certbot instructions fail with ssl_certificate error on clean Ubuntu 20.04 LTS #940

Closed
brookmiles opened this issue May 1, 2022 · 9 comments


brookmiles commented May 1, 2022

I followed the installation instructions pretty much to the letter, and the only hitch was the step "Acquiring a SSL certificate" which failed with the following error (actual host name was used, not example.com):

certbot --nginx -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/mastodon:25
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/mastodon:25\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')

[Update Nov. 17 2022]

I was originally able to pass this step by following these instructions:

posted by @hughrun in #826 (comment)

But there's an even easier way, which also ensures that renewal will work correctly. As has been pointed out, using --standalone at the beginning will cause renewal to fail later because nginx will be running.

We want nginx to be running, but without the mastodon config loaded.

The best time to do this is before you copy the nginx configuration template and restart nginx, but if you're reading this, maybe you've already done that. Remove the link /etc/nginx/sites-enabled/mastodon to disable the mastodon config, and reload nginx.

By running certbot in certonly mode, we can use the nginx mode, renewals will work, and certbot won't mangle your config file.

  1. Run certbot certonly --nginx -d example.com
  2. Copy (or re-enable) the configuration template for nginx per the instructions
  3. Uncomment the ssl_certificate and ssl_certificate_key lines in /etc/nginx/sites-enabled/mastodon
  4. Run nginx -t to test the config, and systemctl reload nginx to reload it

@plgonzalezrx8

Thanks for this. Had the same issue and this solved my problem. I appreciate it.

@arananet

Many thanks, @brookmiles, this saved my day. Your instructions should be on the mastodon instructions as an additional tip. Here https://docs.joinmastodon.org/admin/install/, section, Acquiring a SSL certificate.

@sborrill

As mentioned by @soletan, using --standalone will set the renewal authenticator to standalone. This will fail every time (runs twice a day by default) as standalone mode requires nginx to not be running. Fix is to edit /etc/letsencrypt/renewal/example.com.conf. Alter:
authenticator = standalone
to:

authenticator = nginx
installer = nginx

You can test with: certbot --force-renew renew
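A check for the renewal problem described in the comment above, as an added example that is not part of the original thread or of certbot: it reads a renewal file, reports whether the authenticator is standalone, and applies the edit to `authenticator = nginx` / `installer = nginx`. The function names are hypothetical and the renewal file is a constructed sample in a temporary directory.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample file is constructed.

# Print the authenticator set in a certbot renewal file (empty if none).
renewal_authenticator() {
    sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# Succeed unless the file uses standalone, which fails while nginx is running.
renewal_ok() {
    [ "$(renewal_authenticator "$1")" != "standalone" ]
}

# Apply the edit from the thread: authenticator and installer both nginx.
# Leaves a .bak copy; does nothing if the file is already fine.
fix_renewal() {
    renewal_ok "$1" && return 0
    cp -p "$1" "$1.bak" || return 1
    # Drop any existing installer line, then swap the authenticator line
    # for the two nginx lines.
    sed -e '/^[[:space:]]*installer[[:space:]]*=/d' \
        -e 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*standalone[[:space:]]*$/authenticator = nginx\
installer = nginx/' "$1.bak" > "$1"
}

# Constructed stand-in for /etc/letsencrypt/renewal/example.com.conf
write_sample() {
    cat > "$1" <<'EOF'
cert = /etc/letsencrypt/live/example.com/cert.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

[renewalparams]
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# Demo on a temporary copy; point the loop at /etc/letsencrypt/renewal on a host.
tmp=$(mktemp -d)
write_sample "$tmp/example.com.conf"
for f in "$tmp"/*.conf; do
    if renewal_ok "$f"; then echo "ok: $f"; else echo "standalone: $f"; fix_renewal "$f"; fi
done
echo "authenticator is now: $(renewal_authenticator "$tmp/example.com.conf")"
rm -rf "$tmp"
```
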

@Tron918-AdityaP

@brookmiles thank you for your solution, so simple and quick! (for others just a note: remember when you uncomment change the example.com - your domain!)

@Beheadedstraw

Beheadedstraw commented Dec 22, 2022

Another option is to:
systemctl stop nginx
certbot certonly --standalone -d domain.com
systemctl start nginx

@brookmiles

> Another option is to:
> systemctl stop nginx
> certbot certonly --standalone -d domain.com
> systemctl start nginx

@Beheadedstraw As mentioned by others above, this will work manually, but will cause certbot to fail when it tries to automatically renew because nginx will be running.

@Beheadedstraw

> > Another option is to:
> > systemctl stop nginx
> > certbot certonly --standalone -d domain.com
> > systemctl start nginx
>
> @Beheadedstraw As mentioned by others above, this will work manually, but will cause certbot to fail when it tries to automatically renew because nginx will be running.

Nevermind, didn't think about renewals, my bad on that one, one too many beers tonight XD

@stammy

stammy commented Feb 26, 2023

@sborrill Thanks! Setting installer and authenticator to nginx in the fix you mentioned worked great for me.

@brookmiles

Fixed by #1036
