A little bit of background; I am a noob hosting a personal mail server, a nextcloud server and nginx on the same VPS. My nextcloud and mail server are working fine, but since I added the webserver, things have gotten borked.
My www.redacted.xyz returns a 404 and redacted.xyz returns a 403… I can not for the life of me figure out why, though I have been having weird port things with Certbot which I describe below that seems to be a contributing factor.
nginx -t -c /etc/nginx/nginx.conf:
root@vultr: nginx -t -c /etc/nginx/nginx.conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/nginx/sites-enabled/redacted
server {
listen 8080 ;
listen [::]:8080 ;
server_name redacted.xyz www.redacted.xyz ;
root /var/www/redacted ;
index index.html index.htm index.nginx-debian.html ;
location / {
try_files $uri $uri/ =404 ;
}
listen [::]:8443 ssl ipv6only=on; # managed by Certbot
listen 8443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/redacted.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/redacted.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Note that I am using 8080 and 8443 instead of 80 and 443 since they seemed to cause issues with Certbot as appended below. using these ports seemed to resolve that issue, but seemingly contribute to this new one.
When i change 8443 to 443 in the sites-enabled file, the www. version of the site suddenly works. Changing from 8080 to 80 still results in a 403 on the non-www. and of course there is no visible change on the client side since I have the site set to redirect to https.
what the heck is going on?
Certbot –nginx
root@vultr: certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: redacted.xyz
2: mail.redacted.xyz
3: www.mail.redacted.xyz
4: www.redacted.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/redacted.xyz.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/redacted
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mail
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mail
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/redacted
nginx: [warn] conflicting server name "redacted.xyz" on [::]:443, ignored
nginx: [warn] conflicting server name "redacted.xyz" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "redacted.xyz" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "redacted.xyz" on [::]:80, ignored
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/redacted
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/mail
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/mail
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/redacted
nginx: [warn] conflicting server name "redacted.xyz" on [::]:443, ignored
nginx: [warn] conflicting server name "redacted.xyz" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "redacted.xyz" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "redacted.xyz" on [::]:80, ignored
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://redacted.xyz,
https://mail.redacted.xyz, https://www.mail.redacted.xyz, and
https://www.redacted.xyz
2
Answers
Well I figured this one out… turns out I had forgotten to set up a cloud. subdomain to use for my Nextcloud server, so it was using
redacted.Xyz
instead.Changed the server name in the server block for Nextcloud to be
cloud.redacted.Xyz
and removedredacted.Xyz
. That cleared up the main issue and it led me to fix the certbot issues!(Now I’m having trouble getting that subdomain to work but that’s for another post lol)
I wonder if it’s an issue with how you’re using certbot. You need one cert that covers both domain names–from the output shared it looks like you are trying to generate two certs, one for each variant of the FQDN. The issue with the ports is likely because certbot wants to use at least port 80 (not sure about 443) to verify the domain and add the cert.