Let's Encrypt installation multitenat

Status
Not open for further replies.

ronthompson

New Member
Dec 5, 2021
8
2
3
59
Thanks very much for pitching in. My only concern that the nano /etc/dehydrated/domains.txt is correct right now...so should i remove them and then do as you say or simply leave it and go ahead.

The web interface is still down at this point, notwithstanding the ssl.

Thx
If you DNS is responding to all your subdomains in your domain.txt file then run it. If your DNS is not responding to any one of them then it will fail. Fix DNS and or remove the failed subdomain.
 

ronthompson

New Member
Dec 5, 2021
8
2
3
59
If you DNS is responding to all your subdomains in your domain.txt file then run it. If your DNS is not responding to any one of them then it will fail. Fix DNS and or remove the failed subdomain.
BTW, make sure you have already setup the subdomains in FusionPBX. Advanced - Domains - Add. Cert has to match the domain name and subdomains. I create a host pbx like host.pbx.com then each tenant, i.e. big.pbx.com little.pbx.com brown.pbx.com fox.pbx.com. Each time I add a new domain I edit the domain.txt file and run the certs again.
 

ronthompson

New Member
Dec 5, 2021
8
2
3
59
If you DNS is responding to all your subdomains in your domain.txt file then run it. If your DNS is not responding to any one of them then it will fail. Fix DNS and or remove the failed subdomain.
If they are correct leave them. But you will need port 443 to point to your FusionPBX before you run it, I don't thin you need 80.
What is wrong with your web interface?
 

viiiwonder

Member
Sep 24, 2022
49
2
8
41
If you DNS is responding to all your subdomains in your domain.txt file then run it. If your DNS is not responding to any one of them then it will fail. Fix DNS and or remove the failed subdomain.
His problem isn't DNS... his problem is that the letsencrypt.sh script is not very good at dealing with changes to the original first domain in your list. He moved from a wildcard cert (which can't be automatically renewed without several more hoops... not stating it's impossible) to several discrete domains. That resulted in a new path for the cert location which is still in the nginx.conf, but no longer exists. The letsencrypt.sh script doesn't handle updating that path if it changes...
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
i appreciate all your help but i am at a dead end. The nginx.conf file has not been change except for two lines which i will paste below. No matter what i do, i always get this error, which was the original wildcard certificate that worked for three months. As far as i can tell,

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

I changed the references in to the correct file structure and rebooted the server, same. I searched for any references in nginx to this path, and cannot find any.

I tried letsencryt.sh again, and i got this error, even i cannot find any references to it in any file, nginx.conf or otherwise in nginx folder.

nginx: [emerg] cannot load certificate "/etc/dehydrated/certs/kooltel.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/dehydrated/certs/kooltel.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

*****************nginx.conf******************************************************************************

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {
server {
listen 98.158.137.114
server_name 98.158.137.114

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

***********************************/etc/nginx/sites-enabled/fusionpbx************************


server {
listen 127.0.0.1:80;
server_name 127.0.0.1;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

client_max_body_size 80M;
client_body_buffer_size 128k;

location / {
root /var/www/fusionpbx;
index index.php;
}

location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}

# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
fastcgi_read_timeout 15m;
}

# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}

server {
listen 80;
server_name fusionpbx;

#redirect letsencrypt to dehydrated
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
auth_basic "off";
alias /var/www/dehydrated;
}

#rewrite rule - send to https with an exception for provisioning
if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) {
rewrite ^(.*) https://$host$1 permanent;
break;
}

#REST api
if ($uri ~* ^.*/api/.*$) {
rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
break;
}

#algo
rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;

#mitel
rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;

#grandstream
rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
#grandstream-wave softphone by ext because Android doesn't pass MAC.
rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;

#aastra
rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;

#yealink
#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;

#polycom
rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";

#cisco
rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;

#Escene
rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;

#Vtech
rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;

#Digium
rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";

#Snom
rewrite "^.*/provision/-([A-Fa-f0-9]{12})?$" /app/provision/index.php?mac=$1;

