By: samoshi

Unable to setup certbot properly with nginx + rails

November 1, 2017
Applications Ubuntu 16.04

According to the article https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

I'm running this command to test it:

    $ sudo certbot renew --dry-run

And get this:

    WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/my_website.com.conf produced an unexpected error: At least one of the (possibly) required ports is already taken.. Skipping.
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates below have not been saved.)

    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/my_website.com/fullchain.pem (failure)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates above have not been saved.)

It's because nginx is running. But: how is it supposed to work? Stopping nginx and my website twice a day to check and possibly renew a certificate won't be a wise way to go.

How to fix it?

I'm using nginx + rails.

In cron I have this job:

    $ sudo certbot renew

2 comments
  • when I stop nginx and run the same command, it works. But again, I don't want my website to be offline twice a day, even for a short period of time, due to certbot.

  • correction: in cron I have this job:

        certbot renew --quiet

1 Answer

You shouldn't need to restart nginx, a reload should be enough. Check --help to see if your certbot has support for --post-hook "service nginx reload"

I believe newer nginx versions will reload certificates as part of their reload - and if they don't, --post-hook should only result in one nginx restart every 3 months.

  • It's not about reloading.
    It's about the fact that certbot doesn't work at all when nginx is running on port 443.

    • I never tried to get the verification to work on https because it doesn't make sense to me. I can see things really not working well when my certificate expires, and I need https running in order to get a new cert.

      I serve acme requests on plain-old-http, so I have an https-redirect server section like this in each of my LEed name-based vhosts:

          server {
              listen 80;
              #...
              # Everything except the ACME challenge is sent to HTTPS.
              location / {
                  return 301 https://$host$request_uri;
              }
              # Challenges are served over plain HTTP, so renewal never depends on the
              # (possibly expired) certificate. `alias` replaces the matched prefix, so
              # /.well-known/acme-challenge/<token> maps to
              # /websites/websitenamehere/well-known/acme-challenge/<token>.
              location ^~ /.well-known/acme-challenge/ {
                  alias /websites/websitenamehere/well-known/acme-challenge/;
                  index  index.html index.htm;
                  allow all;
                  default_type "text/plain";
              }
              #...
          }


      and I tell le to dump its challenges there.

      • re-read my question.

        • I won't.

          If you tell certbot to dump its challenges on disk, in /websites it won't need to bind to the port because nginx will serve those files and answer the acme challenge.
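A pre-renewal self-check for the webroot layout described in the comments above, added here as an example (it is not from the original thread or from certbot): it writes a random token under the aliased challenge directory and fetches it over plain HTTP the way the CA would, against a loopback stand-in that mimics the server block (challenge location served from the alias directory, everything else answered with a 301), so it runs without a real nginx. The directory layout `<webroot>/well-known/acme-challenge/` is assumed from the alias directive above, and the `misconfigured` switch shows the classic `root`-instead-of-`alias` mistake turning into a 404.

```python
import functools, http.server, os, secrets, tempfile, threading, urllib.error, urllib.request

CHALLENGE_URI = "/.well-known/acme-challenge/"   # the ^~ location in the nginx snippet above

def challenge_dir(webroot):
    # `alias` strips the location prefix: files live in <webroot>/well-known/acme-challenge/ (no leading dot, as in the answer)
    return os.path.join(webroot, "well-known", "acme-challenge")

def webroot_selfcheck(webroot, base_url):
    """Drop a random token into the challenge dir and fetch it over plain HTTP, as the CA would."""
    token = secrets.token_urlsafe(16)
    path = os.path.join(challenge_dir(webroot), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    try:
        with open(path, "w") as f:
            f.write(token)
        with urllib.request.urlopen(base_url + CHALLENGE_URI + token, timeout=5) as r:
            return r.status == 200 and r.read().decode() == token
    except (OSError, urllib.error.URLError):
        return False   # nothing on :80, wrong alias/root mapping, or the worker cannot read the file
    finally:
        if os.path.exists(path):
            os.remove(path)

class _NginxStandIn(http.server.SimpleHTTPRequestHandler):
    """Loopback stand-in for the server block: serve challenges from the alias dir, 301 the rest."""
    use_root = False   # True mimics the common mistake of writing `root` instead of `alias`
    def translate_path(self, path):
        if self.use_root:   # root appends the full URI: <webroot>/.well-known/acme-challenge/<token>
            return os.path.join(self.directory, path.lstrip("/"))
        return os.path.join(challenge_dir(self.directory), os.path.basename(path))
    def do_GET(self):
        if self.path.startswith(CHALLENGE_URI):
            return super().do_GET()
        self.send_response(301)
        self.send_header("Location", "https://" + self.headers.get("Host", "localhost") + self.path)
        self.end_headers()
    def log_message(self, *args):
        pass

def run_local_demo(misconfigured=False):
    """Run the self-check against the stand-in on a random loopback port; no real nginx needed."""
    handler = type("Handler", (_NginxStandIn,), {"use_root": misconfigured})
    with tempfile.TemporaryDirectory() as webroot:
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), functools.partial(handler, directory=webroot))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return webroot_selfcheck(webroot, "http://127.0.0.1:%d" % srv.server_address[1])
        finally:
            srv.shutdown()
```

Pointing `webroot_selfcheck` at the real webroot and `http://my_website.com` checks the live nginx the same way before `certbot renew` runs; `certbot --webroot -w <webroot>` is the mode that writes challenges to that directory instead of binding a port.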
