[SOLVED] Good nginx ssl instructions

dcolburn · 2023-01-02 00:49:05

Ooops, looks like namecheap rejected those changes.

I just tried this, instead:

A Record  *.realupnow.com  66.172.90.106  Automatic

ralph.ronnquist · 2023-01-02 01:08:32

You will need a certificate that includes both realupnow.com and www.realupnow.com so that's a new certificate; you don't want to keep the existing.

You still need to update your nginx configuration both so that it also services www.realupnow.com, and that it offers https access as well (to both domain names).

You may do the first by adding www.realupnow.com to the server_name directive (space separated).

The second, adding ssl, has a number of bits to it; perhaps the easiest is to search for that techrepublic howto ("setup ssl for nginx" might find it?) and pick knowledge from it.

dcolburn · 2023-01-02 01:13:59

Do I need to do this, first (adjusting to reflect nginx vs apache)?

certbot certificates
Find the path to the fullchain certificate you wish to reinstall
certbot revoke --cert-path /etc/letsencrypt/live/... path to the cert from above
certbot delete --cert-name yourdomain.com
rm -Rf /etc/apache2/sites-available/000-default-le-ssl.conf or whatever the name of the apache conf you had it configured on
rm -Rf 000-default-le-ssl.conf or whatever the name of the apache conf you had it configured on
sudo apache2ctl restart
certbot follow the guide to setup the new certificate

dcolburn · 2023-01-02 01:18:33

ralph.ronnquist wrote:

You still need to update your nginx configuration both so that it also services www.realupnow.com
You may do the first by adding www.realupnow.com to the server_name directive (space separated).

Do I recall, correctly, that requires altering the contents of these?

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;

ralph.ronnquist · 2023-01-02 01:22:10

No. apparently certbot includes some bogus advice that might be useful for some apache2 setups but certainly not relevant for you. It's just that the certbot developers have had their "we must do it all" hats on and try to make the tool do much more than just preparing the certificate.

With "certonly --webroot" option you avoid that but obviously the program will still insist with bogus (though technically harmless) instructions.

ralph.ronnquist · 2023-01-02 01:30:05

To follow current sysadmin style, your nginx service configuration should be a main file /etc/nginx/sites-available/realupnow.conf and optionally a side file like /etc/nginx/snippets/ssl.conf, plus the link /etc/nginx/sites-enabled/realupnow.conf pointing to ../sites-available/realupnow.conf.

I don't see a direct need to change the main configuration in /etc/nginx/nginx.conf or /etc/nginx/nginx.conf.d/* but I might be wrong in that.

dcolburn · 2023-01-02 01:43:31

OK re. correct sysadmin style, thanks.

This is what I now have in /etc/nginx/sites-available/realupnow.com (which, maybe, needs to be renamed realupnow.conf?)

All the SSL Port 443 is commented out until I get the first part correct.

server {
	listen 80;
	root /var/www/realupnow.com;
	index index.php index.html index.htm;
	server_name realupnow.com www.realupnow.com;

	location / {
		try_files $uri $uri/ =404;
	}

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	}
}

# server {
# 	listen 443 ssl realupnow.com;
# 	server_name realupnow.com www.realupnow.com;
#	root /var/www/realupnow.com;
#	index index.php index.html index.htm;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#
#	location ~ \.php$ {
#		include snippets/fastcgi-php.conf;
#		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#	}
# }

ralph.ronnquist · 2023-01-02 02:06:44

You seem to still want the local names in the DNS setup to include the base domain name, and you have now defined resolution for www.realupnow.com.realupnow.com

The record should only have www and not www.realupnow.com

The local name will get realupnow.com appended automagically.

dcolburn · 2023-01-02 02:27:26

Type 	     Host         Value        TTL

A Record 	@       66.172.90.106  Automatic

A Record 	*       66.172.90.106  Automatic

A Record 	www     66.172.90.106  Automatic

dcolburn · 2023-01-02 02:30:32

Per your sysadmin style format - should I rename /etc/nginx/sites-available/realupnow.com to ~/realupnow.conf?

ralph.ronnquist · 2023-01-02 02:42:07

It doesn't matter too much; some editors provide indentation and "block" support for files ending in .conf which could be an argument for renaming, but the name is not important; only that the link has to point to the actual file.

The pathnames used in sites-enabled/ have the additional significance that nginx will process them in alphabetical order, and if many, the first ono is taken as "the default service" if it needs that. Since you have only one there is no potential of confusion.

In short: it's up to you but make sure the link is valid.

dcolburn · 2023-01-02 02:52:53

Renamed, link recreated to sites-enabled (old one removed),

ls -l /etc/nginx/sites-enabled

shows all good,

nginx -t

says all good, nginx restarted without error.

www.realupnow.com now works.

https://realupnow.com does not.

https://www.realupnow.com does not.

Last edited by dcolburn (2023-01-02 02:56:37)

ralph.ronnquist · 2023-01-02 02:58:09

Great. The ssl configuration can be merged with the plain http configration into a single "server {...}" block. That would bring the advantage of certainly sharing the "location {..}" blocks which are where you declare service the points.

But if you, as is customary nowawdays, primarily want to only provide https service, and hev the http service merely redirect to corresponding https service, then you would certainly have separate "server {..}" blocks.

ralph.ronnquist · 2023-01-02 03:06:09

Next, according to the manual the listen directive should look like:

listen 443 ssl;

and if you want it to include a "default_server" (which you don't ) then that should be mentioned before the ssl tag rather than after it.

dcolburn · 2023-01-02 03:14:37

server {
    listen 80;
#    listen [::]:80;
    root /var/www/html;
    server_name  realupnow.com www.realupnow.com;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/realupnow.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/realupnow.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

dcolburn · 2023-01-02 03:18:16

Should I relocate /var/www/realupnow.com to /var/www/html/realupnow.com so it's in keeping with all of the instructions online?

