samoshi
By:
samoshi

Unable to setup certbot properly with nginx + rails

November 1, 2017 1.1k views
Applications Ubuntu 16.04

According to the article https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

I'm running command to test it:

    $ sudo certbot renew --dry-run

And get this:


      WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/my_website.com.conf produced an unexpected error: At least one of the (possibly) required ports is already taken.. Skipping.
      ** DRY RUN: simulating 'certbot renew' close to cert expiry
      **          (The test certificates below have not been saved.)

      All renewal attempts failed. The following certs could not be renewed:
        /etc/letsencrypt/live/my_website.com/fullchain.pem (failure)
      ** DRY RUN: simulating 'certbot renew' close to cert expiry
      **          (The test certificates above have not been saved.)

It's because nginx is running. But: how is it supposted to work? Stopping nginx and my website twice a day to check and possibly renew a certificate won't be a wise way to go

How to fix it?

I'm using nginx + rails.

In cron I have this job:

    $ sudo certbot renew
2 comments
  • samoshi November 1, 2017

    when I stop nginx and run the same command, it works. But again, I don't want my website to be offline twice a day, even for a short period of time, due to certbot.

  • samoshi November 1, 2017

    correction: in cron I have this job:

        certbot renew --quite
Log In to Comment
1 Answer
alastairc November 1, 2017

You shouldn't need to restart nginx, a reload should be enough. Check --help to see if your certbot has support for --post-hook "service nginx reload"

I believe newer nginx version will reload certificates as part of their reload - and if they don't --post-hook should only result in one nginx restart every 3 months.

Reply
  • samoshi November 1, 2017

    it's not about reloading.
    it's about the fact that certbot doesn't work at all when nginx is running on 443 port.

    • alastairc November 3, 2017

      I never tired to get the verification to work on https because it doesn't make sense to me. I can see things really not working well when my certificate expires, and I need https running in order to get a new cert.

      I serve acme requests on plain-old-http, so I have an https-redirect server section like this in each of my LEed name-based vhosts:

         server {
        listen 80 ;
        #...
        location / {
            return 301 https://$host$request_uri;
        }
        location ^~ /.well-known/acme-challenge/ {
            alias /websites/websitenamehere/well-known/acme-challenge/;
            index  index.html index.htm;
            allow all;
            default_type "text/plain";
        }
        #...
   }

      and I tell le to dump it's challenges there.

      • samoshi November 3, 2017

        re-read my question.

        • alastairc November 3, 2017

          I won't.

          If you tell certbot to dump it's challenges on disk, in /websites it won't need to bind to the port because nginx will serve those files and answer the acme challenge.

Have another answer? Share your knowledge.

Related Questions