
Update official install guide for Certbot command #1432

Open
Fireshaded opened this issue Jan 25, 2022 · 2 comments

@Fireshaded

Steps to reproduce the problem

The steps in the official install guide at https://docs.joinmastodon.org/admin/install/ need to have the Certbot command updated.

Using the certbot --nginx -d example.com command fails since the nginx config points to a cert that has not been created yet.

  # Uncomment these lines once you acquire a certificate:
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Document should specify to stop Nginx first with systemctl stop nginx.

Then run certbot as: certbot certonly --standalone -d example.com

Nginx should be able to be restarted, running its config test to make sure the config is valid, with the systemctl start nginx command.

More info on discussion #17372

Expected behaviour

Certbot should be able to create certs for the domain.

Actual behaviour

Certbot causes the Nginx config test to fail, not allowing the cert to be generated.

Specifications

Happens with current version of install guide as of 25-01-2022.

@rubahness

rubahness commented Dec 12, 2022

I ran into the same situation

root@mastodon:~# systemctl reload nginx
Job for nginx.service failed.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
root@mastodon:~# systemctl status nginx.service
Dec 12 07:10:06 mastodon.host.name systemd[1]: Reloading A high performance web server and a reverse proxy server>
Dec 12 07:10:06 mastodon.host.name nginx[197641]: nginx: [emerg] no "ssl_certificate" is defined for the "listen >
Dec 12 07:10:06 mastodon.host.name systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILU>
Dec 12 07:10:06 mastodon.host.name systemd[1]: Reload failed for A high performance web server and a reverse prox>

I resolved it by checking out the SSL server block example from the nginx default site (cat /etc/nginx/sites-available/default):

server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

Then, inspecting the contents of snakeoil.conf (cat /etc/nginx/snippets/snakeoil.conf):

ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

I added these two lines into the part of the mastodon nginx config file where the current commented lines are, replaced the example.com with my domain, then executed the certbot command certbot --nginx -d example.com.

Now, inspecting /etc/nginx/sites-available/mastodon shows two lines basically the same as the commented ones, but not commented out, and with a comment at the end saying "# managed by Certbot". The snakeoil cert references are removed, and this can be double-checked with grep -ic 'snakeoil' /etc/nginx/sites-available/mastodon.

I am running masto behind a reverse proxy, and my sysadmin has suggested that using certbot --standalone would fail without additional intervention to determine the ports used by the standalone server. I didn't attempt that since the steps I outlined above seemed to work, so I can't verify if that is true, but I wanted to call it out as a potential concern for others.

Summary of all steps taken:

  1. cp /home/mastodon/live/dist/nginx.conf /etc/nginx/sites-available/mastodon
  2. ln -s /etc/nginx/sites-available/mastodon /etc/nginx/sites-enabled/mastodon
  3. nano /etc/nginx/sites-available/mastodon
    Replace example.com with my domain and insert ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
  4. systemctl reload nginx
  5. certbot --nginx -d example.com
  6. grep -ic 'snake' /etc/nginx/sites-available/mastodon

Caveats:

  • I don't know if the certbot nginx plugin behavior I observed can be relied on in perpetuity
  • There may be other factors due to my specific setup (minimized ubuntu 22.04, running behind reverse proxy/load balancer, etc)
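Added example, not part of any comment in this thread, of the Mastodon docs, or of the project's own code: a pre-flight shell check for the failure mode the issue and the previous comment both describe. Before systemctl reload nginx it confirms that every active ssl_certificate path really exists (the "no ssl_certificate is defined" and missing-file cases), and it flags a leftover reference to the snakeoil placeholder from the workaround above. The nginx config it writes is constructed and only mimics the template's commented cert lines; the function names active_cert_paths, check_nginx_certs, write_sample_conf and demo are chosen here, not taken from any tool.

```shell
# Pre-flight check for the failure in this thread: nginx refuses to (re)load when an
# active server block names ssl_certificate files that certbot has not created yet.
# Assumes a config in the style of Mastodon's dist/nginx.conf with space-free paths.
# Print the path of every active (uncommented) ssl_certificate / ssl_certificate_key
# directive in an nginx config file, one per line.
active_cert_paths() {
    sed 's/#.*$//' "$1" |
        awk '$1 ~ /^ssl_certificate(_key)?$/ { sub(/;$/, "", $2); print $2 }'
}
# Return 0 only when the config is safe to hand to 'systemctl reload nginx': at least one
# active ssl_certificate directive, every named file readable, no leftover snakeoil reference.
check_nginx_certs() {
    conf=$1
    status=0
    paths=$(active_cert_paths "$conf")
    if [ -z "$paths" ]; then
        echo "$conf: no active ssl_certificate directive (nginx: [emerg] no \"ssl_certificate\" is defined)" >&2
        return 1
    fi
    for p in $paths; do
        [ -r "$p" ] || { echo "$conf: missing $p (issue the cert first, e.g. certbot certonly --standalone)" >&2; status=1; }
        case $p in *snakeoil*) echo "$conf: placeholder snakeoil cert still referenced" >&2; status=1 ;; esac
    done
    return $status
}
# Constructed sample (not the real Mastodon template). The prefix argument "# "
# reproduces the shipped, commented cert lines; "" gives the uncommented state.
write_sample_conf() {   # write_sample_conf <file> <domain> <certdir> <prefix>
    cat > "$1" <<EOF
server {
  listen 443 ssl http2;
  server_name $2;
  # Uncomment these lines once you acquire a certificate:
  ${4}ssl_certificate     $3/fullchain.pem;
  ${4}ssl_certificate_key $3/privkey.pem;
}
EOF
}
demo() {
    dir=$(mktemp -d)
    write_sample_conf "$dir/shipped.conf" example.com "$dir/live" "# "   # as shipped
    write_sample_conf "$dir/early.conf"   example.com "$dir/live" ""     # uncommented too early
    for c in shipped early; do check_nginx_certs "$dir/$c.conf" || true; done   # both rejected
    mkdir -p "$dir/live" && : > "$dir/live/fullchain.pem" && : > "$dir/live/privkey.pem"  # after certbot certonly
    check_nginx_certs "$dir/early.conf" && echo "$dir/early.conf: ok, safe to reload nginx"
    rm -r "$dir"
}
demo
```

Run it against the real file with check_nginx_certs /etc/nginx/sites-available/mastodon before reloading; a non-zero exit reproduces, ahead of time, the reload failure shown in the journal above.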

@nghialele

nghialele commented Jun 25, 2023

I ran into the same problem with nginx today. And this is exactly the same solution I used, but I managed to install it successfully before I saw this post.

Think this should be included in the docs.

Upvote here as a verification.

@renchap renchap transferred this issue from mastodon/mastodon Apr 18, 2024