How can I get a trusted certificate from certbot on Nginx?

0

Issue

I am trying to run Certbot on a Laravel Forge server. This is the error I keep receiving

nginx: [emerg] cannot load certificate
"/etc/nginx/ssl/mydomain.ca/1263486/server.crt":
PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM
routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) nginx:
configuration file /etc/nginx/nginx.conf test failed

from my understanding, this means the first line says BEGIN CERTIFICATE rather than TRUSTED CERTIFICATE, how can I get a trusted cert? Nginix config below.

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/before/*;

server {   
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .mydomain.ca;
    server_tokens off;
    root /home/forge/mydomain.ca/;

# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/mydomain.ca/1263486/server.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.ca/1263486/server.key;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers (MY CIPHER HERE)
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/nginx/dhparams.pem;

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

index index.html index.htm index.php;

charset utf-8;

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/server/*;

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt  { access_log off; log_not_found off; }

access_log off;
error_log  /var/log/nginx/mydomain.ca-error.log error;

error_page 404 /index.php;

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

location ~ /\.(?!well-known).* {
    deny all;
}
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/after/*;

Solution

You need to follow these steps:

  1. install certbot package
  2. add a server block for listening to port 80
server {
    listen 80;
    server_name mydomain.ca;

    location ^~ /.well-known/acme-challenge {
        root /home/forge/certbot;
        default_type "text/plain";
        try_files $uri =404;
     }
}
  1. modify certificates paths on your config
ssl_certificate /etc/letsencrypt/live/mydomain.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.ca/privkey.pem;
  1. retrieve certificates by command
certbot certonly --cert-name mydomain.ca -d mydomain.ca -d *.mydomain.ca --webroot --webroot-path /home/forge/certbot
  1. reload nginx config by command
nginx -t && nginx -s reload
  1. add a cron task for renewing certs
0 0 */80 * * certbot renew

Answered By – Aleksey Vaganov

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave A Reply

Your email address will not be published.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More