
Strange reinstallation errors #3752

Closed
ohemorange opened this issue Nov 5, 2016 · 1 comment

@ohemorange
Contributor

From jsha:

Attempting to renew cert from
/etc/letsencrypt/renewal/www.hoffman-andrews.com.conf produced an
unexpected error: Problem in
/etc/nginx/sites-enabled/jacob.hoffman-andrews.com: tried to insert
directive "['ssl_certificate',
'/var/lib/letsencrypt/snakeoil/0011_cert.pem']" but found conflicting
"['ssl_certificate',
'/etc/letsencrypt/live/hoffman-andrews.com/fullchain.pem']".. Skipping.
Attempting to renew cert from
/etc/letsencrypt/renewal/lastbart.at-0001.conf produced an unexpected
error: Account at
/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/06c4ea2fe30100e185fea43f26817312
does not exist. Skipping.
Attempting to renew cert from
/etc/letsencrypt/renewal/jacob.hoffman-andrews.com-0002.conf produced an
unexpected error: Problem in
/etc/nginx/sites-enabled/jacob.hoffman-andrews.com: tried to insert
directive "['ssl_certificate',
'/var/lib/letsencrypt/snakeoil/0012_cert.pem']" but found conflicting
"['ssl_certificate',
'/etc/letsencrypt/live/hoffman-andrews.com/fullchain.pem']".. Skipping.
Attempting to renew cert from
/etc/letsencrypt/renewal/jacob.hoffman-andrews.com.conf produced an
unexpected error: Account at
/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/06c4ea2fe30100e185fea43f26817312
does not exist. Skipping.
Attempting to renew cert from /etc/letsencrypt/renewal/lastbart.at.conf
produced an unexpected error: Account at
/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/06c4ea2fe30100e185fea43f26817312
does not exist. Skipping.
Attempting to renew cert from
/etc/letsencrypt/renewal/jacob.hoffman-andrews.com-0001.conf produced an
unexpected error: Account at
/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/06c4ea2fe30100e185fea43f26817312
does not exist. Skipping.

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/hoffman-andrews.com/fullchain.pem (skipped)
  /etc/letsencrypt/live/redirecthttp.crud.net/fullchain.pem (skipped)
  /etc/letsencrypt/live/crud.net/fullchain.pem (skipped)
  /etc/letsencrypt/live/lastbart.at-0002/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.hoffman-andrews.com/fullchain.pem (failure)
  /etc/letsencrypt/live/lastbart.at-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/jacob.hoffman-andrews.com-0002/fullchain.pem
(failure)
  /etc/letsencrypt/live/jacob.hoffman-andrews.com/fullchain.pem (failure)
  /etc/letsencrypt/live/lastbart.at/fullchain.pem (failure)
  /etc/letsencrypt/live/jacob.hoffman-andrews.com-0001/fullchain.pem
(failure)
server {
    listen 443;
    listen [::]:443;

    listen 80;
    listen [::]:80;

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
    ## listen for ipv6
    server_name jacob.hoffman-andrews.com;
    server_name www.hoffman-andrews.com;
    server_name hoffman-andrews.com;
    client_max_body_size 400M;
    ssl_stapling_verify on;
    ssl_stapling on;
    ssl_trusted_certificate /etc/letsencrypt/live/hoffman-andrews.com/chain.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_certificate_key /etc/letsencrypt/live/hoffman-andrews.com/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/hoffman-andrews.com/fullchain.pem;
    #include conf.d/security-headers.conf;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location /upload/server/php/files {
        location ~ \.php$ {
            return 403;
        }
    }

    location /upload {
        try_files $uri /upload/index.html;
    }

    location ~ /netcomix/[0-9]+/.* {
        default_type image/png;
    }
}
@ohemorange
Contributor Author

Ok cool! So what's happening here is that the config file says listen 443 instead of listen 443 ssl. But that's ok, this is totally valid for your nginx setup because there is another server block listening on 443 over ssl, which makes all server blocks listen on that port over ssl. Which is a behavior that we've recently realized exists. The fix for this should be in parsing vhosts, to post-process them to indicate sslishness based on this nginx behavior.

(For some background, the snakeoil inserting thing shouldn't be happening in the first place, because that happens in _make_server_ssl. Again, good that it's erroring out here.)

Also, we should maybe update the error message to be more helpful, like passing it up a few methods until we know which configuration method it came from rather than the low-level parser.
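The post-processing step described in the comment above, as an added example (not certbot's own code) in Python since that is certbot's language: parse each server block's listen directives, collect the ports any block declares `ssl`, and flag every vhost on one of those ports as SSL so a bare `listen 443` next to a `listen 443 ssl` elsewhere is not treated as plain HTTP. The `Addr`/`VHost` types and the input dict shape are assumptions for the example.

```python
# Added example (not certbot's own code): post-process parsed nginx vhosts
# so that a block with a bare "listen 443" counts as SSL when another block
# on the same port says "listen 443 ssl", which is how nginx behaves.
from dataclasses import dataclass
from typing import List, Set

@dataclass
class Addr:
    host: str   # "" when only a port was given, "[::]" for IPv6 any
    port: str
    ssl: bool   # True only when the listen line itself carries "ssl"

@dataclass
class VHost:
    names: List[str]
    addrs: List[Addr]
    ssl: bool = False  # filled in by mark_ssl_by_port()

def parse_listen(args: str) -> Addr:
    """Parse one 'listen' argument string: '443', '[::]:443', '443 ssl http2'."""
    parts = args.split()
    target, flags = parts[0], parts[1:]
    if target.startswith("["):            # IPv6 literal, e.g. [::]:443
        host, _, port = target.rpartition(":")
        if not host.endswith("]"):        # bare [::] with no port
            host, port = target, "80"
    elif ":" in target:                   # 0.0.0.0:443
        host, port = target.rsplit(":", 1)
    elif target.isdigit():                # 443
        host, port = "", target
    else:                                 # hostname only, default port
        host, port = target, "80"
    return Addr(host, port, "ssl" in flags)

def mark_ssl_by_port(vhosts: List[VHost]) -> Set[str]:
    """Flag every vhost on a port that some vhost declares 'ssl'.
    Keyed on port alone, as the comment above describes; a stricter version
    would key on address:port. Returns the set of SSL ports."""
    ssl_ports = {a.port for v in vhosts for a in v.addrs if a.ssl}
    for v in vhosts:
        v.ssl = any(a.port in ssl_ports for a in v.addrs)
    return ssl_ports

def ssl_vhost_names(blocks: List[dict]) -> List[str]:
    """blocks: constructed [{'names': [...], 'listen': ['443', ...]}, ...]."""
    vhosts = [VHost(b["names"], [parse_listen(l) for l in b["listen"]])
              for b in blocks]
    mark_ssl_by_port(vhosts)
    return [n for v in vhosts if v.ssl for n in v.names]
```

A vhost that comes back flagged already serves TLS on that port, so the snakeoil `ssl_certificate` insertion can be skipped for it instead of colliding with the directive that is already there.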