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

client_max_body_size 80M;
client_body_buffer_size 128k;

location / {
root /var/www/fusionpbx;
index index.php;
}

location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}

# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
fastcgi_read_timeout 15m;
}

# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}

server {
listen 443 ssl;
#listen 443 ssl http2;
server_name fusionpbx;

#ssl_certificate /etc/dehydrated/certs/fusionpbx.mydomain.com/fullchain-1666191791.pem;
#ssl_certificate_key /etc/dehydrated/certs/fusionpbx.mydomain.com/privkey-1666191791.pem;
ssl_protocols TLSv1.2 TLSv1.3;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 2h;
ssl_session_tickets off;

#redirect letsencrypt to dehydrated
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
auth_basic "off";
alias /var/www/dehydrated;
}

#REST api
if ($uri ~* ^.*/api/.*$) {
rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
break;
}

#message media
rewrite "^/app/messages/media/(.*)/(.*)" /app/messages/message_media.php?id=$1&action=download last;

#algo
rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;

#mitel
rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;

#grandstream
rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
#grandstream-wave softphone by ext because Android doesn't pass MAC.
rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;

#aastra
rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;

#yealink
#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;

#polycom
rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";

#cisco
rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;

#Escene
rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;

#Vtech
rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;

#Digium
rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

client_max_body_size 80M;
client_body_buffer_size 128k;

location / {
root /var/www/fusionpbx;
index index.php;
}

location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}

# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
fastcgi_read_timeout 15m;
}

# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}
include /etc/nginx/includes/fusionpbx-domains;
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
Shoot, i thought i replied...but i guess i didnt post it.

I am stuck. i keep getting references to files that done exist from nginix when i try to run the certs again, and i cannot figure out why.

Here is what happened after i ran the commands again. I emptied the domains.txt file and i search with nginx for any references to the errors below and couldnt find any.

i have included nginx.conf and sites-enabled/fusionpbx below.

I am really stuck here.

Please advise.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

root@fusionpbx:~# cd /usr/src/fusionpbx-install.sh/debian/resources/
root@fusionpbx:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt.sh
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (7.74.0-1.3+deb11u2).
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Domain Name: server4.mydomain.com
Email Address: andrew.wells@mydomain.com
Cloning into 'dehydrated'...
remote: Enumerating objects: 2341, done.
remote: Counting objects: 100% (194/194), done.
remote: Compressing objects: 100% (88/88), done.
remote: Total 2341 (delta 118), reused 174 (delta 106), pack-reused 2147
Receiving objects: 100% (2341/2341), 902.18 KiB | 4.16 MiB/s, done.
Resolving deltas: 100% (1471/1471), done.
# INFO: Using main config file /etc/dehydrated/config
+ Account already registered!
# INFO: Using main config file /etc/dehydrated/config
Processing server4.mydomain.com
+ Creating new directory /etc/dehydrated/certs/server4.mydomain.com ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for server4.mydomain.com
+ Found valid authorization for server4.mydomain.com
+ 0 pending challenge(s)
+ Requesting certificate...
+ Using preferred chain with CN = ISRG Root X1
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
nginx: [emerg] cannot load certificate "/etc/dehydrated/certs/mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/dehydrated/certs/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed


+++++++++++++nginx.conf+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {
server {
listen 98.158.137.114
server_name 98.158.137.114

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}



+++++++++++++++++++++++++++/etc/nginx/sites-enabled/fusionpbx++++++++++++++++++++++++++++++++++++++++++++


server {
listen 127.0.0.1:80;
server_name 127.0.0.1;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

client_max_body_size 80M;
client_body_buffer_size 128k;

location / {
root /var/www/fusionpbx;
index index.php;
}

location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}

# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
fastcgi_read_timeout 15m;
}

# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}

server {
listen 80;
server_name fusionpbx;

#redirect letsencrypt to dehydrated
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
auth_basic "off";
alias /var/www/dehydrated;
}

