Another issue I just encountered seems to be that certbot domains and
nginx server names conflict and can't be the same if you just declare
them as strings.
Specifically the config becomes this:
user nginx nginx;
pid /var/run/nginx/pid;
error_log /var/log/nginx/error.log error;
events { }
http {
client_body_temp_path /var/run/nginx/client_body_temp;
proxy_temp_path /var/run/nginx/proxy_temp;
fastcgi_temp_path /var/run/nginx/fastcgi_temp;
uwsgi_temp_path /var/run/nginx/uwsgi_temp;
scgi_temp_path /var/run/nginx/scgi_temp;
access_log /var/log/nginx/access.log;
include
/gnu/store/fz71kvlyhzg6rq0whxr11xbxzfb18igi-nginx-1.23.3/share/nginx/conf/mime.types;
server {
listen 80;
listen 443 ssl;
server_name www.joinjabber.org joinxmpp.org www.joinxmpp.org ;
ssl_certificate /etc/letsencrypt/live/joinjabber.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/joinjabber.org/privkey.pem;
root /srv/http;
index index.html ;
server_tokens off;
location /support {
return 302 "https://chat.joinjabber.org/#/guest?join=support";;
}
return 301 https://joinjabber.org$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name joinjabber.org www.joinjabber.org joinxmpp.org
www.joinxmpp.org ;
root /srv/http;
index index.html ;
server_tokens off;
location /.well-known {
root /var/www;
}
location / {
return 301 https://$host$request_uri;
}
}
}
With certbot adding the second server block. I am going to open a bug
report for all of this. so we can track it.
MSavoritias
On 5/3/24 18:43, Jack Hill wrote:
On Fri, 3 May 2024, MSavoritias wrote:
Hey,
I spent the better part of the day today trying to debug an error
that was happening while deploying a server with two server names in
the nginx field.
My config was:
(service certbot-service-type
(certbot-configuration
(certificates
(list
(certificate-configuration
;; The first domain provided will be the subject CN of the
certificate, and all domains will be Subject Alternative Names on the
certificate.
(domains '("joinxmpp.org" "www.joinxmpp.org")))))))
(service nginx-service-type
(nginx-configuration
(server-blocks
(list (nginx-server-configuration
(server-name '("joinxmpp.org www.joinxmpp.org"))
(ssl-certificate "/etc/certs/joinxmpp.org/fullchain.pem")
(ssl-certificate-key
"/etc/certs/joinxmpp.org/privkey.pem")
(locations
(list
(nginx-location-configuration
(uri "/support")
(body '("return 302
\"https://chat.joinjabber.org/#/guest?join=support\";";)))))))))))
turns out that this cant be deployed at once on the server. although
it is correct. The reason is that certbot/letsencrypt will complain
with the message:
Hint: The Certificate Authority failed to download the temporary
challenge files created by Certbot. Ensure that the listed domains
serve their content from the provided --webroot-path/-w and that
files created there can be downloaded from the internet.
Mind you this error appeared on only one of the domains not both.
This was solved by running the system once with certbot. Then
rebooting with the nginx service. That idea appear to me after i
found a mailing list thread from 5 years ago saying that there is a
dependency cycle between nginx and certbot and they cant run at the
same time the first time.
The reason I am sending an email is because I am not sure if this is
something that could be fixed somehow, or if this is unavoidable and
i should just send a patch revising the docs slightly to suggest that
if an nginx service is used with multiple domains in the server name,
you should start the system once with certbot and then reboot with
nginx.
Hi,
Indeed, this has been an annoyance. However, if I understand your
problem correctly, I'm happy to report that it has now been fixed [0]!
The start-self-signed? filed in certificate-configuration [1] should
allow nginx to start before certbot has had a chance to get a proper
cert signed by providing a structurally valid one for nginx to use.
From the documentation:
start-self-signed? (default: #t)
Whether to generate an initial self-signed certificate during system
activation. This option is particularly useful to allow nginx to start
before certbot has run, because certbot relies on nginx running to
perform
HTTP challenges.
However, that says that the default is #t, but it still doesn't work
for you. I wonder what I'm missing.
Best,
Jack
[0] https://issues.guix.gnu.org/46961#1
[1]
https://guix.gnu.org/en/manual/devel/en/html_node/Certificate-Services.html
