Help renewing LetsEncrypt certificate.

Status
Not open for further replies.
Joined
Jan 7, 2015
Messages
1,155
If that is all there is, then you don't have anything listening on the default port 80. What do you get when you go to https://www.website.com? Forgive me, I do not speak nginx, so I barely know what I am looking at.
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
Dude, you DO NOT have to apologize, I am EXTREMELY thankful for ANY help you might be able to provide..! THANKS AGAIN..!

When I go to https://www.website.com I get:

403 Forbidden
nginx/1.10.0
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
This is my entire nginx.conf file:

Code:
worker_processes 4;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile off;
    keepalive_timeout 65;
    gzip off;
    ssl_certificate /usr/local/etc/letsencrypt.sh/certs/MYWEBSITE/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt.sh/certs/MYWEBSITE/privkey.pem;

    server {
        listen 443 ssl;
        root /usr/local/www;
        location = /robots.txt { allow all; access_log off; log_not_found off; }
        location = /favicon.ico { access_log off; log_not_found off; }
        location ^~ /owncloud {
            client_max_body_size 131072M;
            error_page 403 /owncloud/core/templates/403.php;
            error_page 404 /owncloud/core/templates/404.php;
            location /owncloud {
                rewrite ^ /owncloud/index.php$uri;
            }
            location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
                deny all;
            }
            location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
                deny all;
            }
            location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|upda
                include fastcgi_params;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param front_controller_active true;
                fastcgi_intercept_errors on;
            }
            location ~* \.(?:css|js)$ {
                try_files $uri /owncloud/index.php$uri$is_args$args;
                add_header Cache-Control "public, max-age=7200";
            }
            location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
                try_files $uri /owncloud/index.php$uri$is_args$args;
            }
        }
    }
}
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
You need to add the location of the .well-known to your config.
Code:
location /.well-known {
    root /usr/local/www;
}
 
Joined
Jan 7, 2015
Messages
1,155
It looks to me like you are only listening on https (port 443). I would bet that certbot is creating the .well-known directory, going out over the web to access it on port 80, and getting the same "forbidden" return that you are. I would say until you have this going I would switch to port 80. What is returned when you go to https://www.website.com/nginx? I would suspect from this config it should return some form of page, as I know we allowed that directory www privileges and there was an index.html file in there. What are the contents of /usr/local/www? Is there an index.html file in there, or just directories?
 
Joined
Jan 7, 2015
Messages
1,155
Code:
Note:
To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
What is returned when you go to https://www.website.com/nginx? I would suspect from this config it should return some form of page. As I know we allowed that directory www privileges and there was an index.html file in there. What are the contents of /usr/local/www ? Is there an index.html file in there? Or just directories?


Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

  • Contents of /usr/local/www (which is NOT where the nginx.conf file is):

Code:
root@ownCloud:/usr/local/www # ll
total 29
drwxr-xr-x   3 root  wheel   3 May 10  2016 .well-known/
lrwxr-xr-x   1 www   www	25 May 10  2016 nginx@ -> /usr/local/www/nginx-dist
dr-xr-xr-x   3 www   www	 6 Jan  6 19:30 nginx-dist/
drwxr-xr-x  16 www   www	31 Jan  6 17:08 owncloud/
lrwxr-xr-x   1 root  wheel  34 May 10  2016 robots.txt@ -> /usr/local/www/owncloud/robots.txt
root@ownCloud:/usr/local/www #


This is where the nginx.conf file is (/usr/local/etc/nginx) and these are the contents:

Code:
root@ownCloud:/usr/local/etc/nginx # ll
total 99
drwxr-xr-x  2 root  wheel	 2 Jan  7 12:23 .well-known/
-rw-r--r--  1 root  wheel  1007 May 10  2016 fastcgi_params
-rw-r--r--  1 root  wheel  1007 May 10  2016 fastcgi_params-dist
-rw-r--r--  1 root  wheel  2837 May 10  2016 koi-utf
-rw-r--r--  1 root  wheel  2223 May 10  2016 koi-win
-rw-r--r--  1 root  wheel  3957 May 10  2016 mime.types
-rw-r--r--  1 root  wheel  3957 May 10  2016 mime.types-dist
-rw-r--r--  1 root  wheel  2190 Jan  7 12:22 nginx.conf
-rw-r--r--  1 root  wheel  2871 May 10  2016 nginx.conf-dist
-rw-r--r--  1 root  wheel  1867 May 10  2016 nginx.conf.save
-rw-r--r--  1 root  wheel   636 May 10  2016 scgi_params
-rw-r--r--  1 root  wheel   636 May 10  2016 scgi_params-dist
-rw-r--r--  1 root  wheel   664 May 10  2016 uwsgi_params
-rw-r--r--  1 root  wheel   664 May 10  2016 uwsgi_params-dist
-rw-r--r--  1 root  wheel  3610 May 10  2016 win-utf
root@ownCloud:/usr/local/etc/nginx #



  • You need to add the location of the .well-known to your config.
    Code:
    location /.well-known {
        root /usr/local/www;
    }

  • I added that to the nginx.conf file and now it looks like this:
Code:
server {
    listen 443 ssl;
    root /usr/local/www;
    location = /robots.txt { allow all; access_log off; log_not_found off; }
    location = /favicon.ico { access_log off; log_not_found off; }
    location /.well-known {
        root /usr/local/www;
    }
    location ^~ /owncloud {
        client_max_body_size 131072M;
        error_page 403 /owncloud/core/templates/403.php;
        error_page 404 /owncloud/core/templates/404.php;
        location /owncloud {
            rewrite ^ /owncloud/index.php$uri;
        }
        location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
        location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|upda
            include fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param front_controller_active true;


and that made no changes, still the same error when I run certbot certonly

 
Joined
Jan 7, 2015
Messages
1,155
nginx-dist is the webroot directory, it would appear; it was most recently modified. See what happens when you use /usr/local/www/nginx-dist as the webroot directory for certbot.
 
Joined
Jan 7, 2015
Messages
1,155
I think the issue still lies in that your server is only listening on port 443 and not listening on 80. Hence when you go to https://website.com/nginx you get a return, but when you go to just www.website.com/nginx you get an error.

Set the nginx.conf (temporarily) to listen on port 80, restart nginx and try to do this certbot process again using /usr/local/www/nginx-dist as the webroot directory.

Also, once you have configured the server to listen on port 80, you should get a return going to www.website.com/nginx.

I feel the issue still is that certbot is getting the same 403 error that you are, so is not completing.
 
Last edited:

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
OK, progress???

After doing the changes and following this:

Set the nginx.conf (temporarily) to listen on port 80, restart nginx and try to do this certbot process again using /usr/local/www/nginx-dist as the webroot directory.

I get this:

Code:
Failed authorization procedure. freenasowncloud.info (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://freenasowncloud.info/.well-known/acme-challenge/anoJwPjl9quUXNs7nBqa3oeq_sURaQ-dufqnhi17rlk: "<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 B"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: freenasowncloud.info
   Type:   unauthorized
   Detail: Invalid response from
   http://freenasowncloud.info/.well-known/acme-challenge/anoJwPjl9quUXNs7nBqa3oeq_sURaQ-dufqnhi17rlk:
   "<html>
   <head><title>400 The plain HTTP request was sent to HTTPS
   port</title></head>
   <body bgcolor="white">
   <center><h1>400 B"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
root@ownCloud:/usr/local/etc/nginx #


Also, when I go to www.website.com/nginx

I get this:

Code:
400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx/1.10.0
 
Joined
Jan 7, 2015
Messages
1,155
Ok. Now it would seem you have some sort of auto forward to https configured. In Apache this is done with a virtualhost file; I'm certain that nginx has something similar. What you want, for now, is to get a website on www.website.com/nginx, or better yet www.website.com. I'm not sure how to tell you to do this. Maybe rename your current config to config.bak and start over with a vanilla config like they have here. Change the root directory over to root /usr/local/www/nginx. I'm sorry that I'm not more experienced in nginx. I think this will never work until you get a website on www.website.com. Once you get a website returning on port 80, you can restore your current config with the correct paths to the ssl certs. Maybe someone more knowledgeable in nginx can shed some light.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
It looks to me like you are only listening on https (port 443). I would bet that certbot is creating the .well-known directory, going out over the web to access it on port 80, and getting the same "forbidden" return that you are.

This is correct. You have to be listening and responding on port 80 for the renewal process to work. Did you not test the renewal process when you set everything up? certbot renew --dry-run

Ok. Now it would seem you have some sort of auto forward to https configured.

I'm betting that it's a browser cache issue on this one. If you don't clear your browser cache after making a change you're going to still be connecting via https.

To get around this whole issue you need to add a server block listening on port 80 and add 2 location blocks: first one for your .well-known directory for your renewal response, and a second one for a redirect to 443 for your site. That way you can leave your config intact, all requests to your site will redirect to https, and your renewal requests will still go out and be answered via http.

This is a sample of my nginx configuration to give you an idea of what I'm talking about. I just set this up today and a dry run test works and the site is still served via https. This server block section would be placed above your current server block that is listening on port 443. I just purchased a domain for my site last night so disregard the multiple server name entries.

Code:
server {
    listen 80;
    server_name boredguy.chickenkiller.com www.boredguy.chickenkiller.com boredguy.showersnet.com www.boredguy.showersnet.com;

    # serve the ACME http-01 challenge files over plain HTTP
    location /.well-known {
        root /usr/local/www/nginx;
    }

    # everything else goes to the https site
    location / {
        return 301 https://boredguy.showersnet.com$request_uri;
    }
}
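A small self-test for the port-80 challenge path, added here as an example and not code from the thread or from certbot: it drops a random token under <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP on port 80 without following redirects, and names the failure the way it showed up in this thread (403 when no location serves /.well-known, 400 "plain HTTP request was sent to HTTPS port" when the port-80 listener is doing TLS). The host name, webroot path and the "ok"/"forbidden" labels are assumptions; a real Let's Encrypt challenge file holds token.thumbprint, not just the token.

```python
"""Dry run of the http-01 webroot path before calling certbot (added example)."""
import http.client
import os
import secrets
import sys

CHALLENGE_DIR = ".well-known/acme-challenge"


def classify(status: int, body: str, token: str) -> str:
    """Map one HTTP response to a diagnosis; pure so it can be unit tested."""
    if status == 200:
        return "ok" if body.strip() == token else "wrong-content"
    if status in (301, 302, 307, 308):
        # Let's Encrypt follows redirects, so this only passes if the
        # https side serves the same /.well-known path.
        return "redirected"
    if status == 400 and "plain HTTP request" in body:
        return "ssl-on-port-80"   # the port-80 server block still has `ssl`
    if status == 403:
        return "forbidden"        # no location block serves /.well-known
    if status == 404:
        return "not-found"        # location block points at the wrong root
    return f"unexpected-{status}"


def probe(host: str, webroot: str) -> str:
    """Write a throwaway token into the webroot, fetch it over http://host/, clean up."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=10)
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
        resp = conn.getresponse()
        return classify(resp.status, resp.read().decode("utf-8", "replace"), token)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # usage: python3 acme_selftest.py example.org /usr/local/www/nginx-dist
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it from inside the jail with the same webroot you hand to certbot; anything other than "ok" (or "redirected" with a working https side) means `certbot renew --dry-run` will fail the same way.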
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
NICE..!!!!!!!!!!! I AM SO HAPPYY..!!! THANKS guys..!

@Jailer
After adding that section, changing the websites, and some more edits, I got the certbot certonly CONGRATULATIONS screen..! :)

@John Digital
THANKS MAN..! I really appreciate all the help you provided; between you and Jailer, you did it..! I LOVE YOU BOTH.!

Now, one last question: how can I make it so that once a month the certificate is renewed? Thanks..
 
Joined
Jan 7, 2015
Messages
1,155
Per the documentation HERE, I'd go about setting up a monthly cronjob to run this command:
Code:
certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
 
Joined
Jan 7, 2015
Messages
1,155
Also, HERE is a related post on what you want to do.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
now, one last question, how can i make it so that once a month the certificate is renewed?

Set up a cron task to run when you see fit. Certbot recommends twice a day, so that's how I set mine up. You set it up in the FreeNAS GUI under "tasks". On the command line enter the following with your jail name listed and it will run automatically.

Code:
jexec yourjailnamewithnospaces csh certbot renew --quiet

Sorry it took me so long to respond, I was busy getting all this figured out today. :)
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
@Jailer
OK, this is how I did it; is it correct? If I understand it right, it should run the command at 9:00am and 8:00pm....

(screenshot of the FreeNAS cron task configuration)
 