linux
Emil Rakhmatullin, 2022-04-07 17:30:52

How to put SSL on a virtual server with Nginx?

I set up a virtual server (site on Nuxt.js, running on http). Installed Certbot. I wanted to issue a Let's Encrypt certificate, but I get an error. What is it talking about?

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my-site.ru
http-01 challenge for www.my-site.ru
Waiting for verification...
Challenge failed for domain my-site.ru
Challenge failed for domain www.my-site.ru
http-01 challenge for my-site.ru
http-01 challenge for www.my-site.ru
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: my-site.ru
   Type:   unauthorized
   Detail: Invalid response from
   https://my-site.ru:443/.well-known/acme-challenge/nYNW-Vx96_2CQMCL7Z5ArzYQNAdwsH-rnkoyaeSOLg
   [2a00:f940:2:1:1:1:0:176]: 404

   Domain: www.my-site.ru
   Type:   unauthorized
   Detail: Invalid response from
   https://www.my-site.ru:443/.well-known/acme-challenge/eCfPCR1MG25SxFuRTkba6hVn45LU_YePcLPhhbT6kA
   [2a00:f940:2:1:1:1:0:176]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.


My nginx config (/etc/nginx/sites-enabled/my-site.ru):
map $sent_http_content_type $expires {
    "text/html"                 epoch;
    "text/html; charset=utf-8"  epoch;
    default                     off;
}


server {
    listen          80;                                 # the port nginx is listening on
    server_name     my-site.ru www.my-site.ru;    # setup your domain here

    gzip            on;
    gzip_types      text/plain application/xml text/css application/javascript;
    gzip_min_length 1000;

    location /.well-known {
        root /var/www/my-site.ru;
    }

    location / {
        expires $expires;

        proxy_redirect                      off;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_read_timeout                  1m;
        proxy_connect_timeout               1m;
        proxy_pass                          http://127.0.0.1:3000; # set the address of the Node.js instance here
    }
}


PS: my-site.ru is used here because I hid the real address.


4 answer(s)
TheAndrey7, 2022-04-07
@TheAndrey7

There should be two listen lines. With port 443, do the same after installing the certificate.

listen          80; # IPv4
listen          [::]:80; # IPv6

location /.well-known {
    root /var/www/my-site.ru;
}

This should lead to the /var/www/html folder (by default). Check what you have specified in the certbot settings, in the webroot-path parameter.

Alexander Karabanov, 2022-04-07
@karabanov

Either set up IPv6 correctly on the server or remove the AAAA record from the DNS.
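
Added example (not part of the question or of any answer): a Python check for the mismatch the first two answers point at, where the name publishes an AAAA record (the Certbot log above shows the request going to an IPv6 address) but nginx has no `listen [::]:80;`. The function names and the sample configs are constructed for illustration; `dns_families` does a live lookup and is not called in the demo.

```python
import re
import socket

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)

def listen_families(nginx_conf, port=80):
    """Address families on which the config accepts connections to `port`."""
    families = set()
    for match in LISTEN_RE.finditer(nginx_conf):
        addr, *params = match.group(1).split()
        if addr.startswith("unix:"):
            continue
        if addr.startswith("["):                  # [::]:80 or [::1]
            host, _, rest = addr.partition("]")
            listen_port = int(rest[1:]) if rest.startswith(":") else 80
            fams = {"ipv6"}
            # nginx opens IPv6 sockets with ipv6only=on unless told otherwise
            if host == "[::" and "ipv6only=off" in params:
                fams.add("ipv4")
        elif addr.isdigit():                      # bare port: IPv4 wildcard
            listen_port, fams = int(addr), {"ipv4"}
        else:                                     # host or host:port, treated as IPv4
            _, _, p = addr.partition(":")
            listen_port, fams = (int(p) if p else 80), {"ipv4"}
        if listen_port == port:
            families |= fams
    return families

def dns_families(hostname):
    """Families the name resolves to (live lookup: A -> ipv4, AAAA -> ipv6)."""
    names = {socket.AF_INET: "ipv4", socket.AF_INET6: "ipv6"}
    infos = socket.getaddrinfo(hostname, 80, type=socket.SOCK_STREAM)
    return {names[i[0]] for i in infos if i[0] in names}

def uncovered(nginx_conf, published, port=80):
    """Published address families that nginx does not listen on for `port`."""
    return set(published) - listen_families(nginx_conf, port)

# Constructed samples: listen lines as in the question and as in the first answer.
CONF = "server {{\n{listen}\n    server_name my-site.ru www.my-site.ru;\n}}\n"
QUESTION_CONF = CONF.format(listen="    listen 80;")
FIXED_CONF = CONF.format(listen="    listen 80;\n    listen [::]:80;")

if __name__ == "__main__":
    published = {"ipv4", "ipv6"}   # assumption: the name has both A and AAAA records
    print("question config misses:", uncovered(QUESTION_CONF, published))
    print("fixed config misses:   ", uncovered(FIXED_CONF, published))
```

An empty result means every published address family reaches this nginx on port 80, which is where the http-01 request starts; dropping the AAAA record (second answer) empties the result as well.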

Drno, 2022-04-07
@Drno

Does DNS resolve this site name correctly at all? It also initially complained that the DNS record does not point to the IP ....

AlexVWill, 2022-04-07
@AlexVWill

Is my-site.ru visible from the outside at all?
As a temporary solution, try issuing the certificate not through automatic authorization but through the standalone option, and by making an ACME record in the domain name registrar's DNS.
Roughly something like this:

sudo certbot certonly --standalone -d mysite.ru  --force-renewal --preferred-chain "ISRG Root X1"
