Build instructions seem out of order in https://docs.joinmastodon.org/admin/install/ #857

Closed
jarofgreen opened this issue Jan 30, 2021 · 19 comments · Fixed by #1252

Comments

@jarofgreen

jarofgreen commented Jan 30, 2021

Expected behaviour

Install should work by following steps in https://docs.joinmastodon.org/admin/install/

Actual behaviour

Node and Yarn

The instructions say to add Node.js and Yarn Ubuntu package sources - obviously cos you want the latest versions. That's fine but:

A)

After adding the Node.js package, nothing actually installs it. Don't you want a "apt-get install -y nodejs" here?

B)

After adding the Yarn package again nothing actually installs it. Worse, in the "apt install -y " step yarn is included, so you end up with the old version of yarn.

I got the error: "yarn: error: no such option: --pure-lockfile"

To solve this I had to


apt-get remove yarn
apt-get update
apt-get install yarn

Certbot

The instructions say: "Then edit /etc/nginx/sites-available/mastodon to replace example.com with your own domain name, .... Reload nginx for the changes to take effect:"

Reloading fails with "no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/mastodon:25" which is fair enough.

The certbot command then fails because of this.

To fix, I backed up /etc/nginx/sites-available/mastodon, edited it to remove the whole SSL block, ran certbot fine, then restored the backup and commented in the 2 lines pointing to the cert.

(After this, I had an odd issue where the usual nginx restart command wouldn't work because ports were already in use. I had to manually kill nginx processes and then start them.)

Steps to reproduce the problem

Just trying to install Mastodon on my own server, using https://docs.joinmastodon.org/admin/install/

Specifications

Ubuntu 20 LTS

v3.3.0

@florosgpl

I came here to report the same issue about yarn (running on Debian 10).
You should add the yarn repo link before installing yarn, or else apt will substitute yarn with the cmdtest package.
So, run this

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list

before

apt update
apt -y \
  long \
  package \
  list

This might be the one reason why my instance failed to load yesterday on one of my VMs. I am building it again and will report back if there's a problem.
I think that one of the envars is removing /sbin from the root's $PATH, but again Debian had this issue sometimes on the root user.

@xeruf
Contributor

xeruf commented Mar 3, 2021

Yeah, just encountered the certbot issue as well:

Commented out:

❯ certbot --nginx -d <domain>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/mastodon:25
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/mastodon:25\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')

Uncommented:

❯ certbot --nginx -d <domain>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/<domain>/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/<domain>/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] cannot load certificate "/etc/letsencrypt/live/<domain>/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/<domain>/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')
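
The two `nginx -t` failures quoted above can be detected before certbot is run. The following preflight check is an added example, not part of the thread or the Mastodon docs; the function names, the sample config and the `social.example` domain are constructed for illustration.

```shell
#!/bin/sh
# Added example: report why "nginx -t" would reject a site config before
# "certbot --nginx" is run against it.

# Print every ssl_certificate / ssl_certificate_key path in config $1 that is
# not a readable file. Commented-out directives are ignored.
missing_tls_files() {
    sed -e 's/#.*//' "$1" |
    awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
             sub(/;.*/, "", $2); print $2 }' |
    while IFS= read -r path; do
        [ -r "$path" ] || printf '%s\n' "$path"
    done
}

# Exit 0 when config $1 has a "listen ... ssl" directive but no active
# ssl_certificate directive (the first error quoted in the thread).
ssl_listen_without_cert() {
    active=$(sed -e 's/#.*//' "$1")
    printf '%s\n' "$active" |
        grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:];]|$)' || return 1
    printf '%s\n' "$active" |
        grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]' && return 1
    return 0
}

# Constructed sample: a cut-down site file with the certificate lines still
# commented out. Paths live under directory $1 so nothing real is touched.
write_sample_conf() {
    cat > "$1/mastodon" <<EOF
server {
  listen 443 ssl http2;
  server_name social.example;
  # ssl_certificate     $1/live/social.example/fullchain.pem;
  # ssl_certificate_key $1/live/social.example/privkey.pem;
}
EOF
}

# Summarise the state of config $1 in one line.
preflight() {
    if ssl_listen_without_cert "$1"; then
        echo "ssl listener without certificate"
    elif [ -n "$(missing_tls_files "$1")" ]; then
        echo "certificate files missing"
    else
        echo "ok"
    fi
}
```

On a real host the argument would be `/etc/nginx/sites-available/mastodon`; either non-ok result means the nginx plugin will refuse to run until the certificate files exist or the SSL block is disabled.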

@xeruf
Contributor

xeruf commented Mar 3, 2021

Better workaround than above: First obtain the certificate, then enable the site.

@xeruf
Contributor

xeruf commented Mar 3, 2021

Never mind - that modifies the "default" site

@hughrun

hughrun commented Apr 27, 2021

The simplest way to fix the nginx problem is to run certbot in certonly --standalone mode before enabling nginx. We already know where the certificates will be saved and what they will be called (as long as 'example.com' is changed to the real URL in the certificate path first). This means the certificates are in place as soon as you start nginx. The only issue is to ensure nginx isn't already running when you run certbot, otherwise there will be a conflict on port 80.

@5HT2

5HT2 commented May 30, 2021

Bumping, the latter issue seems to be a pretty big oversight and shouldn't be too hard to fix in the instructions. I'd open a pull myself but I'm not sure which solution is preferable.

Personally I fixed it by deleting everything after line 25 in the config, running certbot, then re-adding the deleted server {} block and reloading nginx.

@tyteen4a03

I just ran into this issue. This really needs to be fixed ASAP.

@haakony

haakony commented Oct 26, 2021

Still an issue.

@phurwicz

phurwicz commented Jan 5, 2022

This issue still exists. I needed to comment out the whole HTTPS block before running certbot --nginx -d example.com.

@Realitaetsverlust

Thanks @L1ving for the workaround, that worked flawlessly. But I also feel that this should really be fixed as it makes the installation unnecessarily complicated.

@senisioi

Yep, still an issue, the docs should have:

# edit /etc/nginx/sites-available/mastodon to replace example.com with your own domain name
# uncomment ssl_certificate and ssl_certificate_key
sudo service nginx stop
certbot certonly --standalone -d your_domain_name
sudo service nginx start

@vekee

vekee commented Nov 15, 2022

@xeruf
I don't know how to fix this issue.

But I edited the ssl_certificate and ssl_certificate_key to point to a temporary one, then ran certbot --nginx -d example.com, and got a successfully deployed certificate.

Step 1

# edit /etc/nginx/sites-available/mastodon
# edit ssl_certificate and ssl_certificate_key to an existing one
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

Step 2

# run the deploy certificate command
certbot --nginx -d example.com

Step 3

# edit /etc/nginx/sites-available/mastodon
# edit ssl_certificate and ssl_certificate_key to your deployed certificate
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Step 4

# reload nginx for the changes
systemctl reload nginx

@simonft

simonft commented Nov 20, 2022

FYI, if you've used the certonly --standalone I think you'll need to update the renewal cron to make sure it's stopping/restarting the nginx server, otherwise renewals will fail since the standalone server won't be able to listen on port 80.

@burntout

burntout commented Nov 21, 2022

Hi,

I have just installed mastodon in the last couple of days. For the most part everything was fine. And I think the docs are super.

I had 3 issues ...

  1. the version of ruby in the docs was wrong (but I see this is fixed in the last day or so, so no worries!)
  2. the nginx won't start because of certbot which won't work because of nginx is still a thing, though I think this above is a great solution
  3. Elasticsearch integration doesn't work as described, because ES now has https + basic auth as a default

Otherwise... thanks for the code!

@tomtom94

root@mastodon:~# certbot certonly --standalone -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "example.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy

@trwnh
Member

trwnh commented Dec 17, 2022

@tomtom94 Change example.com to the actual domain name you are using

@tomtom94

@trwnh I am using VirtualBox and I just wanna resolve example.com in my local /etc/hosts just for fun

@ineffyble
Member

@tomtom94 LetsEncrypt won't work then, you need a publicly resolvable domain name to get a LetsEncrypt certificate

@KTachibanaM
Contributor

KTachibanaM commented Jul 7, 2023

The nginx problem exists for Proxying object storage through nginx as well.

I followed #857 (comment) for workaround but later I also had to modify the renewal configuration in /etc/letsencrypt/renewal to use

[renewalparams]
...
authenticator = nginx
installer = nginx
...

in order to make automatic renewal work.
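
The renewal caveats raised in the last few comments (standalone renewals need port 80 free; switching the renewal config to the nginx authenticator avoids that) can be checked per certificate. This audit is an added example, not code from the thread or from certbot; the function names and the sample file are constructed, and it only reads hooks stored in the renewal file itself.

```shell
#!/bin/sh
# Added example: flag certbot renewal configs that use the standalone
# authenticator without hooks that free port 80 for the renewal.

# Print the value of key $2 from the [renewalparams] section of file $1.
renewal_param() {
    awk -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# Classify renewal config $1. Only hooks stored in the file are considered;
# scripts under /etc/letsencrypt/renewal-hooks/ are not inspected.
renewal_verdict() {
    auth=$(renewal_param "$1" authenticator)
    pre=$(renewal_param "$1" pre_hook)
    post=$(renewal_param "$1" post_hook)
    case $auth in
        standalone)
            if [ -n "$pre" ] && [ -n "$post" ]; then
                echo "standalone with hooks"
            else
                echo "standalone without hooks: renewal collides with nginx on port 80"
            fi ;;
        nginx|webroot) echo "$auth: nginx keeps running during renewal" ;;
        *) echo "unknown authenticator: ${auth:-none}" ;;
    esac
}

# Constructed sample renewal file at path $1 using authenticator $2.
write_sample_renewal() {
    cat > "$1" <<EOF
cert = /etc/letsencrypt/live/social.example/cert.pem
[renewalparams]
authenticator = $2
EOF
}
```

On a real host, run `renewal_verdict` over each file in `/etc/letsencrypt/renewal/`.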
