-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
certbot with nginx fails if directives are already defined #5199
Comments
@ohemorange, can you take a look at this? |
Thanks for getting in touch! This is a design decision that we've made to most gracefully handle interacting with the configuration options people have already set; we don't know if we can safely overwrite your existing directive, but we need the directive to be set to 128. If you would like to use Certbot's Nginx installer, you can change your directive to say 128 as well, then Certbot will work as expected. Otherwise, you'll want to use a different authenticator and installer. |
The problem isn't that cerbot is setting the directive to something other than what I have used, it's that certbot is duplicating an existing directive. Even with As a simple test, if I forget certbot for a moment and add the following two lines to
Then I check the configuration syntax:
So nginx will fail a configuration check if the same directive is defined twice regardless of the value of that directive. This means that if you need to set |
That's true, because of the way we currently handling needing to push updates regarding server directives for certificates that have already been installed. We're currently working to update our update mechanism, which should remove the current restriction, making the set of configs we can handle automatically more expansive. For now, if you're ok with having Certbot set |
I can't remove that line from my configuration though because nginx won't start without it being increased from the default, which is why I added it in the first place (before I started using certbot). If I'm understanding this correctly, the situation is that the nginx plugin won't work if the following are true:
Unfortunately that is true for my setup. |
I think there has been some misunderstanding here. When performing domain validation challenges required by the server, Certbot's Nginx plugin may need to set Because of only checking the main nginx.conf file, the value you set in In an earlier post, you said:
If you've moved this directive to your main Nginx config file and I hope this helps! I'm reopening this issue as I think there was a misunderstanding about the part of the plugin causing the problem here, but if I'm mistaken, please tell me I'm wrong and close the issue again. |
The bug is that the plugin logic is simply doing a search on the Whilst moving everything to |
I agree that is the bug. Unfortunately, setting this value in your main nginx configuration file or not setting it all are the two workarounds until this is fixed. |
This happened to us while moving from apt-installed certbot to certbot-auto.
From this file:
And now it appends it inside virtualhost file after the line:
But during the upgrade certbot-auto didn't update contents of this file: I guess certbot-auto doesn't overwrite old files in /etc/, but is there a way to force update of configs or fix missing? I.e. I rename old config file, run update and certbot-auto grabs up-to-date version of config file? |
I don't know if this bug is still being worked on or is still relevant, but for the benefit of anyone who runs into it my workaround is: Generate initial certificate using: Create a cronjob with the following content to automatically renew certificates and then reload the web server so that it picks up the new certs:
The other change you need to make is for your HTTP
I found that without the above, the renewal would fail because I would be auto-redirecting from HTTP to HTTPS and that seemed to break LetsEncrypt (not sure why). I've been running the above for several months now, including through multiple renewal cycles, without any problems. |
I have the same, or similar issue. If it's a different issue I can re-post.
This is caused because I have, in my default config, used a listen option ( nginx does not allow two The only way I could get it to work was by removing this server optimisation. |
@artfulrobot, this is a different issue which was fixed in #6223, so look for it in upcoming versions of certbot. |
To help us better see what issues are still affecting our users, this issue has been automatically marked as stale. If you still have this issue with an up-to-date version of Certbot and are interested in seeing it resolved, please add a comment letting us know. If there is no further activity, this issue will be automatically closed. |
Fixing this should be easier once the Nginx parser rewrite is done. |
I have got the same problem with a "server_names_hash_bucket_size 64" directive in one of my nginx configuration file and my letsencrypt certificates were due to renewal. |
In my case I solved this issue by moving the "server_names_hash_bucket_size 64" directive from my nginx configuration file in /etc/nginx/sites-available to /etc/nginx/nginx.conf file. |
Today, by mere chance, I came across this issue (I would call it a bug, in spite of the developers above not really considering it a bug), as 'mysteriously' a certificate was due to renewal and, well, didn't renew — while it had done so consistently for many, many months. IMFNSHO, there is a design concept failure here: while understandably A much better alternative, assuming that you don't want to have
This should return 1 if the command fails; or return 0 and be empty if that configuration directive is not present (thus making it safe for In any case, a much better alternative would be just testing out if setting Anyway, thanks to @pwaring for raising this issue; I would be utterly confused about how to 'fix' things if nobody had ever reported it before... |
Thanks @GwynethLlewelyn . As mentioned above, this is indeed a bug which we intend to address following the rewrite of the Nginx parser. Until then, setting the value in Moving forward, please be sure that your comments on this project adhere to the EFF Public Projects Code of Conduct. |
I'm going through some of my outstanding issues and noticed that this one has been open for 3+ years now without a resolution (which isn't a criticism, it's an open source project at the end of the day and I certainly don't have the time or skills to fix it). Is it worth closing this issue to keep the number of open issues manageable? |
Speaking strictly for myself, since the workaround is so simple, I guess that this issue could be closed... |
Closing this issue as it hasn't received any updates. |
Ha... I'm sorry... But I met the issue today, and found it is really historical.
