
"Could not automatically find a matching server block." on custom nginx configuration #5817

Closed
FedericoBiccheddu opened this issue Apr 3, 2018 · 30 comments

Comments

@FedericoBiccheddu

Using certbot for a custom reverse proxy configuration, I received the following error:

Could not automatically find a matching server block. Set the server_name directive to use the Nginx installer.

My operating system is (include version):

Debian GNU/Linux 9

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

wget https://dl.eff.org/certbot-auto \
    && chmod a+x certbot-auto \
    && mv ./certbot-auto /usr/local/sbin/

I ran this command and it produced this output:

certbot-auto run -n --nginx --expand --no-redirect -d sub.private.com -d www.private2.com -d www.private3.com

Certbot's behavior differed from what I expected because:

This is the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for sub.private.com
tls-sni-01 challenge for www.private2.com
http-01 challenge for www.private3.com
Cleaning up challenges
2018/04/03 13:55:06 [notice] 47#47: signal process started
Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

Here is a Certbot log showing the issue (if available):

[…]
2018-04-03 13:55:06,340:INFO:certbot.auth_handler:tls-sni-01 challenge for sub.private.com
2018-04-03 13:55:06,340:INFO:certbot.auth_handler:tls-sni-01 challenge for www.private2.com
2018-04-03 13:55:06,341:INFO:certbot.auth_handler:http-01 challenge for www.private3.com
2018-04-03 13:55:06,368:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 124, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 968, in perform
    sni_response = sni_doer.perform()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/tls_sni_01.py", line 58, in perform
    vhosts = self.configurator.choose_vhosts(achall.domain, create_if_no_match=True)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 285, in choose_vhosts
    vhosts = [self._vhost_from_duplicated_default(target_name)]
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 330, in _vhost_from_duplicated_default
    default_vhost = self._get_default_vhost(port)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 361, in _get_default_vhost
    raise errors.MisconfigurationError("Could not automatically find a matching server"
MisconfigurationError: Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

2018-04-03 13:55:06,368:DEBUG:certbot.error_handler:Calling registered functions
2018-04-03 13:55:06,368:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-03 13:55:07,607:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1031, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 113, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 297, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 72, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 124, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 968, in perform
    sni_response = sni_doer.perform()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/tls_sni_01.py", line 58, in perform
    vhosts = self.configurator.choose_vhosts(achall.domain, create_if_no_match=True)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 285, in choose_vhosts
    vhosts = [self._vhost_from_duplicated_default(target_name)]
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 330, in _vhost_from_duplicated_default
    default_vhost = self._get_default_vhost(port)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 361, in _get_default_vhost
    raise errors.MisconfigurationError("Could not automatically find a matching server"
MisconfigurationError: Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

server {
    listen 80;

    server_name _;

    return 301 https://$host$request_uri;
}

##
# Custom domains
##
server {
    server_name sub.private.com www.private2.com www.private3.com;

    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/letsencrypt.starteed.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/letsencrypt.starteed.com/privkey.pem; # managed by Certbot
}

server {
    […]
}

server {
    […]
}
@ohemorange ohemorange self-assigned this Apr 4, 2018
@ohemorange
Contributor

Hi @FedericoBiccheddu, thanks for posting! This bug often happens when we have trouble parsing something in the Nginx config file. The following information will help me debug your issue. If you don't feel comfortable posting any of it publicly, feel free to email it to me at erica@eff.org:

  • certbot version, found with certbot-auto --version
  • the results of tree /etc/nginx/
  • the results of nginx -t
  • the full contents of the log you posted a snippet of above
  • the full contents of the nginx config file you posted a shortened version of above
  • the contents of /etc/nginx/nginx.conf if that's a different file from the one you posted above, or the contents of the file mentioned in nginx -t if the root config file is located elsewhere from /etc/nginx/nginx.conf

@aredey

aredey commented Apr 6, 2018

If I may chime in, I have just come across the same problem as quoted in the title.

I ran DigitalOcean's guide successfully in the beginning of March.

When running Step 5 of the guide just now: certbot renew --dry-run I received the same error as the title of this thread:

Attempting to renew cert (mydomein.ext) from /etc/letsencrypt/renewal/mydomein.ext.conf produced an unexpected error: Could not automatically find a matching server block. Set the server_name directive to use the Nginx installer.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomein.ext/fullchain.pem (failure)

My certbot --version is certbot 0.21.1

My tree /etc/nginx/ is (domain edited):
/etc/nginx/
├── conf.d
├── fastcgi.conf
├── fastcgi_params
├── koi-utf
├── koi-win
├── mime.types
├── nginx.conf
├── proxy_params
├── scgi_params
├── sites-available
│   ├── default
│   ├── default.bak
│   └── default.bak1
├── sites-enabled
│   ├── default -> /etc/nginx/sites-available/default
│   └── domain2.com
├── snippets
│   ├── fastcgi-php.conf
│   ├── self-signed.conf
│   ├── snakeoil.conf
│   └── ssl-params.conf
├── uwsgi_params
└── win-utf

nginx -t output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Am happy to share the rest of the configs/diagnostics in private if it helps.

I would be very grateful for any pointers to resolving this issue.

@illustris

Version:
certbot 0.23.0

Tree:

/etc/nginx/
├── conf.d
├── fastcgi.conf
├── fastcgi_params
├── koi-utf
├── koi-win
├── mime.types
├── nginx.conf
├── proxy_params
├── scgi_params
├── sites-available
│   ├── default
│   └── default.save
├── sites-enabled
│   └── default -> /etc/nginx/sites-available/default
├── snippets
│   ├── fastcgi-php.conf
│   └── snakeoil.conf
├── uwsgi_params
└── win-utf

nginx -t:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I have the same problem trying to expand an existing list of domains.

(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxx.com
http-01 challenge for yyy.xxxx.com
tls-sni-01 challenge for aaa.xxxx.com
tls-sni-01 challenge for bbb.xxxx.com
tls-sni-01 challenge for ccc.xxxx.com
http-01 challenge for new.xxxx.com
Cleaning up challenges
Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

@illustris

Traceback with the verbose flag:

Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 73, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 124, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 1032, in perform
    sni_response = sni_doer.perform()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/tls_sni_01.py", line 58, in perform
    vhosts = self.configurator.choose_vhosts(achall.domain, create_if_no_match=True)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 289, in choose_vhosts
    vhosts = [self._vhost_from_duplicated_default(target_name)]
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 334, in _vhost_from_duplicated_default
    default_vhost = self._get_default_vhost(port)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 366, in _get_default_vhost
    raise errors.MisconfigurationError("Could not automatically find a matching server"
MisconfigurationError: Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

Server block from nginx config:

server {
    listen 80;
    server_name new.xxxx.com;
    error_log /var/log/nginx/new_error.log;
    access_log /var/log/nginx/new_access.log;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

@ohemorange
Contributor

These issues are due to configurations we have trouble parsing, so seeing the entire relevant configuration files is necessary to debug. Please send relevant files to erica@eff.org mentioning this issue number in the subject line for further assistance.

@ohemorange
Contributor

One problem here (@aredey's issue) is when there are multiple default server blocks, we aren't sure which to pick, and subsequently fail. I'll fix that up. @FedericoBiccheddu and @illustris, if you send me the contents of all relevant nginx configuration files (including nginx.conf, and anything in sites-available or conf.d) I can check if this is also your issue.

@jaszhix

jaszhix commented May 10, 2018

certbot --version

certbot 0.22.2

tree /etc/nginx

/etc/nginx/
|-- conf.d
|   `-- default -> /etc/nginx/sites-available/default
|-- fastcgi.conf
|-- fastcgi_params
|-- koi-utf
|-- koi-win
|-- mime.types
|-- nginx.conf
|-- proxy_params
|-- scgi_params
|-- sites-available
|   `-- default
|-- sites-enabled
|   `-- default -> /etc/nginx/sites-available/default
|-- snippets
|   |-- fastcgi-php.conf
|   `-- snakeoil.conf
|-- uwsgi_params
`-- win-utf

4 directories, 15 files

nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I am able to share logs/configs privately. I dug into this and got it working by modifying configurator.py. I noticed vhost_list in _get_default_vhost in configurator.py contained my (only) vhost for this server, but it wasn't making its way into default_vhosts. I simply added return vhost_list[0] before the exception raise, and my certificate was able to renew. This was a bit of an emergency for me, and I didn't see the PR at the time - I might be able to test that in a bit on another server. Posting this in case it helps someone.

@ohemorange
Contributor

@jaszhix Sounds like you might have hit a different bug! Could you please email the contents of all relevant log files to erica@eff.org or post them on something like gist.github.com? This would be sites-available/default and nginx.conf

@jaszhix

jaszhix commented May 11, 2018

@ohemorange Sent an email, hope it helps.

@ohemorange
Contributor

@FedericoBiccheddu and @illustris, I'd like to close this issue -- can you confirm that (a) you don't have a server block with a (properly formatted) server_name directive for every domain you're requesting in the certificate, and (b) you do not have exactly 1 server block with a default_server or default directive (so, either 0 or 2 or more).

@FedericoBiccheddu
Author

@ohemorange yes, I confirm.

@illustris

This is my entire config:

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name d1.example.tech;

	location / {
		try_files $uri $uri/ =404;
	}

	listen 80;
}

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name d2.example.tech;

	location / {

		try_files $uri $uri/ =404;
	}

	listen 80;
}

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name example.tech;

	location / {

		try_files $uri $uri/ =404;
	}

	listen 80;
}

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name d3.example.tech;

	location / {

		try_files $uri $uri/ =404;
	}

	listen 80;
}

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name d4.example.tech;

	location / {

		try_files $uri $uri/ =404;
	}

	listen 80;
}

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name d5.example.tech;

	location / {
		try_files $uri $uri/ =404;
	}

	listen 80;
}

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name d6.example.tech;

	location / {
		try_files $uri $uri/ =404;
	}
	listen 80;
}

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name d7.example.tech;

	location / {

		try_files $uri $uri/ =404;
	}

	listen 80;
}

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name d8.example.tech;
	

	location / {

		try_files $uri $uri/ =404;
	}

	listen 80;
}

Out of these, all but d8.example.tech already have certificates generated for them. I downloaded the latest certbot-auto from dl.eff.org and tried to expand my certs:

./certbot-auto --nginx -d example.tech -d d1.example.tech -d d2.example.tech -d d3.example.tech -d d4.example.tech -d d5.example.tech -d d6.example.tech -d d7.example.tech -d d8.example.tech
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/d2.example.tech-0001.conf)

It contains these names: example.tech, d1.example.tech,
d2.example.tech, d3.example.tech, d4.example.tech,
d5.example.tech, d6.example.tech, d7.example.tech

You requested these names for the new certificate: example.tech,
d7.example.tech, d2.example.tech, d1.example.tech,
d6.example.tech, d5.example.tech, d4.example.tech,
d3.example.tech, d8.example.tech.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for example.tech
tls-sni-01 challenge for d7.example.tech
tls-sni-01 challenge for d2.example.tech
tls-sni-01 challenge for d1.example.tech
tls-sni-01 challenge for d6.example.tech
tls-sni-01 challenge for d5.example.tech
tls-sni-01 challenge for d4.example.tech
tls-sni-01 challenge for d3.example.tech
http-01 challenge for d8.example.tech
Cleaning up challenges
Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

Contents of error log:

2018-05-22 02:47:01,047:INFO:certbot.auth_handler:tls-sni-01 challenge for d3.example.tech
2018-05-22 02:47:01,047:INFO:certbot.auth_handler:http-01 challenge for d8.example.tech
2018-05-22 02:47:01,069:DEBUG:certbot.crypto_util:Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0015_key.pem
2018-05-22 02:47:01,108:DEBUG:certbot.crypto_util:Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0016_key.pem
2018-05-22 02:47:01,157:DEBUG:certbot.crypto_util:Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0017_key.pem
2018-05-22 02:47:01,193:DEBUG:certbot.crypto_util:Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0018_key.pem
2018-05-22 02:47:01,285:DEBUG:certbot.crypto_util:Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0019_key.pem
2018-05-22 02:47:01,331:DEBUG:certbot.crypto_util:Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0020_key.pem
2018-05-22 02:47:01,372:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 73, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 124, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 1032, in perform
    sni_response = sni_doer.perform()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/tls_sni_01.py", line 58, in perform
    vhosts = self.configurator.choose_vhosts(achall.domain, create_if_no_match=True)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 289, in choose_vhosts
    vhosts = [self._vhost_from_duplicated_default(target_name)]
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 334, in _vhost_from_duplicated_default
    default_vhost = self._get_default_vhost(port)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 366, in _get_default_vhost
    raise errors.MisconfigurationError("Could not automatically find a matching server"
MisconfigurationError: Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

2018-05-22 02:47:01,373:DEBUG:certbot.error_handler:Calling registered functions
2018-05-22 02:47:01,373:INFO:certbot.auth_handler:Cleaning up challenges
2018-05-22 02:47:02,576:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1315, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1080, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 113, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 297, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 73, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 124, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 1032, in perform
    sni_response = sni_doer.perform()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/tls_sni_01.py", line 58, in perform
    vhosts = self.configurator.choose_vhosts(achall.domain, create_if_no_match=True)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 289, in choose_vhosts
    vhosts = [self._vhost_from_duplicated_default(target_name)]
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 334, in _vhost_from_duplicated_default
    default_vhost = self._get_default_vhost(port)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 366, in _get_default_vhost
    raise errors.MisconfigurationError("Could not automatically find a matching server"
MisconfigurationError: Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

I've sent the complete unedited logs to erica@eff.org

@illustris

illustris commented May 22, 2018

Adding a default server

server {
    listen 80 default_server;
    server_name _;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ =404;
    }
}

fixes the crash. But even without it, my NGINX config is valid.

Edit: Found the problem... One of the domains I was renewing did not have a corresponding server block. It would be helpful if certbot could tell you what domain doesn't have a server block.

@nzjrs

nzjrs commented May 23, 2018

Can confirm the conclusion of @illustris #5817 (comment)

I created a certificate foo.example.com for several domains -d bar.example.com,bob.example.com. The nginx config only has `server_name foo.example.com` listed and certbot crashes as there is no server name corresponding to bar.example.com.

@ohemorange
Contributor

That's a great idea, @illustris, thanks! PR here: #6034.

@bmw
Member

bmw commented May 30, 2018

Fixed in #6034.

@bmw bmw closed this as completed May 30, 2018
@bmw bmw added this to the 0.25.0 milestone May 30, 2018
@dvodvo

dvodvo commented Jun 9, 2018

While this issue is closed, I hit upon this problem just now. I resolved it by replacing commas in between server names within the server_name directive with spaces. nginx -t runs smoothly with the commas but quite clearly certbot does not.

Note: I was wondering why the auto-renewal had not kicked in...

@ohemorange
Contributor

Your Nginx is running without errors, but it is not running smoothly. server_name domain1,domain2 is interpreted by Nginx as a single domain name "domain1,domain2", and instead of hitting that server block, it's falling back to either your default_server block or the first server block in your configuration if you don't have a default_server block specified.
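One way to surface the conditions described in this thread before running certbot: which requested domains have no server block naming them, how many listen directives carry default_server, and any comma-joined server_name values that nginx reads as a single literal name. This is an added example, not certbot's own code; SAMPLE_CONF is a constructed configuration and the parser is a deliberate simplification of the nginx grammar (top-level server blocks, exact and leading-wildcard names, no include handling).

```python
"""Pre-flight check for "Could not automatically find a matching server block".

Added example, not certbot's own code. It applies the two conditions from the
thread: every requested domain needs a server block whose server_name lists it,
and when one does not, certbot can only fall back to duplicating a default block
if exactly one listen directive carries default_server (or the older "default").
It also flags comma-joined server_name values, which nginx treats as one name.

Assumptions of this example: top-level server blocks only, no include
handling, exact and leading-wildcard (*.example.com) names only, no regex names.
"""
import re

# Constructed sample config combining the misconfigurations seen in the thread:
# two default_server blocks and a comma-joined server_name.
SAMPLE_CONF = """
server {
    listen 80 default_server;
    server_name _;
    return 404;
}
server {
    listen 443 ssl;
    server_name sub.private.com,www.private2.com;  # commas: one literal name
    location / { proxy_pass http://127.0.0.1:3000; }
}
server {
    listen 80 default_server;
    server_name d1.example.tech;
}
"""


def server_blocks(conf):
    """Return the body of every top-level `server { ... }` block."""
    blocks = []
    end = 0
    for m in re.finditer(r"\bserver\s*\{", conf):
        if m.start() < end:
            continue  # nested inside a block already consumed
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append(conf[m.end():i - 1])
        end = i
    return blocks


def directives(block, name):
    """Token lists for every `<name> ...;` directive in a block, comments removed."""
    text = re.sub(r"#[^\n]*", "", block)
    return [v.split() for v in re.findall(r"\b%s\s+([^;{}]+);" % name, text)]


def name_matches(name, domain):
    """nginx-style match: exact name, or `*.example.com` covering any subdomain."""
    name, domain = name.lower(), domain.lower()
    if name.startswith("*."):
        return domain.endswith(name[1:])
    return name == domain


def diagnose(conf, domains):
    """Apply the two conditions from the thread and return a report dict."""
    names, comma_names, default_servers = [], [], 0
    for block in server_blocks(conf):
        for tokens in directives(block, "server_name"):
            names.extend(tokens)
            comma_names.extend(t for t in tokens if "," in t)
        for tokens in directives(block, "listen"):
            if "default_server" in tokens or "default" in tokens:
                default_servers += 1
    missing = [d for d in domains if not any(name_matches(n, d) for n in names)]
    return {
        "missing": missing,
        "default_servers": default_servers,
        "comma_names": comma_names,
        # certbot can only duplicate a default block when there is exactly one
        "would_fail": bool(missing) and default_servers != 1,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_CONF, ["sub.private.com", "www.private2.com", "d1.example.tech"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real configuration by passing the concatenated contents of nginx.conf and everything it includes; a non-empty `missing` list names the domains the error message does not.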

@dvodvo

dvodvo commented Jun 12, 2018

I confirm I do not have a default server block. But 'ah, yes...' the application behind is listening to the referrer. Thus, nginx is pointing to one of the domains, routing to the proper application, and then the app is serving up the material properly, therefore masking this issue.

@joshchernoff

Adding a default_server was what fixed this for me.

afgane added a commit to galaxyproject/ansible-cloudlaunch that referenced this issue Jul 19, 2018
Without the default_server definition, recent versions of certbot do not auto-detect the default server block and fail to renew the cert: certbot/certbot#5817
@eitzenbe

eitzenbe commented Nov 18, 2018

Hitting the same issue: Unable to renew cert

nginx site config:

server {
    server_name eci.endthecageage.eu;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/eci.endthecageage.eu/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/eci.endthecageage.eu/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # modern configuration. tweak to your needs.
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;

    # proxy configuration
    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://127.0.0.1:3000;
    }

    # CSS, images and Javascript
    location ~* \.(?:css|js|png)$ {
        expires 30d;
        access_log off;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        # ADAPT to your local installation
        root /srv/openeci/src/public;
        rewrite (.*)$ /$1 break;
    }
}
server {
    if ($host = eci.endthecageage.eu) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;
    return 404; # managed by Certbot
}

console says:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/eci.endthecageage.eu.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for eci.endthecageage.eu
Cleaning up challenges
Attempting to renew cert (eci.endthecageage.eu) from /etc/letsencrypt/renewal/eci.endthecageage.eu.conf produced an unexpected error: Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/eci.endthecageage.eu/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/eci.endthecageage.eu/fullchain.pem (failure)
-------------------------------------------------------------------------------

and log is:

2018-11-18 13:09:45,312:DEBUG:certbot.error_handler:Calling registered functions
2018-11-18 13:09:45,313:INFO:certbot.auth_handler:Cleaning up challenges
2018-11-18 13:09:45,526:DEBUG:certbot_nginx.parser:Could not parse file: /etc/nginx/sites-enabled/default due to Expected {Group:({[<SPC><TAB><CR><LF>] "#" rest of line}) | Group:(Forward: ...) | Group:({[<SPC><TAB><CR><LF>] {Combine:({{quoted string, starting with " ending with " | quoted string, starting with ' ending with '} ")" [Re:('(\\$\\{)|[^{;\\s]')]...}) | Combine:({Re:('[^{};\\s\'\\"]') [Re:('(\\$\\{)|[^{;\\s]')]...}) | quoted string, starting with " ending with " | quoted string, starting with ' ending with '} [{<SPC><TAB><CR><LF> {Combine:({{quoted string, starting with " ending with " | quoted string, starting with ' ending with '} ")" [Re:('(\\$\\{)|[^{;\\s]')]...}) | Combine:({Re:('[^{};\\s\'\\"]') [Re:('(\\$\\{)|[^{;\\s]')]...}) | quoted string, starting with " ending with " | quoted string, starting with ' ending with '}}]... [<SPC><TAB><CR><LF>] Suppress:(";")})} (at char 788), (line:20, col:9)
2018-11-18 13:09:46,563:WARNING:certbot.renewal:Attempting to renew cert (eci.endthecageage.eu) from /etc/letsencrypt/renewal/eci.endthecageage.eu.conf produced an unexpected error: Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.. Skipping.
2018-11-18 13:09:46,570:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 422, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1102, in renew_cert
    _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 113, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 297, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 73, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 124, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1032, in perform
    sni_response = sni_doer.perform()
  File "/usr/lib/python3/dist-packages/certbot_nginx/tls_sni_01.py", line 58, in perform
    vhosts = self.configurator.choose_vhosts(achall.domain, create_if_no_match=True)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 289, in choose_vhosts
    vhosts = [self._vhost_from_duplicated_default(target_name)]
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 334, in _vhost_from_duplicated_default
    default_vhost = self._get_default_vhost(port)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 366, in _get_default_vhost
    raise errors.MisconfigurationError("Could not automatically find a matching server"
certbot.errors.MisconfigurationError: Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx installer.

2018-11-18 13:09:46,571:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-11-18 13:09:46,571:ERROR:certbot.renewal:  /etc/letsencrypt/live/eci.endthecageage.eu/fullchain.pem (failure)
2018-11-18 13:09:46,572:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.23.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1179, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

UPDATE: ADDING more debug output from the parser:

2018-11-18 13:21:32,899:INFO:certbot.auth_handler:Cleaning up challenges
2018-11-18 13:21:33,010:DEBUG:certbot_nginx.parser:Could not parse file: /etc/nginx/sites-enabled/default due to Expected {Group:({[<SPC><TAB><CR><LF>] "#" rest of line}) | Group:(Forward: ...) | Group:({[<SPC><TAB><CR><LF>] {Combine:({{quoted string, starting with " ending with " | quoted string, starting with ' ending with '} ")" [Re:('(\\$\\{)|[^{;\\s]')]...}) | Combine:({Re:('[^{};\\s\'\\"]') [Re:('(\\$\\{)|[^{;\\s]')]...}) | quoted string, starting with " ending with " | quoted string, starting with ' ending with '} [{<SPC><TAB><CR><LF> {Combine:({{quoted string, starting with " ending with " | quoted string, starting with ' ending with '} ")" [Re:('(\\$\\{)|[^{;\\s]')]...}) | Combine:({Re:('[^{};\\s\'\\"]') [Re:('(\\$\\{)|[^{;\\s]')]...}) | quoted string, starting with " ending with " | quoted string, starting with ' ending with '}}]... [<SPC><TAB><CR><LF>] Suppress:(";")})} (at char 784), (line:20, col:9)

Any help GREATLY appreciated as time is ticking ;)

@eitzenbe

eitzenbe commented Nov 18, 2018

For the plagued ones: I have found a workaround that might be helpful for most until the parser has learned to deal with all our customized config files....

BACKUP your site config files
create empty default site config for all the domains you need renewal for

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name www.example.com;
}
service nginx reload # yeah this disables all SSL sites but just for half a minute
certbot renew

RESTORE your BACKUP files

service nginx reload # this brings back up SSL sites with new certs

It makes the SSL sites OFFLINE for max. 1 minute, which is at least for me acceptable every three months ;)

now copy back your default file
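The backup, swap, renew, restore sequence above as a script. This is an added example, not code from the issue or from certbot. It assumes a Debian layout in which nginx.conf includes /etc/nginx/sites-enabled/* and nginx is reloaded through systemctl. The enabled site files (symlinks included) are moved into a sibling directory rather than copied, and the restore plus the final reload sit in a finally block, so a failing nginx -t or a failing certbot run cannot leave the real sites disabled. As eitzenbe notes, the HTTPS sites are still offline for the duration of the renewal.

```python
#!/usr/bin/env python3
"""Added example: the 'temporary bare default server block' workaround as a
script that always puts the real site configs back. The sites-enabled path and
the systemctl/certbot invocations are assumptions about a Debian-style host."""
import os
import subprocess
import tempfile

SITES_ENABLED = "/etc/nginx/sites-enabled"  # assumed Debian layout

_TEMPLATE = """server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name %s;
}
"""


def render_default_block(domains):
    """Bare HTTP-only server block naming every domain to renew.
    nginx separates server_name values with whitespace (a comma would become
    part of the name) and matches them case-insensitively, so normalise here."""
    names = sorted({d.strip().lower() for d in domains if d.strip()})
    if not names:
        raise ValueError("at least one domain is required")
    if any("," in n for n in names):
        raise ValueError("pass domains as separate items, not comma-separated")
    return _TEMPLATE % " ".join(names)


def _run(cmd):
    subprocess.run(cmd, check=True)


def renew_with_temp_default(domains, sites_enabled=SITES_ENABLED, dry_run=False):
    """Move every enabled site aside, serve only the bare block, renew, restore."""
    parent = os.path.dirname(sites_enabled.rstrip("/"))
    # Sibling directory on the same filesystem, so os.rename keeps symlinks as symlinks.
    backup = tempfile.mkdtemp(prefix="sites-enabled.backup-", dir=parent)
    for name in os.listdir(sites_enabled):
        os.rename(os.path.join(sites_enabled, name), os.path.join(backup, name))
    temp_conf = os.path.join(sites_enabled, "zz-certbot-temp-default")
    try:
        with open(temp_conf, "w") as fh:
            fh.write(render_default_block(domains))
        _run(["nginx", "-t"])
        _run(["systemctl", "reload", "nginx"])  # HTTPS sites are offline from here on
        cmd = ["certbot", "renew"]
        if dry_run:
            cmd.append("--dry-run")  # staging CA, certificates are not saved
        _run(cmd)
    finally:
        # Runs whether or not nginx -t / certbot succeeded; no check=True on the
        # reload so a reload failure does not mask the original exception.
        if os.path.exists(temp_conf):
            os.remove(temp_conf)
        for name in os.listdir(backup):
            os.rename(os.path.join(backup, name), os.path.join(sites_enabled, name))
        subprocess.run(["systemctl", "reload", "nginx"])  # brings the SSL sites back
        os.rmdir(backup)


if __name__ == "__main__":
    import sys
    renew_with_temp_default([a for a in sys.argv[1:] if a != "--dry-run"],
                            dry_run="--dry-run" in sys.argv)
```

Run it as root with the domains that need renewal; try it once with --dry-run first, which exercises the whole swap against the staging CA without writing certificates.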

@santekotturi

santekotturi commented Dec 24, 2018

i just ran into this issue but for me it occurred because I had not symlinked the new site I'm working on from sites-available to sites-enabled...

from : https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-hosts-on-ubuntu-16-04

i went too quickly and forgot this step:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

[EDIT] - only mentioning this because this is the first hit when googling "Could not automatically find a matching server block for..." just in case this helps anyone new who lands here. ✌🏼

@BFMarks

BFMarks commented Jan 1, 2019

Same painful issue.

certbot 0.28.0

.
├── Example.io
├── conf.d
├── fastcgi.conf
├── fastcgi_params
├── koi-utf
├── koi-win
├── mime.types
├── modules-available
├── modules-enabled
│   ├── 50-mod-http-geoip.conf -> /usr/share/nginx/modules-available/mod-http-geoip.conf
│   ├── 50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.conf
│   ├── 50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
│   ├── 50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.conf
│   └── 50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.conf
├── nginx.conf
├── proxy_params
├── scgi_params
├── sites-available
│   └── ExampleServer
├── sites-enabled
│   └── Example -> /etc/nginx/sites-available/ExampleServer
├── snippets
│   ├── fastcgi-php.conf
│   └── snakeoil.conf
├── uwsgi_params
└── win-utf

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

@drakmail

drakmail commented Mar 6, 2019

One more case: if you have a domain with capital letters (like domAin.com), certbot will fail with the error. I don't know if it is really an issue, but maybe it will help someone :-)

@bartmika

@illustris THANK YOU!

@DSpeichert

DSpeichert commented Nov 5, 2019

Another edge case is multiple server blocks with default_server on different ports:

server {
    listen       3380 default_server;
    server_name  _;
}

server {
    listen       80 default_server;
    server_name  _;
}

Certbot doesn't know how to handle this and in this case should "prefer" the one on port 80 to modify to be 80/443.

@ohemorange
Contributor

@DSpeichert it does

if len(port_matching_vhosts) == 1:

@guanicoe

guanicoe commented Apr 26, 2020

OK, I don't know if it's relevant to the question asked initially, but I had the same error (see just below), and this GitHub issue was the only relevant result from Google.

error message:
Could not automatically find a matching server block for DOMAIN.COM. Set the `server_name` directive to use the Nginx installer.

My mistake was that the domains declared in the command were not exactly equal to the server_name in the nginx config. Example:

#/etc/nginx/sites-available/myproject
server {
    listen 80;
    server_name domain.com, www.domain.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/sammy/myproject;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/sammy/myproject/myproject.sock;
    }
}

command:

$ sudo certbot --nginx -d domain.com

TL;DR: This threw an error. To fix it, I either had to remove www.domain.com from the nginx config file or add it to the certbot command.

Hope this helps

@Razique

Razique commented Oct 16, 2020

I had the same issue... in my case, the following directive would prevent certbot from detecting the "vhost":

  location / {
    try_files $uri $uri/ /index.php?q=$uri&$args;
  }

After commenting that line, I was able to run the program successfully.
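A pre-flight check for the causes collected in this thread: a site left in sites-available without a symlink (santekotturi), a mixed-case domain (drakmail), a comma in server_name (guanicoe), default_server on more than one port (DSpeichert) and a try_files line with ? and & in it (Razique). It is an added example with its own minimal nginx tokenizer and parser, not certbot's parser, and the sample config is constructed. Two nginx facts it relies on: server_name values are separated by whitespace, so `domain.com,` with the trailing comma is the name nginx actually registered, and names are matched case-insensitively. Regex server names (~...) are listed but not evaluated. As the log earlier in this issue shows, a file certbot itself cannot parse is skipped ("Could not parse file ... (line:20, col:9)"), so its server blocks never become candidates; the line and column in that DEBUG message point at the directive to fix.

```python
"""Added example, not certbot's parser: a pre-flight check that lists the server
blocks in an nginx config and says why a requested domain does not match one.
The sample config is constructed to reproduce cases reported in this thread."""
import re

_TOKEN = re.compile(r'''(?P<ws>\s+)|(?P<comment>\#[^\n]*)|"(?P<dq>(?:[^"\\]|\\.)*)"
    |'(?P<sq>(?:[^'\\]|\\.)*)'|(?P<sym>[{};])|(?P<word>[^\s{};"']+)''', re.VERBOSE)


def tokenize(text):
    """Yield ('sym', c) for { } ; and ('word', s) for everything else; comments are dropped."""
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:  # e.g. an unterminated quote
            raise ValueError("cannot tokenize at offset %d" % pos)
        pos, kind = m.end(), m.lastgroup
        if kind not in ("ws", "comment"):
            yield ("sym" if kind == "sym" else "word", m.group(kind))


def parse(tokens):
    """Return [(name, args, children)]; children is None for a simple directive."""
    toks, pos = list(tokens), 0

    def block():
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] != ("sym", "}"):
            words = []
            while pos < len(toks) and toks[pos][0] == "word":
                words.append(toks[pos][1])
                pos += 1
            if pos == len(toks):
                raise ValueError("directive %r is not terminated" % " ".join(words))
            sym = toks[pos][1]
            pos += 1
            if not words or sym == "}":
                raise ValueError("unexpected %r" % sym)
            if sym == ";":
                items.append((words[0], words[1:], None))
            else:  # '{': recurse, then consume the matching '}'
                children = block()
                if pos == len(toks):
                    raise ValueError("block %r is not closed" % words[0])
                pos += 1
                items.append((words[0], words[1:], children))
        return items

    tree = block()
    if pos != len(toks):
        raise ValueError("unbalanced '}'")
    return tree


def server_blocks(tree):
    """Yield {'server_name': [...], 'listen': [...]} for every server block at any depth."""
    for name, _args, children in tree:
        if children is None:
            continue
        if name != "server":
            yield from server_blocks(children)
            continue
        wanted = [(d, a) for d, a, _ in children if d in ("server_name", "listen")]
        yield {"server_name": [n for d, a in wanted if d == "server_name" for n in a],
               "listen": [" ".join(a) for d, a in wanted if d == "listen"]}


def name_matches(pattern, domain):
    """nginx exact and '*.' wildcard names; regex names (~...) are not evaluated."""
    p = pattern.lower()  # nginx compares names case-insensitively
    if p.startswith("*."):
        return domain.endswith(p[1:])
    return not p.startswith("~") and domain == p


def check_domain(config_text, domain):
    """Return (matching server blocks, warnings) for one domain passed to certbot -d."""
    want, warnings, matches = domain.strip().lower(), [], []
    if domain != want:
        warnings.append("pass %r as %r; mixed case was reported above to break matching" % (domain, want))
    servers = list(server_blocks(parse(tokenize(config_text))))
    if not servers:
        warnings.append("no server block found: is the site linked into sites-enabled?")
    for info in servers:
        for name in info["server_name"]:
            if "," in name:
                warnings.append("server_name %r: nginx splits names on whitespace, "
                                "so the comma is part of the name" % name)
            if name_matches(name, want):
                matches.append(info)
                break
    defaults = [l for s in servers for l in s["listen"] if "default_server" in l]
    if len(defaults) > 1:
        warnings.append("default_server on several listens: %s" % "; ".join(defaults))
    return matches, warnings


SAMPLE_CONFIG = """# constructed sample, not from any real host
server { listen 3380 default_server; server_name _; }
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name domAin.com, www.domain.com;
    location / { try_files $uri $uri/ /index.php?q=$uri&$args; }
}
server { listen 80; server_name "quoted.example" *.wild.example; }
"""
```

Feed it the text of the file nginx actually loads (for a Debian host, the entry in sites-enabled, not the copy in sites-available) and each domain exactly as you pass it to -d. In the constructed sample, www.domain.com matches and domain.com does not, because the name nginx registered is domain.com with the comma attached.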
