JohnXLivingston
commented
4 years ago Have you check if ssl_certificate and ssl_certificate_key are not in double? Sometimes letsencrypt add these lines on the bottom of the file.
Closed pprw closed 4 years ago
JohnXLivingston
commented
4 years ago Have you check if ssl_certificate and ssl_certificate_key are not in double? Sometimes letsencrypt add these lines on the bottom of the file.
pprw
commented
4 years ago I just checked and I have only one ssl_certificate and one ssl_certificate_key.
I tried certbot renewal and it fails with a port 80 error. Could it be the issue?
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/subdomain.domain.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for subdomain.domain.fr
Cleaning up challenges
Attempting to renew cert (subdomain.domain.fr) from /etc/letsencrypt/renewal/subdomain.domain.fr.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/subdomain.domain.fr/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/subdomain.domain.fr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: systemctl start nginx
1 renew failure(s), 0 parse failure(s)
Oh. You have to replace subdomain.domain.fr by your domain name !
pprw
commented
4 years ago Oh. You have to replace subdomain.domain.fr by your domain name !
Of course. I just replaced my domain name by 'subdomain.domain.fr' in my github posts for privacy reasons.
Could you reopen?
pprw
commented
4 years ago I just checked and I have only one ssl_certificate and one ssl_certificate_key.
I tried certbot renewal and it fails with a port 80 error. Could it be the issue?
Certbot renewal fails only when the two ssl lines ssl_certificate and one ssl_certificate_key are uncommented. Otherwise, with comments, it works.
pprw
commented
4 years ago Also my issue is perhaps related to the fact I plan to use nginx and apache at the same time (following https://hostadvice.com/how-to/how-to-configure-nginx-and-apache-together-in-ubuntu/).
For now, I just stop apache when configuring nginx and peertube. Since apache is stopped, I don't think it could interfere but maybe I am wrong?
JohnXLivingston
commented
4 years ago It is not the good way to use apache and nginx at the same time. Your link is only for http, not https. By following it, you will have nginx on standard http port (80), and nginx on 8080. But for https, the default port is 443. So, you have to choose a non-standard port for your apache https. It will work, but is not the best solution for public website. It is better to always use standards ports for public websites.
Other solutions are a little more difficult. And it depend of your setup. Here are 2 solutions:
I use the second solution on my setup: nginx serves peertube, and some other stuff. And proxies my apache (wordpress, nextcloud, ...) I have no time to develop for now.
pprw
commented
4 years ago Thanks for the answer. I did some testing during the day and I think this is indeed the reason of my issue.
I am tied with apache because I have other websites which use it (http only) on the same server.
So I am quite interested by your solution. I am looking into it. If you have the time in the near future, I could use some tips or good links. If not, thanks anyway.
Cheers!
JohnXLivingston
commented
4 years ago What services have you behind your apache? It could be possible to have nginx behind apache, but last time I checked, it seemed harder to setup.
pprw
commented
4 years ago What services have you behing your apache?
Several websites using a CMS (Omeka S), a few static ones in html, phpmyadmin, phpliteadmin, a tomcat. I guess tomcat could be a reason to stick with apache.
It could be possible to have nginx behind apache, but last time I checked, it seemed harder to setup. ok. I have read nginx is better for static website and apache for dynamic ones (not sure of the latter).
I suppose if I use apache through nginx, I have the disadvantages of both worlds?
JohnXLivingston
commented
4 years ago I just found this: https://gist.github.com/rigelk/07a0b8963fa4fc1ad756374c28479bc7 At your own risks, it is not officially supported.
rigelk
commented
4 years ago @JohnXLivingston it has not been updated with new additions to the reverse-proxy since. Don't use it unless you know how to port what is missing.
JohnXLivingston
commented
4 years ago Maybe you can take the official nginx config, but put all the config in the http part (listening on an available port, for example 8080). And configure apache to handle http (80) and https (443) and proxify the trafic to the local http nginx port. This way, you can use a little modified version of the official peertube config.
pprw
commented
4 years ago Thanks I will do something like that I think. All my apache websites are http not https. So maybe the easiest solution is to redirect 443 traffic from apache to nginx (for peertube) and leave port 80 traffic to apache like it is now.
JohnXLivingston
commented
4 years ago You can configure apache to not listen on port 443 at all. But you will have to find a trick for certbot.
PS: you should use https for others services... Especially if you have critical services like phpmyadmin! Otherwise, your passwords can leak, or you can be the target of man in the middle attacks.
pprw
commented
4 years ago Thanks everyone. I successfully set up nginx as http server for peertube and reverse proxy for apache to support my other websites.
I share some good links for the reader interested:
(In French) https://blog.madrzejewski.com/offloader-ssl-nginx-reverse-proxy-apache/ https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-web-server-and-reverse-proxy-for-apache-on-one-ubuntu-18-04-server
JohnXLivingston
commented
4 years ago Great! Good job!
What happened? Nginx does not restart after generating the certificate with Let's Encrypt.
$ sudo systemctl status nginx.servicesays:What I did
The certificat was generated without error by:
(after stopping nginx and _commenting ssl_certificate and ssl_certificatekey lines in /etc/nginx/sites- available/peertube)
I had a "congrat" message form letsencrypt:
And I have files in /etc/letsencrypt/live/subdomain.domain.fr/
I can stop/start/reload nginx after that.
But if I uncomment ssl_certificate and ssl_certificate_key lines in /etc/nginx/sites-available/peertube, nginx does not want to reload/start.
Steps to reproduce:
Follow these steps of production guide
At the last step, I have the error pasted below.