Open prawen opened 4 years ago
Hello. Can anyone help please? I've been struggling for a week to get this done.
Looks like Certbot is failing on the output of nginx --version. We check the version number to determine some of our behavior. There's a chance that Certbot won't work with Nginx compiled from source at all, but it might work fine and just be having a problem with the version number.
Some things I'd be interested to see: nginx --version?
Hello,
Thanks for your response.
nginx --version is blank, because I have set the nginx server name and version number to blank before compiling nginx. I don't want any trace of nginx or its version number anywhere; it's part of a security assessment. So do you mean that if Certbot is unable to detect the server name and version, the plugin doesn't work?
Below is the output.
nginx -V
nginx version:
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-openssl=../openssl-1.1.1g --with-openssl-opt=enable-ec_nistp_64_gcc_128 --with-openssl-opt=no-nextprotoneg --with-openssl-opt=no-weak-ssl-ciphers --with-openssl-opt=no-ssl3 --with-pcre=../pcre-8.44 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-debug --add-module=../headers-more-nginx-module-0.33
So do you mean if certbot is unable to detect the server name and version, the plugin doesn't work?
Yes, I suppose the crash would originate here, where Certbot needs a positive indication that nginx's version is greater than 0.8.48:
Perhaps you could patch nginx here, rather than removing the version string entirely:
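As an added illustration (not Certbot's own code) of the parsing step this comment points at: a Python helper that extracts the version from `nginx -V` output, handles the blanked-out version line from the report by returning None instead of crashing on `int('')`, and checks it against the 0.8.48 minimum the comment mentions. The sample outputs are constructed from the thread; `parse_nginx_version`, `version_is_supported` and `read_local_nginx` are hypothetical names.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum nginx version the plugin relies on, per the maintainer's comment above.
MIN_SUPPORTED = (0, 8, 48)

# Constructed sample: `nginx -V` from a build whose version string was blanked
# out in src/core/nginx.h, as the reporter described (trimmed configure line).
BLANK_VERSION_OUTPUT = """nginx version:
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module
"""

# Constructed sample of an unmodified build for comparison.
NORMAL_OUTPUT = "nginx version: nginx/1.18.0\nbuilt with OpenSSL 1.1.1g 21 Apr 2020\n"

# Matches "nginx version: <name>/<digits.digits...>"; the name and the
# version may each be absent, which is exactly the case the issue hit.
_VERSION_RE = re.compile(
    r"^nginx version:[ \t]*(?:(?P<name>\w+)/)?(?P<ver>[\d.]*)[ \t]*$", re.MULTILINE
)


def parse_nginx_version(output: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a tuple, or None when it has been stripped.

    Returning None (rather than letting int('') raise ValueError) lets a
    caller fail with a clear message instead of the traceback in the log.
    """
    m = _VERSION_RE.search(output)
    if not m or not m.group("ver").strip("."):
        return None
    try:
        return tuple(int(p) for p in m.group("ver").strip(".").split("."))
    except ValueError:
        return None


def version_is_supported(version: Optional[Tuple[int, ...]]) -> bool:
    """True only when a version was found and it meets the minimum."""
    return version is not None and version >= MIN_SUPPORTED


def has_ssl_module(output: str) -> bool:
    """The configure line is still informative even when the version is blank."""
    return "--with-http_ssl_module" in output


def read_local_nginx(binary: str = "nginx") -> str:
    """Hypothetical helper: nginx prints -V to stderr, so read both streams."""
    proc = subprocess.run([binary, "-V"], capture_output=True, text=True, check=False)
    return proc.stderr or proc.stdout
```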
Hello,
Thanks for your response.
I have set the name and version to null in the files below.
src/http/ngx_http_header_filter_module.c
src/core/nginx.h
src/http/v2/ngx_http_v2_filter_module.c
src/http/ngx_http_special_response.c
Now I understand why it is crashing. Let me try out your suggestion.
@ohemorange Would issuing a warning about potentially unsupported versions and simply attempting to carry out the process be a workable solution? After all, it's the same thing as what's currently done when OpenSSL replacements are detected, isn't it?
@jflopezfernandez that gets a little complicated, since we make some decisions about what syntax to use and security features to set based on Nginx version. So it would be a little trickier to implement, as we'd essentially have to lie to ourselves about the Nginx version to make those places do something reasonable, or otherwise modify those places. Not a bad suggestion though; are you interested in taking this on?
We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.
Hello! Any news? I've the same problem with nginx installed from source :(
If you've modified your Nginx install to remove the server name and version, you need to edit the Nginx configurator script to hardcode the server name as Nginx and the version of Nginx you patched in get_version.
I can confirm after modifying this function that certbot works normally again. It's unfortunate that for PCI compliance we must patch Nginx in this way but, alas, security stuff.
Hello,
I came here after contacting community.letsencrypt.org certbot.log
My operating system is (include version):
Ubuntu Server 16.04
I installed Certbot with (certbot-auto, OS package manager, pip, etc):
Installed by following instructions at https://certbot.eff.org/
I ran this command and it produced this output:
sudo certbot --nginx
Certbot's behavior differed from what I expected because:
configure arguments: --prefix= is not officially supported by certbot
Here is a Certbot log showing the issue (if available):
Saving debug log to /var/log/letsencrypt/letsencrypt.log NGINX derivative built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) built with OpenSSL 1.1.1g 21 Apr 2020 TLS SNI support enabled configure arguments: --prefix= is not officially supported by certbot An unexpected error occurred: ValueError: invalid literal for int() with base 10: ‘’ Please see the logfiles in /var/log/letsencrypt for more details.
Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:
server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name x.x.com;
    if ($request_method !~ ^(GET|PUT|POST|DELETE|OPTIONS)$ ) {
        return 444;
    }
    location / {
        //somethinghere
    }
}
More details: I've been a user of Certbot for a couple of years. It always worked for me when I installed prebuilt nginx from the apt repo. But this time I followed the steps below and am facing issues.