#rewrite rule - send to https with an exception for provisioning
if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) {
rewrite ^(.*) https://$host$1 permanent;
break;
}

#REST api
if ($uri ~* ^.*/api/.*$) {
rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
break;
}

#algo
rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;

#mitel
rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;

#grandstream
rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
#grandstream-wave softphone by ext because Android doesn't pass MAC.
rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;

#aastra
rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;

#yealink
#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;

#polycom
rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";

#cisco
rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;

#Escene
rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;

#Vtech
rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;

#Digium
rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";

#Snom
rewrite "^.*/provision/-([A-Fa-f0-9]{12})?$" /app/provision/index.php?mac=$1;

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

client_max_body_size 80M;
client_body_buffer_size 128k;

location / {
root /var/www/fusionpbx;
index index.php;
}

location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}

# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
fastcgi_read_timeout 15m;
}

# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}

server {
listen 443 ssl;
#listen 443 ssl http2;
server_name fusionpbx;

#ssl_certificate /etc/dehydrated/certs/fusionpbx.mydomain.com/fullchain-1666191791.pem;
#ssl_certificate_key /etc/dehydrated/certs/fusionpbx.mydomain.com/privkey-1666191791.pem;
ssl_protocols TLSv1.2 TLSv1.3;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 2h;
ssl_session_tickets off;

#redirect letsencrypt to dehydrated
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
auth_basic "off";
alias /var/www/dehydrated;
}

#REST api
if ($uri ~* ^.*/api/.*$) {
rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
break;
}

#message media
rewrite "^/app/messages/media/(.*)/(.*)" /app/messages/message_media.php?id=$1&action=download last;

#algo
rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;

#mitel
rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;

#grandstream
rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
#grandstream-wave softphone by ext because Android doesn't pass MAC.
rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;

#aastra
rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;

#yealink
#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;

#polycom
rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";

#cisco
rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;

#Escene
rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;

#Vtech
rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;

#Digium
rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

client_max_body_size 80M;
client_body_buffer_size 128k;

location / {
root /var/www/fusionpbx;
index index.php;
}

location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}

# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
fastcgi_read_timeout 15m;
}

# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}
include /etc/nginx/includes/fusionpbx-domains;
 

viiiwonder

Member
Sep 24, 2022
49
2
8
41
It’s unclear whether these errors are happening when you manually start nginx or when you’re re-running the script.

At this point, I would see if your certs are being created, and then manually update the nginx.conf (and/or includes) with the new cert file names and manually start nginx to see if you get the same error.
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
Sorry i thought i replied, the certs in nginx.conf are as follows


s
root@fusionpbx:~# cd /usr/src/fusionpbx-install.sh/debian/resources/
root@fusionpbx:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt.sh
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (7.74.0-1.3+deb11u2).
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Domain Name: fusionpbx.mydomain.com
Email Address: andrew.wells@mydomain.com
Cloning into 'dehydrated'...
remote: Enumerating objects: 2341, done.
remote: Counting objects: 100% (194/194), done.
remote: Compressing objects: 100% (88/88), done.
remote: Total 2341 (delta 118), reused 174 (delta 106), pack-reused 2147
Receiving objects: 100% (2341/2341), 902.18 KiB | 5.13 MiB/s, done.
Resolving deltas: 100% (1471/1471), done.
# INFO: Using main config file /etc/dehydrated/config
+ Account already registered!
# INFO: Using main config file /etc/dehydrated/config
Processing fusionpbx.kooltel.com
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Jan 21 00:50:09 2023 GMT (Longer than 30 days). Skipping renew!
nginx: [emerg] cannot load certificate "/etc/dehydrated/certs/mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/dehydrated/certs/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

When i go to /etc/nginx/nginx.conf the only two lines that are commented out are:

include /etc/nginx/conf.d/*.conf;------------------------------------------this one is empty when i try to access it
include /etc/nginx/sites-enabled/*;-------------------

#ssl_certificate /etc/dehydrated/certs/fusionpbx.mydomain.com/fullchain-1666191791.pem;
#ssl_certificate_key /etc/dehydrated/certs/fusionpbx.mydomain.com/privkey-1666191791.pem;

The issue is that there is no file /etc/dehydrated/certs/mydomain.com/fullchain.pem

But there is for /etc/dehydrated/certs/fusionpbx.mydomain.com and server4.mydomain.com

Is there any way to fix this as i nginx isnt running and there is no web interface.


