Froxlor Forum

Let's Encrypt with nginx


Evren

Question

Hi,

I wonder if there is anyone who is able to properly set up the Let's Encrypt feature with nginx?

I followed suggested steps but I couldn't make it happen.

- activate Let's Encrypt in the settings
- as admin, goto Configuration -> select your distro -> select Webserver -> select your software
- copy'n'paste the acme.conf part of the configuration template
- restart/reload webserver

Then I run the cron:

php /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --debug

[information] Updating Let's Encrypt certificates
[information] Let's Encrypt certificates have been updated
[notice] Checking system's last guid

But when I try to enable Let's Encrypt for a domain, the system automatically unchecks this option after I save.

Any idea?

Thanks


17 answers to this question

location /.well-known/acme-challenge {
	alias /var/www/froxlor/.well-known/acme-challenge;

	location ~ /.well-known/acme-challenge/(.*) {
		default_type text/plain;
	}
}

And in the panel:

Path for Let's Encrypt challenges : /var/www/froxlor


Since most documents suggest /etc/apache2/conf-enabled/acme.conf, I didn't change it from the panel. Instead of changing it, I've created that path and put the acme conf inside /etc/apache2/conf-enabled/.

For nginx, does the path name really matter?


It's just default values... that's why these are settings, so you can adjust them according to your needs.

You can test two things

1) create a file called test in /var/www/froxlor/.well-known/acme-challenge and write "Hello" into it. Then try to open http://the-domain-that-should-get-the-certificate.tld/.well-known/acme-challenge/test in your browser - you should see "Hello" - if not, the alias is not set up correctly.

2) when you are sure the alias works, run the Let's Encrypt cronjob with the --debug flag to see what's happening. When the output is just the three lines you posted earlier, then there is no domain with Let's Encrypt enabled to generate a certificate for... edit that domain, validate that it has at least one SSL-enabled IP address assigned and that Let's Encrypt is checked


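The alias check from the reply above, as an added shell example that is not from this thread or from Froxlor: it writes a random token file into the challenge directory, fetches it over plain HTTP with curl (assumed installed), and compares the body, so a stale "test" file or another vhost answering the request cannot produce a false pass. ACME_ROOT defaults to the panel's /var/www/froxlor challenge path; the domain is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the thread or from Froxlor: probe the nginx alias for
# /.well-known/acme-challenge the way an HTTP-01 validation would reach it.
# Assumed: ACME_ROOT is the challenge directory under the path set in the panel
# (default /var/www/froxlor) and curl is installed.

ACME_ROOT="${ACME_ROOT:-/var/www/froxlor/.well-known/acme-challenge}"

# Random file name, so a stale "test" file or a cached answer cannot pass.
make_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Fetch a URL over plain HTTP and print the body. Kept separate so the
# transport can be swapped out; -f makes curl fail on 4xx/5xx responses.
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# check_acme_alias DOMAIN: prints "ok" when the token written under ACME_ROOT
# is served back unchanged at http://DOMAIN/.well-known/acme-challenge/TOKEN.
check_acme_alias() {
    domain="$1"
    token="$(make_token)"
    expected="probe-$token"
    file="$ACME_ROOT/$token"

    mkdir -p "$ACME_ROOT" || return 1
    printf '%s' "$expected" > "$file" || return 1

    if body="$(fetch_url "http://$domain/.well-known/acme-challenge/$token")"; then
        rm -f "$file"
    else
        rm -f "$file"
        echo "request failed: port-80 vhost or alias does not serve the challenge path" >&2
        return 1
    fi

    if [ "$body" != "$expected" ]; then
        echo "wrong body: another location or vhost answered for /.well-known/acme-challenge" >&2
        return 1
    fi
    echo ok
}

# Usage: ./check_acme.sh the-domain-that-should-get-the-certificate.tld
if [ -n "${1:-}" ]; then
    check_acme_alias "$1"
fi
```

If the request fails, fix the port-80 vhost or the alias before touching the cron; if the body is wrong, some other location or vhost is answering for that path.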
http://maas.im/.well-known/acme-challenge/test seems okay.

I guess I missed the point to add SSL-Enabled IP address. 

I have only one IP address, so I've added the same IP address with SSL. However, I am not sure how I should fill in the rest of the inputs.

Path to the SSL Certificate:

Path to the SSL Keyfile:

Path to the SSL CA certificate:

Path to the SSL CertificateChainFile:

Since I didn't fill them in properly, I'm getting an error when I run the cron:

[error] maas.im :: certificate file "/etc/nginx/nginx.pem" does not exist! Cannot create ssl-directives

Can you help me with it?

Edit: Now I'm getting [error] 9323#0: *94691 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking when requesting https://maas.im


In /etc/nginx/sites-enabled/10_froxlor_ipandport_SERVERIP.443.conf I've commented out the line

server {
        #listen    IP:443 default_server;

and that solved my problem. So, how can I comment this line out from the panel? I guess if I run the cron, the line will be activated again.


Ah nginx :P Yeah, damn. It's not possible to have a server {} block without a listen. So, either deactivate the complete vhost container or find an error message explaining why this works when you comment out the listen from the vhost - do you have any manually created vhosts - maybe another one with default_server? Or a non-IP-specific one (just the port), like in the /etc/nginx/sites-available/default file?

On a standard Debian I never had this issue, maybe just run a2dissite default?


Actually, I do not have any manually created vhosts. I guess the reason is the "default_server" word in the default configuration which is generated by Froxlor for the IP. So, disabling the vhost container solved this problem for me. I do not even have a2dissite :)