So, after reading above posts, I realized certbot will add this directive also. |
This issue is still relevant, especially if you're doing Certbot on ElasticBeanstalk without a load balancer to handle TLS/SSL. The EB way to nginx configuration does not really cope well with modifying So there is no other option than putting it into That produces the dilemma seen above, where certbot fails, because the config is invalid (double directive), I solved this issue by running the deploy script twice, once without |
Thanks, @alexd2580 - I have run into this exact problem on ElasticBeanstalk and am unable to use the workaround mentioned above since |
It works after I remove the server_names_hash_bucket_size directive from /etc/nginx/conf.d/*.conf and then add it to the main /etc/nginx/nginx.conf. |
Would scanning /etc/nginx/nginx.conf for include statements be considered if submitted as a PR? |
Still a problem for me. I just intalled Certbot on Ubuntu 22.04 using nginx and I get the errors when getting the cert for the first time: certbot --nginxSaving debug log to /var/log/letsencrypt/letsencrypt.log Which names would you like to activate HTTPS for? 1: myurl.ddns.net Select the appropriate numbers separated by commas and/or spaces, or leave input nginx -tnginx: the configuration file /etc/nginx/nginx.conf syntax is ok Any advice is appreciated Thanks |
I have a similar problem: nginx -tnginx: the configuration file /etc/nginx/nginx.conf syntax is ok Which names would you like to activate HTTPS for? 1: myurl.ddns.net Select the appropriate numbers separated by commas and/or spaces, or leave input Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. nginx -tnginx: the configuration file /etc/nginx/nginx.conf syntax is ok Any advice much appreciated. |
Hi again, |
My operating system is (include version):
Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-96-generic x86_64)
nginx version: nginx/1.10.3 (Ubuntu)
certbot version: 0.17.0
I installed Certbot with (certbot-auto, OS package manager, pip, etc):
Package manager (apt) using the certbot PPA (
ppa:certbot/certbot
). The package I installed was:python-certbot-nginx
.I ran this command and it produced this output:
Certbot's behavior differed from what I expected because:
I expected the certificate to be created. I've run the same command (
certbot certonly --nginx -d [domain]
) on another machine without any problems.The issue seems to be that certbot adds a
server_names_hash_bucket_size 128;
entry to thenginx.conf
file that it tries to generate (I'm assuming it shuts down nginx, starts a new instance, gets the certificates and then restarts the system nginx?). However, I've already definedserver_names_hash_bucket_size 64;
in/etc/nginx/conf.d/01-server-names.conf
. As a result, nginx fails to restart because there are two definitions of the same directive.If I run
nginx -t
on my configuration without certbot then it returns:So I think the problem is with certbot, rather than my configuration. All my sites load correctly as well when I'm not using certbot.
Here is a Certbot log showing the issue (if available):
Logs are stored in
/var/log/letsencrypt
by default. Feel free to redact domains, e-mail and IP addresses as you see fit.Contents of
/var/log/letsencrypt/letsencrypt.log
:Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:
I'm not sure if this is relevant as the failure is before nginx gets to the server block, but here it is (I've commented out the HTTPS block as I'm generating the certificate first, then enabling HTTPS, rather than letting certbot update the configuration files for me. This is intentional as I don't want certbot to overwrite files which are in my configuration management system).
The text was updated successfully, but these errors were encountered: