
I am trying to set up nginx to act as a reverse proxy on a small personal server; however, I am encountering some circular logic when I ask certbot to generate SSL certificates. From what I can tell, certbot is supposed to modify the nginx.conf file to use certbot's SSL certs, but certbot will not run if nginx.conf is not properly set up to use SSL certs. Here is my nginx.conf:

# /etc/nginx/nginx.conf

# Define the default server block to redirect all other traffic to a static HTML >
http{
        server {
            listen 80 default_server;
            server_name _;

            # Redirect all other traffic to the static HTML page
            location / {
                root /var/www/html;
                index index.html;
            }
        }

        # Server block for sub1.myDomain.org HTTP traffic
        server {
            listen 80;
            server_name sub1.myDomain.org;

            location / {
                proxy_pass http://localhost:60000;
            }
        }

        # Server block for sub1.myDomain.org HTTPS traffic
        server {
                listen 443 ssl;
                server_name sub1.myDomain.org;

                # certbot writes fullchain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/
                ssl_certificate /etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/sub1.myDomain.org/privkey.pem;
                location / {
                        proxy_pass https://localhost:60001;
                }
           }

        # Server block for sub2.myDomain.org HTTP traffic
        server {
            listen 80;
            server_name sub2.myDomain.org;

            location / {
                proxy_pass http://localhost:60600;
            }
        }

        # Server block for sub2.myDomain.org HTTPS traffic
        server {
                listen 443 ssl;
                server_name sub2.myDomain.org;

                # certbot writes fullchain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/
                ssl_certificate /etc/letsencrypt/live/sub2.myDomain.org/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/sub2.myDomain.org/privkey.pem;
                location / {
                        proxy_pass https://localhost:60601;
                }
          }
}

When I run sudo certbot --nginx -d sub1.myDomain.org or sudo certbot certonly --nginx I get the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')

What am I missing? Thanks so much in advance for the help. The contents of letsencrypt.log:

2023-08-06 11:02:40,026:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2023-08-06 11:02:40,414:DEBUG:certbot._internal.main:certbot version: 2.6.0
2023-08-06 11:02:40,414:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3024/bin/certbot
2023-08-06 11:02:40,414:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'sub1.myDomain.org', '--preconfigured-renewal']
2023-08-06 11:02:40,414:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEn>
2023-08-06 11:02:40,431:DEBUG:certbot._internal.log:Root logging level set at 30
2023-08-06 11:02:40,433:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2023-08-06 11:02:40,449:ERROR:certbot.util:Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed

2023-08-06 11:02:40,450:DEBUG:certbot._internal.plugins.disco:Misconfigured PluginEntryPoint#nginx: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed
Traceback (most recent call last):
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1003, in config_test
    util.run_script([self.conf('ctl'), "-c", self.nginx_conf, "-t"])
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/util.py", line 125, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 111, in prepare
    self._initialized.prepare()
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 199, in prepare
    self.config_test()
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1005, in config_test
    raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed

2023-08-06 11:02:40,452:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f8058ca2e50>
Prep: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub1.myDomain.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such fi>
nginx: configuration file /etc/nginx/nginx.conf test failed
  • Is there anything in letsencrypt.log? nginx is just complaining that fullchain.pem doesn't exist, so certbot might have failed to generate it for some reason. Maybe try sudo certbot certonly --nginx?
    – Cpt.Whale
    Commented Aug 4, 2023 at 14:31
  • I added the contents of letsencrypt.log to the main post. It still looks like certbot is attempting to compile (if that's the right word) nginx.conf before certbot creates the files necessary to compile nginx.conf
    – henley
    Commented Aug 6, 2023 at 11:10
  • certonly runs into the same error.
    – henley
    Commented Aug 6, 2023 at 11:18
  • You could retrieve a certificate without NGINX running using Certbot’s standalone feature. You could simply not have HTTPS set up (ACME HTTP challenge doesn’t need it). You could start with a self-signed certificate. // I suggest first verifying your setup using the Let’s Encrypt Staging environment, so as not to trip rate limits.
    – Daniel B
    Commented Aug 6, 2023 at 13:23

1 Answer


Once I commented out the existing https servers in nginx.conf, certbot was able to run and write its own https blocks.
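The answer above and Daniel B's comment describe the same bootstrap order: nginx must pass `nginx -t` with only port-80 server blocks until certbot has written the certificate files, and the `listen 443 ssl` blocks can only reference those files afterwards. The following script is an added example (not from the question, the answer, or the certbot project) that makes this order mechanical: it renders a site's server blocks and emits the HTTPS block only once both `fullchain.pem` and `privkey.pem` are readable under the live directory. The domain names, upstream ports, and the `LIVE_DIR` override are placeholders chosen for the example; `/etc/letsencrypt/live` is the default certbot location.

```sh
#!/bin/sh
# Added example, not code from the original question or answer.
# Renders nginx server blocks for one reverse-proxied subdomain so that the
# "listen 443 ssl" block appears only after certbot's certificate files exist.
# LIVE_DIR is an assumed override for testing; certbot's real default is
# /etc/letsencrypt/live/<domain>/{fullchain.pem,privkey.pem}.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# has_cert DOMAIN: succeeds only if both files certbot writes are readable.
has_cert() {
    d="$1"
    [ -r "$LIVE_DIR/$d/fullchain.pem" ] && [ -r "$LIVE_DIR/$d/privkey.pem" ]
}

# render_site DOMAIN HTTP_UPSTREAM_PORT HTTPS_UPSTREAM_PORT
# The port-80 block is always printed: it is what the ACME HTTP-01 challenge
# and the initial "certbot --nginx" run need. The port-443 block is printed
# only when has_cert succeeds, so "nginx -t" passes both before and after
# certbot has issued the certificate.
render_site() {
    d="$1"; hp="$2"; sp="$3"
    cat <<EOF
    server {
        listen 80;
        server_name $d;
        location / {
            proxy_pass http://localhost:$hp;
        }
    }
EOF
    if has_cert "$d"; then
        cat <<EOF
    server {
        listen 443 ssl;
        server_name $d;
        ssl_certificate $LIVE_DIR/$d/fullchain.pem;
        ssl_certificate_key $LIVE_DIR/$d/privkey.pem;
        location / {
            proxy_pass https://localhost:$sp;
        }
    }
EOF
    fi
}

# count_ssl_listeners DOMAIN HTTP_PORT HTTPS_PORT: number of "listen 443 ssl"
# lines in the rendered output (0 before certbot has run, 1 after).
count_ssl_listeners() {
    render_site "$1" "$2" "$3" | grep -c 'listen 443 ssl' || true
}

# Usage (assumed layout): render the http-level include for one subdomain.
#   LIVE_DIR=/etc/letsencrypt/live sh render-site.sh sub1.myDomain.org 60000 60001 \
#       > /etc/nginx/conf.d/sub1.conf && nginx -t
if [ "$#" -eq 3 ]; then
    render_site "$@"
fi
```

Run it once before certbot (only the port-80 block is written, `nginx -t` succeeds, `certbot --nginx -d <domain>` can complete its HTTP-01 challenge), then again after certbot has populated the live directory to add the HTTPS block. Rendering the whole block from the presence of the files, rather than commenting it out by hand, also means a renewal that ever removed the files would fail closed to HTTP-only configuration instead of breaking `nginx -t`.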