Or will that trigger a bunch of other necessary changes (more than just in /etc/nginx/sites-available/realupnow.com/conf)?

ralph.ronnquist · 2023-01-02 03:23:36

Yes, if it comforts you. I wouldn't .
And yes, you need to change the nginx configuration accordingly.

(I would rather keep in mind that I've choosen my own root and adapt instructions where needed)

dcolburn · 2023-01-02 03:26:40

ralph.ronnquist wrote:

Yes, if it comforts you. I wouldn't .
And yes, you need to change the nginx configuration accordingly.
(I would rather keep in mind that I've choosen my own root and adapt instructions where needed)

OK, I'm good with that.

Does the code block I sent look OK, otherwise?

I commented out the IPv6 line.

I can change root /var/www/html; to root /var/www/;

ralph.ronnquist · 2023-01-02 03:27:32

Next, the server block needs to include a couple of ssl directives, in particular ssl_certificate and ssl_certificate_key
with the full pathnames for the ssl certificate and key.

Your certificate and chain have been saved at:
/etc/letsencrypt/live/realupnow.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/realupnow.com/privkey.pem

Note now that nginx run as user www-data, and that it needs access to those files. If your setup includes group ssl-cert for /etc/letsencrypt/live and /etc/letsencrypt/archive then the easy step is to add nginx to that group:

# adduser nginx ssl-cert

and then you are almost there...

dcolburn · 2023-01-02 03:34:22

/etc/letsencrypt/live and /etc/letsencrypt/archive are root:root do I want root:ssl-cert or ??

# adduser nginx ssl-cert

reports "The user 'nginx' does not exist."

Last edited by dcolburn (2023-01-02 03:39:32)

ralph.ronnquist · 2023-01-02 03:41:13

Ah, my mistake. The user is www-data... so perhaps the full sequence should be:

# addgroup ssl-cert
# chgrp ssl-cert /etc/letsencrypt/{live,archive}
# adduser www-data ssl-cert

And then you may verify access by getting no complaints from:

# runuser -u www-data cat /etc/letsencrypt/live/realupnow.com/fullchain.pem > /dev/null

dcolburn · 2023-01-02 03:55:01

Permission denied - do I need to preface with sudo?

ralph.ronnquist · 2023-01-02 03:56:47

Right. The "#" prompt is normally the signal for commands that needs to be run as root.

dcolburn · 2023-01-02 03:58:57

ralph.ronnquist wrote:

Right. The "#" prompt is normally the signal for commands that needs to be run as root.

Oddly, I'm logged in as root and I used sudo and it still "Permission denied"

ralph.ronnquist · 2023-01-02 04:01:49

If you are logged in as root then you won't need sudo.
Something else is wrong.
Can you copy&paste actually command and error?

The officially official Devuan Forum!

#51 2023-01-02 00:49:05

Re: [SOLVED] Good nginx ssl instructions

#52 2023-01-02 01:08:32

Re: [SOLVED] Good nginx ssl instructions

#53 2023-01-02 01:13:59

Re: [SOLVED] Good nginx ssl instructions

#54 2023-01-02 01:18:33

Re: [SOLVED] Good nginx ssl instructions

#55 2023-01-02 01:22:10

Re: [SOLVED] Good nginx ssl instructions

#56 2023-01-02 01:30:05

Re: [SOLVED] Good nginx ssl instructions

#57 2023-01-02 01:43:31

Re: [SOLVED] Good nginx ssl instructions

#58 2023-01-02 02:06:44

Re: [SOLVED] Good nginx ssl instructions

#59 2023-01-02 02:27:26

Re: [SOLVED] Good nginx ssl instructions

#60 2023-01-02 02:30:32

Re: [SOLVED] Good nginx ssl instructions

#61 2023-01-02 02:42:07

Re: [SOLVED] Good nginx ssl instructions

#62 2023-01-02 02:52:53

Re: [SOLVED] Good nginx ssl instructions

#63 2023-01-02 02:58:09

Re: [SOLVED] Good nginx ssl instructions

#64 2023-01-02 03:06:09

Re: [SOLVED] Good nginx ssl instructions

#65 2023-01-02 03:14:37

Re: [SOLVED] Good nginx ssl instructions

#66 2023-01-02 03:18:16

Re: [SOLVED] Good nginx ssl instructions

#67 2023-01-02 03:23:36

Re: [SOLVED] Good nginx ssl instructions

#68 2023-01-02 03:26:40

Re: [SOLVED] Good nginx ssl instructions

#69 2023-01-02 03:27:32

Re: [SOLVED] Good nginx ssl instructions

#70 2023-01-02 03:34:22

Re: [SOLVED] Good nginx ssl instructions

#71 2023-01-02 03:41:13

Re: [SOLVED] Good nginx ssl instructions

#72 2023-01-02 03:55:01

Re: [SOLVED] Good nginx ssl instructions

#73 2023-01-02 03:56:47

Re: [SOLVED] Good nginx ssl instructions

#74 2023-01-02 03:58:57

Re: [SOLVED] Good nginx ssl instructions

#75 2023-01-02 04:01:49

Re: [SOLVED] Good nginx ssl instructions

Board footer