1.Should i completely remove dehydrated (if that is possible) and start over....as i believe that since i initially used a wildcard cert for mydomain.com, the config is looking for it, but i have no idea how as i cannot find any reference to it.
 

viiiwonder

Member
Sep 24, 2022
49
2
8
41
Once again, if it were me:

At this point, I would see if your certs are being created, and then manually update the nginx.conf (and/or includes) with the new cert file names and manually start nginx to see if you get the same error.
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
Once again, if it were me:

At this point, I would see if your certs are being created, and then manually update the nginx.conf (and/or includes) with the new cert file names and manually start nginx to see if you get the same error.
i have tried many times, and i get the same error.

Oct 21 13:03:23 fusionpbx systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 21 13:03:23 fusionpbx nginx[3158]: nginx: [emerg] cannot load certificate "/etc/dehydrated/certs/mydomain.com/fullchain.pem": BIO_new_>
Oct 21 13:03:23 fusionpbx nginx[3158]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 21 13:03:23 fusionpbx systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Oct 21 13:03:23 fusionpbx systemd[1]: nginx.service: Failed with result 'exit-code'.
Oct 21 13:03:23 fusionpbx systemd[1]: Failed to start A high performance web server and a reverse proxy server.

++++i believe that it is trying to load certificates from my old setup using a wildcard for mydomain.com....However, that folder is empty and it should be going to /etc/dehydrated/certs/fusionpbx.mydomain.com as mentioned.

I dont know why or how this keeps using this old config when it doesnt exist.

Where can i edit this so it points to the correct folder as i have said i cannot find it anywhere in the etc/nginx folder.
 

viiiwonder

Member
Sep 24, 2022
49
2
8
41
i have tried many times, and i get the same error.

Your posts don't indicate that:
server {
listen 443 ssl;
#listen 443 ssl http2;
server_name fusionpbx;

#ssl_certificate /etc/dehydrated/certs/fusionpbx.mydomain.com/fullchain-1666191791.pem;
#ssl_certificate_key /etc/dehydrated/certs/fusionpbx.mydomain.com/privkey-1666191791.pem;
ssl_protocols TLSv1.2 TLSv1.3;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 2h;
ssl_session_tickets off;

#redirect letsencrypt to dehydrated
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
auth_basic "off";
alias /var/www/dehydrated;
}
If you took a look at the letsencrypt script, you would see that is uses the SED module to do a direct replacement of original default certs in nginx.conf - because you switched from one base domain to another, and you don't have the default strings in nginx.conf, you can run that script til you're blue in the face and it's not going to update the nginx.conf properly. You're going to have to do it manually, and not just comment out the old certs - go put in paths to your new, good ones that get generated after dehyrdrated does its thing.
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
Your posts don't indicate that:

If you took a look at the letsencrypt script, you would see that is uses the SED module to do a direct replacement of original default certs in nginx.conf - because you switched from one base domain to another, and you don't have the default strings in nginx.conf, you can run that script til you're blue in the face and it's not going to update the nginx.conf properly. You're going to have to do it manually, and not just comment out the old certs - go put in paths to your new, good ones that get generated after dehyrdrated does its thing.

Your posts don't indicate that:

If you took a look at the letsencrypt script, you would see that is uses the SED module to do a direct replacement of original default certs in nginx.conf - because you switched from one base domain to another, and you don't have the default strings in nginx.conf, you can run that script til you're blue in the face and it's not going to update the nginx.conf properly. You're going to have to do it manually, and not just comment out the old certs - go put in paths to your new, good ones that get generated after dehyrdrated does its thing.
Thanks viiiwonder, i can tell by your response that you are frustrated but not nearly as me, as i am way past the blue in the face part. I never heard of the SED module, so again, i am a newbie at this as i have exclaimed. I can follow instructions fairly well, and i have reviews the letsencrypt.sh script.
I uncommented the two lines in sites-enabled, and it didnt work. I changed it back to what is was originally, before i made any manual changes to it.

