Question

Installing Let's Encrypt changed root directory

I installed Let’s Encrypt via these instructions, but it changed my root path from /var/www/html to /usr/share/nginx/html – is there any way to reverse this?

I modified my sites-available default server block to the following (and restarted it), but it didn’t help:

server {
	listen 80 default_server;
	listen [::]:80 default_server ipv6only=on;
	
#	root /usr/share/nginx/html;
	root /var/www/html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	#server_name localhost;
	server_name MYDOMAINHERE;	

	location / {
		
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
		# Uncomment to enable naxsi on this location
		# include /etc/nginx/naxsi.rules
	}

}

Any ideas?

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

marketing8b7cf186d951e4e8dJune 2, 2017
Accepted Answer

Definitely not best practice, but in an effort to get things working, I gave up on trying to change the root and just moved everything to the /usr/share/nginx/html path.

marketing8b7cf186d951e4e8dJune 1, 2017

I tried changing the include link in nginx.conf and removing the server block from the file, but I now run into duplication errors (like “[emerg] a duplicate default server for 0.0.0.0:00 in etc/nginx/sites-available/digitalocean:21”) when testing nginx. There’s three .conf files in sites-available: digitalocean, default.bak and default.

I then tried to go back to the sites-enabled include, but noticed that the only .conf file symlinked in sites-enabled is digitalocean. Should I be using that one as my default?

Here’s my nginx.conf includes:

	include /etc/nginx/conf.d/*.conf;
	#include /etc/nginx/sites-enabled/*;
	include /etc/nginx/sites-available/*;

Here’s my sites-available default:

server {
	listen 80; # default_server;
	listen [::]:80; # default_server ipv6only=on;
	server_name MYDOMAIN;	

	return 301 https://$server_name$request_uri; #1

}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name MYDOMAIN;

    root /var/www/html;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    ssl on;
	ssl_certificate /etc/letsencrypt/live/MYDOMAIN/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/MYDOMAIN/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;

    location /
    {
        try_files $uri $uri/ =404;
    }
}
Jonathan TittleJune 1, 2017

@marketing8b7cf186d951e4e8d

You should have a server block that’s listening on port 443, which is the port that is used for SSL. If each server block is listening on port 80, then SSL will not work.

So the first thing to do would be to check /etc/nginx/sites-available to see if there are any other server blocks (configuration files) that contain a listen 443; directive.

The NGINX plugin for CertBot is still in alpha, so there’s a chance it may not work as expected, thus it’s often better to use certonly and manually make the chances to your configuration.

Ideally, all server blocks should be placed within the ./sites-available directory and symlinked to the ./sites-enabled directory instead of placing them directly in the nginx.conf file.

That being said, I’m not a big fan of symlinking files, so I change the include line in nginx.conf to use the ./sites-available directory instead of ./sites-enabled.

As far as configuration goes, the end result for a properly configured SSL-enabled server block will look something like this:

server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;

    return 301 https://$server_name$request_uri;
}

server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com www.domain.com;

    root /path/to/content;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_tickets off;
    ssl_session_timeout 5m;

    location /
    {
        try_files $uri $uri/ =404;
    }
}

The above redirects all requests on port 80 to 443 (HTTP => HTTPS), defines a few security headers, and sets the path to your Let’s Encrypt (CertBot) certificate and private key.

In the above, you’d change instances of domain.com to your actual domain as well as:

root /path/to/content;

You’d replace /path/to/content with your actual storage path (where index.html, index.php, etc is).

This line:

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

… is commented out, thus inactive, as not all NGINX installations have this file generated by default. It takes a little bit of time to generate, though I recommend it as it’s part of a complete SSL setup.

To create the file, you can run:

mkdir -p /etc/nginx/ssl

then

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

It could take anywhere from 5-6 minutes up to 10-15 depends on CPU. While it’s generating, you’ll see a series of:

.......+....+...+........................+............+
```

That'll fill up the screen line over line. Once it's done, it'll return you to the prompt. You can then uncomment that line by removing the `#` and restart NGINX.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

card icon
Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Sign up
card icon
Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.

Learn more
card icon
Become a contributor

You get paid; we donate to tech nonprofits.

Learn more
Featured on Community
Kubernetes CourseLearn Python 3Machine Learning in PythonGetting started with GoIntro to Kubernetes
DigitalOcean Products
CloudwaysVirtual MachinesManaged DatabasesManaged KubernetesBlock StorageObject StorageMarketplaceVPCLoad Balancers
Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow – whether you’re running one virtual machine or ten thousand.

Learn more ->
DigitalOcean Cloud Control Panel
Get started for free

Enter your email to get $200 in credit for your first 60 days with DigitalOcean.

New accounts only. By submitting your email you agree to our Privacy Policy.

© 2023 DigitalOcean, LLC.