Let's Encrypt with nginx

[Evren]

Hi,

I wonder if there is anyone who able to properly set up Let's Encrypt feature with nginx?

I followed suggested steps but I couldn't make it happen.

- activate Let's Encrypt in the settings
- as admin, goto Configuration -> select your distro -> select Webserver -> select your software
- copy'n'paste the acme.conf part of the configration template
- restart/reload webserver

Then I run the cron

php /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --debug

 

[information] Updating Let's Encrypt certificates
[information] Let's Encrypt certificates have been updated
[notice] Checking system's last guid

 

But, when I try to enable Let's Encrypt for a domain, the system automatically uncheck this option after I save.

Any idea?

Thanks

[d00p]

Whats your setting for the acme.conf file? 

[Evren]

location /.well-known/acme-challenge {
	alias /var/www/froxlor/.well-known/acme-challenge;

	location ~ /.well-known/acme-challenge/(.*) {
		default_type text/plain;
	}
}

And  in the panel;

Path for Let's Encrypt challenges : /var/www/froxlor

 

[d00p]

Not the content, i meant the value of the setting, the path + filename. Settings -> SSL -> Path to the acme.conf snippet, should be /etc/nginx/acme.conf for nginx

[Evren]

Since most of documents suggest /etc/apache2/conf-enabled/acme.conf, I didn't change it from the panel. Instead of changing it, I've created that path and put the acme conf inside of /etc/apache2/conf-enabled/. 

For the nginx, the path name really matter?

[Evren]

I updated the path, unfortunately, I have still same problem.

[d00p]

Well If you use nginx, why would you set the path to apache2? Well whats in the Error Log? Anything?

[Evren]

Since your all documents using that apache2 folder, I followed your steps. Nevermind, as I said, I've changed the path as you suggested.

There is no error. How can I check logs for this unexpected operations?

[d00p]

Its just defaults values...that's why these are settings, so you can adjust them according to your needs.

You can test two things

1) create file called test in /var/www/froxlor/.well-known/acme-challenge and write "Hello" into it. Then try to open http://the-domain-that-should-get-the-certificate.tld/.well-known/acme-challenge/test in your browser - you should see "Hello" - if not, the alias is not set up correctly.

2) when you are sure the alias works, run the lets encrypt cronjob with --debug flag to see what's happening. When the output is just the three lines you posted earlier, then there is no domain with let's encrypt enabled to generate a certificate for...edit that domain, validate that is has at least on SSL-enabled IP address assigned and that let's encrypt is checked

[Evren]

http://maas.im/.well-known/acme-challenge/test seem okay.

I guess I missed the point to add SSL-Enabled IP address. 

I have only one IP address, so I've added the same IP address with SSL. However, I am not sure how should I fill the rest of inputs.

Path to the SSL Certificate:

Path to the SSL Keyfile:

Path to the SSL CA certificate:

Path to the SSL CertificateChainFile: 

 

Since I didn't fill them properly, when I run the cron I'm getting an error;

[error] maas.im :: certificate file "/etc/nginx/nginx.pem" does not exist! Cannot create ssl-directives

Can your help me about it?

 

#Edit: Now; I'm getting [error] 9323#0: *94691 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking when requested https://maas.im

[Evren]

In the /etc/nginx/sites-enabled/10_froxlor_ipandport_SERVERIP.443.conf

I've commented the line 

server {
        #listen    IP:443 default_server;

Has solved my problem. So, how can I set this line from the panel as comment out? I guess If I run the cron, the line will be activated again.

[d00p]

Edit IP/Port and uncheck "create listen".

[Evren]

Thanks man!

To be clear for further visitors, I've unchecked "Create vHost-Container:" under  Edit IP/Port for SSL IP 

[d00p]

No...uncheck "Listen Statement" only

[Evren]

There is no listen statement? 

 

Froxlor Version: 0.9.39.5

[d00p]

Ah nginx  Yeah, damn. It's not possible to have a server {} block without a listen. So, either deactivate the complete vhost-container or find an error message why this is working when you comment out the listen from the vhost - do you have any manually created vhosts - maybe another one with default_server? Or non-IP specifi (just the port), like in the /etc/nginx/sites-available/default file?

On a standard Debian i never had this issue, maybe just run a2dissite default?

[Evren]

Actually, I do not have any manually created vhosts. I guess the reason is "default_server" word in de default configuration which is generated by Froxlor for the IP. So, disabling vhosts-container has been solved this problem for me.  I do not have even a2dissite

 

[d00p]

Well, as long as it works now