Now i have:
ssl_certificate /etc/dehydrated/certs/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/mydomain.com/privkey.pem;

However, when run the letsencrypt.sh script for fusionpbx.mydomain.com, i still get a similar error:

+ Valid till Jan 21 00:50:09 2023 GMT (Longer than 30 days). Skipping renew!
nginx: [emerg] cannot load certificate "/etc/dehydrated/certs/mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/dehydrated/certs/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

I dont recall manually removing the mydomain.com certs, but i may have in trying to fix it, i am not sure.

I cannot get past this point.
 

hfoster

Active Member
Jan 28, 2019
684
81
28
34
I think this dehydrated script has just confused matters tbh. Forget running it over and over.

1. Check the certificates exist in that directory:
$ sudo ls -la /etc/dehydrated/certs/mydomain.com/

2. Check the config lines in the nginx config are correct:
$ sudo grep ssl_certificate /etc/nginx/sites-enabled/fusionpbx

That should be the only requirement for nginx to pass the config test.

Personally, I would recommend getting a fresh distro and mess around with:

1. Installing nginx
2. Installing certbot or dehydrated (or any of the ACME clients really)
3. Creating an nginx config to host website, that allows certbot to renew a certificate
4. Experimenting with other SSL options like the https://cipherlist.eu/
5. Using cron or systemd timers to renew it automatically and reload nginx upon renewal

Knowing how this stuff works sorts you out for 90% of appliances hosted on Linux. As for 'sed', it's a rudimentary text editor that is used in scripts to replace lines in configs, quite difficult to master but worth spending a night on.
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
I think this dehydrated script has just confused matters tbh. Forget running it over and over.

1. Check the certificates exist in that directory:
$ sudo ls -la /etc/dehydrated/certs/mydomain.com/

2. Check the config lines in the nginx config are correct:
$ sudo grep ssl_certificate /etc/nginx/sites-enabled/fusionpbx

That should be the only requirement for nginx to pass the config test.

Personally, I would recommend getting a fresh distro and mess around with:

1. Installing nginx
2. Installing certbot or dehydrated (or any of the ACME clients really)
3. Creating an nginx config to host website, that allows certbot to renew a certificate
4. Experimenting with other SSL options like the https://cipherlist.eu/
5. Using cron or systemd timers to renew it automatically and reload nginx upon renewal

Knowing how this stuff works sorts you out for 90% of appliances hosted on Linux. As for 'sed', it's a rudimentary text editor that is used in scripts to replace lines in configs, quite difficult to master but worth spending a night on.
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
1. Check the certificates exist in that directory:
$ sudo ls -la /etc/dehydrated/certs/mydomain.com/

They are empty as mentioned, not sure why

2. Check the config lines in the nginx config are correct:
$ sudo grep ssl_certificate /etc/nginx/sites-enabled/fusionpbx

That should be the only requirement for nginx to pass the config test.

ssl_certificate /etc/dehydrated/certs/nydomain..com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/mydomain.com/privkey.pem;

These are the same as in the last post..

I am not tying to create a cert for mydomain.com, I am trying to make a cert for fusionpbx.mydomain.com....

The mydomain.com was from a wildcard cert that i had initially and found out that it was the wrong strategy.

Regarding fresh install, i am trying to avoid that. Moreover, i am not sure that installing nginx will help me with my limited knowledge as it comes installed with freepbx...anyways.

