Question

Unable to setup certbot properly with nginx + rails

Posted November 1, 2017 2.6k views
ApplicationsUbuntu 16.04

According to the article https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

I’m running command to test it:

    $ sudo certbot renew --dry-run

And get this:


      WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/my_website.com.conf produced an unexpected error: At least one of the (possibly) required ports is already taken.. Skipping.
      ** DRY RUN: simulating 'certbot renew' close to cert expiry
      **          (The test certificates below have not been saved.)

      All renewal attempts failed. The following certs could not be renewed:
        /etc/letsencrypt/live/my_website.com/fullchain.pem (failure)
      ** DRY RUN: simulating 'certbot renew' close to cert expiry
      **          (The test certificates above have not been saved.)

It’s because nginx is running. But: how is it supposted to work? Stopping nginx and my website twice a day to check and possibly renew a certificate won’t be a wise way to go

How to fix it?

I’m using nginx + rails.

In cron I have this job:

    $ sudo certbot renew
Add a comment
samoshi
By:
samoshi
Add a comment
2 comments

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
alastairc November 1, 2017

You shouldn’t need to restart nginx, a reload should be enough. Check --help to see if your certbot has support for --post-hook "service nginx reload"

I believe newer nginx version will reload certificates as part of their reload - and if they don’t --post-hook should only result in one nginx restart every 3 months.

Reply Report
  • samoshi November 1, 2017

    it’s not about reloading.
    it’s about the fact that certbot doesn’t work at all when nginx is running on 443 port.

    Reply Report
    • alastairc November 3, 2017

      I never tired to get the verification to work on https because it doesn’t make sense to me. I can see things really not working well when my certificate expires, and I need https running in order to get a new cert.

      I serve acme requests on plain-old-http, so I have an https-redirect server section like this in each of my LEed name-based vhosts:

         server {
        listen 80 ;
        #...
        location / {
            return 301 https://$host$request_uri;
        }
        location ^~ /.well-known/acme-challenge/ {
            alias /websites/websitenamehere/well-known/acme-challenge/;
            index  index.html index.htm;
            allow all;
            default_type "text/plain";
        }
        #...
   }

      and I tell le to dump it’s challenges there.

      Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help