Hi, I need some help in renewing our SSL certificate.
It says “Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.”
I have followed the steps here (Digital Ocean automatic HTTPS configuration | Passbolt documentation),
but it still failed. Why? We also opened ports 80 and 443 in the Digital Ocean firewall.
I also checked the configuration /etc/nginx/sites-enabled/nginx-passbolt.conf.
What causes this issue?
Hey @nelsondev12 welcome to the forum!
Since you mention renewal, how come you are running the dpkg-reconfigure command? Did the automatic renewal not work correctly?
Typically with the Let’s Encrypt route you just set it once and then it’ll handle the renewals for you
Yes, the auto-renew is not working, and we cannot access the admin since it says "Your connection is not private".
It seems Let's Encrypt servers are not able to reach your server because of a timeout. Did you enable a firewall and open port 80? It is mandatory for Let's Encrypt to be able to auto-renew the certificate.
@AnatomicJC do you mean ufw? When I check the ufw status, it is inactive.
I think about firewall in Digital Ocean.
Something like that: Cloud Firewalls :: DigitalOcean Documentation
I now have a new error after updating the firewall in Digital Ocean.
Here are the firewall settings:
Firewall settings are ok now. Maybe could you restrict ssh access on port 22/TCP to your IP address if you have a static IP address. It will reduce attacks on this port.
Let's Encrypt servers are now able to reach your server, but they don't find the file generated by certbot in https://your.domain/.well-known/acme-challenge/blablabla
You now have an issue with your nginx server settings. You should have the certbot and certbot-nginx packages installed.
It appears your nginx is not well configured to serve /.well-known/acme-challenge path.
Yes we will restrict access only to our IP address.
Not sure what I should change in my nginx configuration, but here is my nginx-passbolt.conf in /etc/nginx/sites-enabled/:
#
# Passbolt.conf - Nginx configuration file to run the Passbolt software.
#
server {
    # Managed by Passbolt
    server_name adminpassbolt.example.com;
    client_body_buffer_size 100K;
    client_header_buffer_size 1K;
    client_max_body_size 5M;
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;
    root /usr/share/php/passbolt/webroot;
    index index.php;
    error_log /var/log/nginx/passbolt-error.log info;
    access_log /var/log/nginx/passbolt-access.log;
    # Managed by Passbolt
    include /etc/passbolt/nginx-ssl.conf;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        fastcgi_intercept_errors on;
        fastcgi_split_path_info ^(.+\.php)(.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SERVER_NAME $http_host;
        fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M";
    }
    #listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/adminpassbolt.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/adminpassbolt.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = adminpassbolt.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 443 ssl http2;
    listen [::]:80;
    server_name adminpassbolt.example.com;
    return 404; # managed by Certbot
}
Not sure why it cannot find it. I reviewed /etc/nginx/sites-enabled/nginx-passbolt.conf;
it already includes the necessary configuration.
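An added diagnostic for the situation discussed in this thread (written for this page; it is not part of any post and not Passbolt's or certbot's code). Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token> over port 80 at whatever address the name resolves to, so a server block that only has `listen [::]:80` answers IPv6 and never sees an IPv4 probe. The script below parses nginx `server { }` blocks and reports, per block, the `listen` directives and whether plain HTTP on IPv4 port 80 is accepted for the domain; the sample config is a constructed, trimmed copy of the one posted above.

```python
import re

# Constructed sample input: the two server blocks from the config posted in this
# thread, trimmed to the directives that matter for an HTTP-01 probe.
SAMPLE_CONF = """
server {
    server_name adminpassbolt.example.com;
    listen 443 ssl;                     # managed by Certbot
    location / { try_files $uri $uri/ /index.php?$args; }
}
server {
    if ($host = adminpassbolt.example.com) { return 301 https://$host$request_uri; }
    listen 443 ssl http2;
    listen [::]:80;
    server_name adminpassbolt.example.com;
    return 404;
}
"""

def server_blocks(conf):
    """Return the body of each top-level server { ... } block (comments stripped)."""
    conf = re.sub(r"#[^\n]*", "", conf)
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0 and conf[:i].rstrip().endswith("server"):
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(conf[start:i])
                start = None
    return blocks

def audit_http01(conf, domain):
    """Report whether some server block named for `domain` accepts plain HTTP on
    IPv4 port 80 (listen 80, *:80 or a.b.c.d:80); an IPv6-only listen does not count."""
    report = {"ok": False, "blocks": []}
    for body in server_blocks(conf):
        names = " ".join(re.findall(r"\bserver_name\s+([^;]+);", body)).split()
        listens = [l.strip() for l in re.findall(r"\blisten\s+([^;]+);", body)]
        entry = {"names": names, "listens": listens,
                 "ipv4_80": any(re.fullmatch(r"(\*:|\d+(\.\d+){3}:)?80(\s.*)?", l) for l in listens),
                 "ipv6_80": any(re.fullmatch(r"\[::\]:80(\s.*)?", l) for l in listens)}
        if domain in names and entry["ipv4_80"]:
            report["ok"] = True
        report["blocks"].append(entry)
    return report

if __name__ == "__main__":
    for b in audit_http01(SAMPLE_CONF, "adminpassbolt.example.com")["blocks"]:
        print(b)
```

Run against the posted config it reports `ok: False`, because the redirect block listens on `[::]:80` only; adding `listen 80;` to that block makes the check pass.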