Thanks
 

viiiwonder

Member
Sep 24, 2022
49
2
8
41
The new certs wont be in
/etc/dehydrated/certs/mydomain.com/
after switching to doing subdomain, they will be in the directory named after the first domain in your domains list you provided do the letsencrypt script.

sudo ls -la /etc/dehydrated/certs/
Find the certs, and then update the sites-enabled conf ssl paths.
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
i had tried that previously, this time i also changed the fusionpbx.save file to match it and at least i made some progress; however nginx wont start for the same error below in bold

After letencrypt.sho

# INFO: Using main config file /etc/dehydrated/config
+ Account already registered!
# INFO: Using main config file /etc/dehydrated/config
Processing fusionpbx.mydomain.com
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Jan 21 00:50:09 2023 GMT (Longer than 30 days). Skipping renew!
nginx: [warn] conflicting server name "127.0.0.1" on 127.0.0.1:80, ignored
nginx: [warn] conflicting server name "fusionpbx" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fusionpbx" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
nginx: [warn] conflicting server name "127.0.0.1" on 127.0.0.1:80, ignored
nginx: [warn] conflicting server name "fusionpbx" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fusionpbx" on 0.0.0.0:443, ignored
nginx: [error] invalid PID number "" in "/run/nginx.pid"
root@fusionpbx:/usr/src/fusionpbx-install.sh/debian/resources# cd
root@fusionpbx:~# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2022-10-21 13:03:23 EDT; 6 days ago
Docs: man:nginx(8)
Process: 3158 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
CPU: 41ms

Oct 21 13:03:23 fusionpbx systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 21 13:03:23 fusionpbx nginx[3158]: nginx: [emerg] cannot load certificate "/etc/dehydrated/certs/mydomain.com/fullchain.pem": BIO_new_>
Oct 21 13:03:23 fusionpbx nginx[3158]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 21 13:03:23 fusionpbx systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Oct 21 13:03:23 fusionpbx systemd[1]: nginx.service: Failed with result 'exit-code'.
Oct 21 13:03:23 fusionpbx systemd[1]: Failed to start A high performance web server and a reverse proxy server.
...skipping...
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2022-10-21 13:03:23 EDT; 6 days ago
Docs: man:nginx(8)
Process: 3158 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
CPU: 41ms

Oct 21 13:03:23 fusionpbx systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 21 13:03:23 fusionpbx nginx[3158]: nginx: [emerg] cannot load certificate "/etc/dehydrated/certs/mydomain.com/fullchain.pem": BIO_new_>
Oct 21 13:03:23 fusionpbx nginx[3158]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 21 13:03:23 fusionpbx systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Oct 21 13:03:23 fusionpbx systemd[1]: nginx.service: Failed with result 'exit-code'.
Oct 21 13:03:23 fusionpbx systemd[1]: Failed to start A high performance web server and a reverse proxy server.
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
i have a quick question, when i check the certs of my server, it says they dont need to be renewed until April 12 as i just renewed them manually. However, when i go to SSLlabs.com, it says they are expiring in 6 days...should i worry??????
 

hfoster

Active Member
Jan 28, 2019
684
81
28
34
Don't forget to reload nginx. You'll either want a systemd-timer, cron job or certbot post hook to do this automatically.
 

koolandrew

Member
Aug 5, 2022
42
0
6
44
Hi hfoster, thanks for the reply.

I used systemctl restart nginx to reload it, no change. I rebooted the server, no change when testing using ssllabs.com

Regarding the crontab, i have inserted this a few months ago, but it doesnt look like it works, and i am not sure how to test it.

crontab -e

/tmp/crontab.lFQf9g/crontab
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
14 3 * * 5 /usr/bin/dehydrated -c

I am concerned about the certificates expiring as i know so little about this stuff, and i am sure it will bring in a whole new world of problems.

The strange thing is that when i run it looks good!

dehydrated -x -c
# INFO: Using main config file /etc/dehydrated/config
Processing fusionpbx.mydomain.com
+ Checking expire date of existing cert...
+ Valid till Apr 12 01:43:16 2023 GMT (Longer than 30 days). Ignoring because renew was forced!
 
Status
Not open for further replies.