Let's Encrypt certbot instructions causes an NGiNX error #215

Closed
c0fe opened this issue Jan 20, 2021 · 23 comments · Fixed by #240
Assignees
Labels
bug Something isn't working

Comments

c0fe commented Jan 20, 2021

Description

When using the instructions provided in nginxconfig.io the resulting website configuration causes NGiNX to error out.

Steps to reproduce

Set up a reverse proxy frontend website, set it to create a new certificate, and run the instructions listed.

Screenshots

https://imgur.com/a/zQXXnWF

Expected behavior

Certbot should obtain the cert just fine

Error Message

nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/nextcloud.domain.com.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed

OS Version

Ubuntu 20.04 (all updates installed)

NGiNX Version

1.18 (NGiNX repo)

Website configuration

server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             nextcloud.domain.com;
    root                    /var/www/nextcloud.domain.com;

    # SSL
    #;#ssl_certificate         /etc/letsencrypt/live/nextcloud.domain.com/fullchain.pem;
    #;#ssl_certificate_key     /etc/letsencrypt/live/nextcloud.domain.com/privkey.pem;
    #;#ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.domain.com/chain.pem;

    # security
    include                 nginxconfig.io/security.conf;

    # logging
    access_log              /var/log/nginx/nextcloud.domain.com.access.log;
    error_log               /var/log/nginx/nextcloud.domain.com.error.log warn;

    # index.php fallback
    location ~ ^/api/ {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # reverse proxy
    location / {
        proxy_pass http://192.168.7.204;
        include    nginxconfig.io/proxy.conf;
    }

}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name nextcloud.domain.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://nextcloud.domain.com$request_uri;
    }
}
benoit-ponsero commented

Same error for me today.

Ubuntu 20.04 (all updates installed)

MattIPv4 self-assigned this Jan 28, 2021
MattIPv4 added the bug label Jan 28, 2021
MattIPv4 (Contributor) commented Jan 29, 2021

👋 Hey folks, just taking a look at this, and I'm unable to reproduce the error it seems.

This is on Ubuntu 20.04.1 LTS, with NGINX nginx/1.18.0 (Ubuntu), with this minimal NGINX config.

sed -i -r 's/(listen .*443)/\1;#/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g' /etc/nginx/sites-available/test.v4.wtf.conf

sudo nginx -t && sudo systemctl reload nginx

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

cat /etc/nginx/sites-available/test.v4.wtf.conf

server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             test.v4.wtf;
    root                    /var/www/test.v4.wtf/public;

    # SSL
    #;#ssl_certificate         /etc/letsencrypt/live/test.v4.wtf/fullchain.pem;
    #;#ssl_certificate_key     /etc/letsencrypt/live/test.v4.wtf/privkey.pem;
    #;#ssl_trusted_certificate /etc/letsencrypt/live/test.v4.wtf/chain.pem;

    # security
    include                 nginxconfig.io/security.conf;

    # index.html fallback
    location / {
        try_files $uri $uri/ /index.html;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name test.v4.wtf;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://test.v4.wtf$request_uri;
    }
}

I also recreated the configuration shared in this issue, and saw no issues either:

sed -i -r 's/(listen .*443)/\1;#/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g' /etc/nginx/sites-available/test.v4.wtf.conf

sudo nginx -t && sudo systemctl reload nginx

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

cat /etc/nginx/sites-available/test.v4.wtf.conf

server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             test.v4.wtf;
    root                    /var/www/test.v4.wtf;

    # SSL
    #;#ssl_certificate         /etc/letsencrypt/live/test.v4.wtf/fullchain.pem;
    #;#ssl_certificate_key     /etc/letsencrypt/live/test.v4.wtf/privkey.pem;
    #;#ssl_trusted_certificate /etc/letsencrypt/live/test.v4.wtf/chain.pem;

    # security
    include                 nginxconfig.io/security.conf;

    # logging
    access_log              /var/log/nginx/test.v4.wtf.access.log;
    error_log               /var/log/nginx/test.v4.wtf.error.log warn;

    # index.php fallback
    location ~ ^/api/ {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # reverse proxy
    location / {
        proxy_pass http://127.0.0.1:3000;
        include    nginxconfig.io/proxy.conf;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name test.v4.wtf;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://test.v4.wtf$request_uri;
    }
}

Do y'all have any extra info on at what stage things fail? From what you've provided, it looks like you're seeing the failure when reloading the config after the first sed command that comments out the cert directives, but I just want to confirm that is the case?

c0fe (Author) commented Jan 29, 2021

@MattIPv4 I have used NGiNX from their Ubuntu repo; you can see the instructions on how to install it here:

https://www.nginx.com/resources/wiki/start/topics/tutorials/install/

I run into an issue after running the sed command to comment out the SSL cert location. The reason is that the listen on port 443 is left, but no SSL cert is specified.

MattIPv4 (Contributor) commented

You should be able to bind to port 443 without an SSL cert. It'd only be an issue if listen is set to ssl without an ssl cert defined. The sed command should be commenting out the ssl part, e.g. listen 443;# ssl http2;.

Would you mind sharing the exact nginx configuration file in the state that is failing to validate when restarting nginx?

c0fe (Author) commented Jan 29, 2021

Do you mean the nginx.conf file or the website conf file?

MattIPv4 (Contributor) commented

Whichever file nginx is saying the error is in, I assume the website config file.

c0fe (Author) commented Jan 30, 2021

It is posted in my initial post.

MattIPv4 (Contributor) commented

I have copied that file exactly onto a test machine, and it passes the nginx test/reload:

cat sites-available/test.v4.wtf.conf

server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             nextcloud.domain.com;
    root                    /var/www/nextcloud.domain.com;

    # SSL
    #;#ssl_certificate         /etc/letsencrypt/live/nextcloud.domain.com/fullchain.pem;
    #;#ssl_certificate_key     /etc/letsencrypt/live/nextcloud.domain.com/privkey.pem;
    #;#ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.domain.com/chain.pem;

    # security
    include                 nginxconfig.io/security.conf;

    # logging
    access_log              /var/log/nginx/nextcloud.domain.com.access.log;
    error_log               /var/log/nginx/nextcloud.domain.com.error.log warn;

    # index.php fallback
    location ~ ^/api/ {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # reverse proxy
    location / {
        proxy_pass http://192.168.7.204;
        include    nginxconfig.io/proxy.conf;
    }

}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name nextcloud.domain.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://nextcloud.domain.com$request_uri;
    }
}

sudo nginx -t && sudo systemctl reload nginx

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

c0fe (Author) commented Feb 1, 2021

Where did you get your NGiNX from? Ubuntu's repo or NGiNX's repo?

MattIPv4 (Contributor) commented Feb 1, 2021

I have tested this using the default nginx package from DigitalOcean's Ubuntu mirror, as well as from nginx.org/packages/mainline/ubuntu -- The DigitalOcean distributed version was nginx/1.18.0 (Ubuntu), the direct nginx version was nginx/1.19.6. In both cases, the file passed the nginx test & reload.

c0fe (Author) commented Feb 2, 2021

Very odd, I will try again tomorrow.

MattIPv4 (Contributor) commented Feb 8, 2021

👋 Any updates here -- were you able to reproduce this when you tried again?

c0fe (Author) commented Feb 9, 2021

@MattIPv4 Sorry, I have been out ill; once I get better I'll test.

mcscrad commented Feb 11, 2021

I am having the same issue. For some reason nginx doesn't like
listen 443;

It is like it assumes SSL for some weird reason.

MattIPv4 (Contributor) commented

@mcscrad Please can you share the exact nginx version being used, and the exact config being used that fails the nginx test -- listen 443; should be valid w/o an SSL cert, so something definitely feels amiss here, I'm wondering if an nginx bug.

mcscrad commented Feb 13, 2021

> @mcscrad Please can you share the exact nginx version being used, and the exact config being used that fails the nginx test -- listen 443; should be valid w/o an SSL cert, so something definitely feels amiss here, I'm wondering if an nginx bug.

Could be. I had to change all listen 443; #;# ssl ... to listen 80;, restart nginx, get the certs, then change back to listen 443 ssl and then finally restart again.

krugdenis commented

I've same issue with nginx/1.19.6 on CentOS 7

MattIPv4 (Contributor) commented Mar 3, 2021

@krugdenis Could you share your configuration in the exact state where it fails nginx validation?

krugdenis commented

listen 443; #;# brings an nginx error

MattIPv4 (Contributor) commented

👋 Hey folks, so I've created a PR to try and get around this issue with a couple of tweaks:

  1. Introducing a space between the ; and # in the listen rules, just in case nginx is parsing that badly
  2. Set ssl off; explicitly in all server blocks during the certbot setup -- this rule is deprecated but still supported

If someone who can reproduce the issue described here could test out the build preview in #240 and report back, that'd be ace!

ghbob commented Feb 3, 2023

I'm having the same issue: nginx/1.23.2

It worked fine with a single domain setup.
Now I wanted to add a second domain, so I copied and adapted the domain.conf and wanted to run the LE steps again for it.

And now nginx complains:

nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/domain.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed

Funnily enough, if the new domain is evaluated second the failure does not occur!
e.g. /sites-enabled/a-domain.conf does have the listen 443 ssl;
and z-domain.conf is the one currently being set up => all good.

Could have something to do with this: https://github.com/nginx/nginx/blob/master/src/http/modules/ngx_http_ssl_module.c#L1312

> if no certificates are defined in the default server, check all non-default server blocks

(no idea why though)

@MattIPv4 I'm not sure if this is something that could even be handled but I thought I'd share how I reproduced it.

n8green commented Feb 22, 2023

Experiencing the same when adding multiple domains. Very strange - works fine with 2 domains but when I added a third, one of the first two suffers the aforementioned error.

nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/domain.conf:41
nginx: configuration file /etc/nginx/nginx.conf test failed

Worked around the issue by manually updating the server block to use port 80 temporarily instead

asgrdeu commented Feb 4, 2025

Hi all,

[image]

This problem is actually with the sorting of .conf files: if you have b.conf with SSL set up and a subdomain conf a.conf, you can get this error.
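
ghbob's pointer to the check in ngx_http_ssl_module.c and asgrdeu's note that the order of the .conf files matters describe the same rule, and it can be checked without running nginx -t on the host. The POSIX shell script below is an added example and is not code from nginx or from nginxconfig.io. It reads a directory of vhost files in the same sorted order an `include conf.d/*.conf` line loads them and applies the rule as the linked nginx source implements it: the ssl parameter of listen is merged per address:port across all server blocks, so once any block says `listen 443 ssl` the whole socket is TLS, and the default server for that socket (the first server block for it in include order, or the one marked default_server) must have an ssl_certificate, or ssl_reject_handshake on (available since nginx 1.19.4). The [emerg] names that default server's file and the line of its `server {` opener, which is why the message points at line 1 of a vhost that was just switched to `listen 443;`. The host names, paths and directory layout in the script are constructed for the demonstration; the parser is an approximation (bare ports become *:PORT, other listen addresses are compared as written, the legacy `ssl on;` directive and nested includes are ignored).

```shell
#!/bin/sh
# Added example (not nginx or nginxconfig.io code). nginx merges the ssl
# flag of "listen" per address:port, so one "listen 443 ssl" makes the
# whole socket TLS; the default server for that socket (first block in
# include order, or the one marked default_server) must then carry
# ssl_certificate or ssl_reject_handshake on, and the [emerg] names that
# default server's file and its "server {" line. Checked statically here.
# check_ssl_default_server DIR: reads DIR/*.conf in glob (sorted) order,
# the order "include conf.d/*.conf" loads them. Exit 0 if fine, else 1
# plus an nginx-style message per offending default server.
check_ssl_default_server() {
    awk '
    FNR == 1 { depth = 0 }
    {
        line = $0
        # "#" starts a comment: "listen 443;# ssl http2;" is just "listen 443;"
        i = index(line, "#"); if (i > 0) line = substr(line, 1, i - 1)
        if (depth == 0) {
            if (line ~ /^[ \t]*server[ \t]*[{]/) {
                depth = 1; n++; file[n] = FILENAME; lineno[n] = FNR
            }
            next
        }
        opens = gsub(/[{]/, "{", line); closes = gsub(/[}]/, "}", line)
        if (depth == 1 && opens == 0) {          # directive directly in server {}
            sub(/^[ \t]+/, "", line)
            k = split(line, f, /[ \t;]+/)
            if (f[1] == "listen") {
                addr = f[2]
                if (addr ~ /^[0-9]+$/) addr = "*:" addr   # "listen 443" is *:443
                ssl = 0; dflt = 0
                for (j = 3; j <= k; j++) {
                    if (f[j] == "ssl") ssl = 1
                    if (f[j] == "default_server") dflt = 1
                }
                if (ssl) sslsock[addr] = 1              # socket-wide flag
                if (!(addr in first)) first[addr] = n   # implicit default server
                if (dflt && !(addr in explicit)) explicit[addr] = n
            }
            if (f[1] == "ssl_certificate") hascert[n] = 1
            if (f[1] == "ssl_reject_handshake" && f[2] == "on") reject[n] = 1
        }
        depth += opens - closes
    }
    END {
        rc = 0
        for (addr in sslsock) {
            d = (addr in explicit) ? explicit[addr] : first[addr]
            if (!hascert[d] && !reject[d]) {
                printf "no \"ssl_certificate\" is defined for the \"listen ... ssl\" directive in %s:%d (default server for %s)\n", file[d], lineno[d], addr
                rc = 1
            }
        }
        exit rc
    }' "$1"/*.conf
}
# Constructed vhosts (hypothetical names and paths) reproducing the reports: the
# domain being set up has just had its SSL lines commented out by the sed step
# and sorts BEFORE a vhost that is already on "listen 443 ssl".
write_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bad" "$d/reordered" "$d/pinned"
    cat > "$d/bad/a-new.example.conf" <<'EOF'
server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             a-new.example;
    #;#ssl_certificate         /etc/letsencrypt/live/a-new.example/fullchain.pem;
    #;#ssl_certificate_key     /etc/letsencrypt/live/a-new.example/privkey.pem;
    location / { try_files $uri $uri/ /index.html; }
}
EOF
    cat > "$d/bad/z-old.example.conf" <<'EOF'
server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             z-old.example;
    ssl_certificate         /etc/letsencrypt/live/z-old.example/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/z-old.example/privkey.pem;
}
EOF
    # ghbob's case: identical blocks, but the vhost with a certificate sorts first
    cp "$d/bad/z-old.example.conf" "$d/reordered/a-old.example.conf"
    cp "$d/bad/a-new.example.conf" "$d/reordered/z-new.example.conf"
    # make include order irrelevant: pin the vhost that has a certificate
    cp "$d/bad/a-new.example.conf" "$d/pinned/"
    sed 's/443 ssl http2;/443 ssl http2 default_server;/' \
        "$d/bad/z-old.example.conf" > "$d/pinned/z-old.example.conf"
    printf '%s\n' "$d"
}
demo() {
    d=$(write_demo)
    for c in bad reordered pinned; do
        echo "== $c"; check_ssl_default_server "$d/$c" && echo "ok"
    done
    rm -rf "$d"
}
demo
```

Run it as `sh check.sh` to see the three cases: `bad` reports both *:443 and [::]:443 against a-new.example.conf:1, exactly the shape of the [emerg] in this thread, while `reordered` (the cert-carrying vhost sorts first) and `pinned` (default_server on the cert-carrying vhost) pass. Point `check_ssl_default_server` at /etc/nginx/conf.d or /etc/nginx/sites-enabled before the certbot step to know in advance whether the `listen 443;` trick will survive `nginx -t`; the default_server pin is a way to make the outcome independent of file names.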


8 participants