;
    server_name MYDOMAIN;   

    return 301 https://$server_name$request_uri; #1

}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name MYDOMAIN;

    root /var/www/html;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    ssl on;
    ssl_certificate /etc/letsencrypt/live/MYDOMAIN/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/MYDOMAIN/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;

    location /
    {
        try_files $uri $uri/ =404;
    }
}
Have another answer? Share your knowledge.