SOLVED nginx not starting..

Status
Not open for further replies.

jessiem

Member
Feb 11, 2024
Hi, I'm having an issue where nginx just isn't starting, but also isn't giving a specific error code. Attached is what is in the journalctl thing.

1708027987500.png
1708027998921.png
 

cemotyz09

Member
Apr 23, 2020
I believe you want to try
Code:
nginx -t
that should give you the reason why it isn't starting.
 

jessiem

Member
Feb 11, 2024
Next line says it can't find the cert. Double check it's being created by the script and permissions are correct.
This is what I get. I see that it's having some issue thing with resolving. Is there a way I can make it use the DNS server on my network?
1708318367342.png
 

jessiem

Member
Feb 11, 2024
It doesn't throw too much of a fit when I do the multi subdomain method, but it still throws these errors. I admit, I don't really know what I am doing when it comes to the cli side..

Left: domain registrar, Right: debian/FusionPBX server.
1708395199693.png
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
In order for the dns-01 to work, letsencrypt gives you a text based token that you must add to the zone file on your dns server. Letsencrypt then makes a request to look up the dns record for the domain you are trying to obtain the certificate for.
If it sees the token you have put there, then it knows you are the valid owner/controller of that domain.

Dehydrated can do this process automatically, but that generally requires you to write what is known as a dns-hook script. This script knows how to access your dns to update the zone file and how to get the dns server to publish the changes.

So:
1. request a certificate and get the token
2. update your dns zone file with the token
3. tell letsencrypt you have done it
4. letsencrypt checks the token
5. if it is good, the certificate is issued
6. edit the dns zone file and remove the token.

Needless to say this needs to be a real domain and a real dns server on the internet.

PS: resolv.conf could look something like this:
Code:
search mydomain.com
nameserver 208.67.222.222
 

jessiem

Member
Feb 11, 2024
What I'm working with is a real domain. However, despite several attempts, it can never seem to find the record it's looking for. This system is not facing the open internet. My goal was to do DNS locally (like it is for literally every single other client on my network), and sort of force it to find the right record by manually pointing it to the internal IP of my DNS server.

What is additionally confusing to me is the use of the term "file" after DNS Zone. My records are either managed locally, or in my registrar. None of which is a "file".
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
Unless Letsencrypt can access your DNS records via a public DNS server like 8.8.8.8, dns-01 validation is not going to work.

I use the term zone file because the most popular dns server on the internet is called bind, and bind stores its configuration in zone files that are located in /var/cache/bind. These are just pure text files, nothing special, and very easy for something like sed (stream editor) to add a token to the file (and also remove it again) whilst also updating the serial number in the file.
 
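The dns-01 steps from the earlier post and the "sed on a zone file" approach just described, as an added example that is not part of the thread, of dehydrated, or of FusionPBX. It is a minimal dehydrated-style hook in POSIX shell: deploy_challenge appends the _acme-challenge TXT record and bumps the SOA serial, clean_challenge removes the record and bumps the serial again. The zone file path, the domain mydomain.com, the SOA layout and the token value are all constructed for the example; dehydrated's deploy_challenge/clean_challenge calling convention is real, everything else is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread, dehydrated or FusionPBX: a minimal
# dehydrated-style dns-01 hook that edits a BIND zone file the way the posts
# describe (add the _acme-challenge TXT token, bump the serial, remove it later).
# Assumptions (all constructed): zone file path, domain mydomain.com, and an SOA
# whose serial line carries a "; serial" comment.
set -eu

# Hypothetical path; on a real BIND host this would be something like
# /var/cache/bind/db.mydomain.com. Defaults to a temp file so the demo runs anywhere.
ZONE_FILE="${ZONE_FILE:-$(mktemp)}"

# Constructed sample zone so the script runs offline.
write_sample_zone() {
    cat > "$ZONE_FILE" <<'EOF'
$TTL 3600
@    IN SOA ns1.mydomain.com. hostmaster.mydomain.com. (
         2024021501 ; serial
         3600       ; refresh
         900        ; retry
         604800     ; expire
         300 )      ; minimum
@    IN NS  ns1.mydomain.com.
ns1  IN A   203.0.113.10
EOF
}

current_serial() {
    awk '/; serial/ { print $1 }' "$ZONE_FILE"
}

# Secondaries and caches only notice a change when the serial grows,
# so every edit increments it.
bump_serial() {
    awk '/; serial/ { sub(/[0-9]+/, sprintf("%d", $1 + 1)) } { print }' "$ZONE_FILE" > "$ZONE_FILE.tmp"
    mv "$ZONE_FILE.tmp" "$ZONE_FILE"
}

# Number of _acme-challenge TXT records currently present for a domain.
txt_record_count() {
    awk -v name="_acme-challenge.$1." '$1 == name && $4 == "TXT" { n++ } END { print n + 0 }' "$ZONE_FILE"
}

# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# For dns-01 only DOMAIN and TOKEN_VALUE matter (TOKEN_FILENAME is for http-01).
deploy_challenge() {
    domain="$1"; token_value="$3"
    printf '_acme-challenge.%s. 60 IN TXT "%s"\n' "$domain" "$token_value" >> "$ZONE_FILE"
    bump_serial
    # A real hook would now reload the zone (rndc reload) and then poll a public
    # resolver, e.g. dig @8.8.8.8 _acme-challenge.$domain TXT, until the token is
    # visible: Let's Encrypt never queries an internal LAN resolver.
}

# dehydrated calls: hook.sh clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
    domain="$1"
    awk -v name="_acme-challenge.$domain." '$1 != name' "$ZONE_FILE" > "$ZONE_FILE.tmp"
    mv "$ZONE_FILE.tmp" "$ZONE_FILE"
    bump_serial
}

case "${1:-demo}" in
    deploy_challenge|clean_challenge) "$@" ;;   # invoked by dehydrated
    demo)
        write_sample_zone
        deploy_challenge mydomain.com unused EXAMPLE_TOKEN_VALUE
        echo "--- zone with challenge record (serial $(current_serial)) ---"; cat "$ZONE_FILE"
        clean_challenge mydomain.com unused EXAMPLE_TOKEN_VALUE
        echo "--- cleaned (serial $(current_serial)) ---"; cat "$ZONE_FILE"
        ;;
    *) ;;   # other dehydrated stages (deploy_cert, ...) are no-ops in this example
esac
```

On a real host you would point ZONE_FILE at the BIND zone, configure the script as dehydrated's HOOK, and fill in the reload-and-verify step where the comment says so. That verification against a public resolver is the crux of this thread: a token that only the LAN's DNS server answers for will never be seen by the CA.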

jessiem

Member
Feb 11, 2024
Ah, okay. Is there a way I could make nginx run without requiring the whole Let's Encrypt thing? I'm not too concerned about non-https traffic accessing the web ui of the demo instance that I'm trying.
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
Yes, by default, nginx has a certificate/key pair called snakeoil, which is merely a self-signed certificate; nothing wrong with using it.
Code:
    #ssl                     on;
    ssl_certificate         /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key     /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers             HIGH:!ADH:!MD5:!aNULL;
 

jessiem

Member
Feb 11, 2024
Am I doing something wrong?
1708546058172.png
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
They are the lines you would have in the nginx site configuration file:
/etc/nginx/sites-available/fusionpbx

Code:
server {
    listen 443 ssl;     # "ssl on;" is deprecated in current nginx; the ssl flag goes on listen
    server_name fusionpbx;
    ssl_certificate         /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key     /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
}

I think you have a very steep learning curve ahead of you:)
 
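A complete snakeoil-backed server block in the form current nginx accepts, as an added example that is not from the thread or from FusionPBX. Besides printing the site file, it lints a copy of the snippet as posted for "ssl on;" (deprecated in nginx 1.15.0, removed in 1.25.1) and for TLSv1/TLSv1.1. The snakeoil paths are Debian's defaults from the ssl-cert package; the server_name and the root/location blocks a real site file carries are assumptions left as a comment.

```shell
#!/bin/sh
# Added example, not code from the thread or FusionPBX: a self-signed HTTPS site
# for nginx using Debian's ssl-cert "snakeoil" pair, in syntax current nginx
# accepts, plus a lint for the directives in the posted snippet that newer nginx
# rejects or that weaken TLS. Assumed: the snakeoil paths below, server_name.
set -eu

SNAKEOIL_CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem
SNAKEOIL_KEY=/etc/ssl/private/ssl-cert-snakeoil.key

# Prints the server block. "ssl on;" was deprecated in nginx 1.15.0 and is
# rejected from 1.25.1, so the ssl flag belongs on the listen directive.
# TLSv1 and TLSv1.1 are left out; browsers no longer negotiate them.
render_site_config() {
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name fusionpbx;

    ssl_certificate         $SNAKEOIL_CERT;
    ssl_certificate_key     $SNAKEOIL_KEY;
    ssl_protocols           TLSv1.2 TLSv1.3;
    ssl_ciphers             HIGH:!ADH:!MD5:!aNULL;

    # keep the site's own root/index/location (php-fpm) blocks here
}
EOF
}

# The snippet as posted in the thread, written to a file so it can be linted.
write_legacy_sample() {
    cat > "$1" <<'EOF'
server {
    listen 443;
    server_name fusionpbx;
    ssl                     on;
    ssl_certificate         /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key     /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

# One line per finding; no output means the file passed.
lint_tls_directives() {
    f="$1"
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "$f: 'ssl on;' is deprecated/removed; use 'listen 443 ssl;' instead"
    fi
    if grep -Eq '^[[:space:]]*ssl_protocols[[:space:]].*TLSv1(\.1)?[[:space:];]' "$f"; then
        echo "$f: ssl_protocols still enables TLSv1 and/or TLSv1.1"
    fi
    if grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]*;' "$f" \
       && ! grep -Eq '^[[:space:]]*ssl[[:space:]]+on' "$f"; then
        echo "$f: 'listen 443;' without ssl serves plain HTTP on port 443"
    fi
    true
}

# Run on the server itself: confirm the key pair exists, then let nginx validate
# the whole configuration (nginx -t, as suggested earlier in the thread).
check_on_host() {
    for p in "$SNAKEOIL_CERT" "$SNAKEOIL_KEY"; do
        [ -e "$p" ] || { echo "missing $p: install the ssl-cert package"; return 1; }
    done
    if command -v nginx >/dev/null 2>&1; then nginx -t; else echo "nginx is not installed here"; fi
}

case "${1:-demo}" in
    demo)
        legacy=$(mktemp); write_legacy_sample "$legacy"
        echo "--- findings in the snippet as posted ---"; lint_tls_directives "$legacy"
        render_site_config > "$legacy.new"
        echo "--- findings in the corrected site (none expected) ---"; lint_tls_directives "$legacy.new"
        rm -f "$legacy" "$legacy.new"
        ;;
    check)  check_on_host ;;
    render) render_site_config ;;   # e.g. sh site.sh render > /etc/nginx/sites-available/fusionpbx
esac
```

The "render" mode writes the file the earlier reply describes under /etc/nginx/sites-available/fusionpbx; "check" is what to run before restarting, since a missing key file or a leftover deprecated directive both show up in nginx -t long before journalctl.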

jessiem

Member
Feb 11, 2024
I do indeed have a very steep learning curve since I don't know anything about Linux. I got used to freepbx, and I've decided to go to something a bit more difficult, while completely underestimating the learning curve and installation and management process. I do thank you for all of the help that you've generously provided.

It doesn't look like it accepted the code. At the end of the last screenshot it says "no such file" (looking in journalctl -xeu nginx.service)
1708547769289.png
1708547806921.png
1708547829235.png
1708547857666.png
1708547886712.png
1708547907408.png
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
I think your nginx installation is still trying to use (parts of) dehydrated. I'm not sure what you did in the first place to enable this, so it is difficult for me to tell you how to remove it.
Having said that, your screenshot does show nginx failing to open /etc/dehydrated/certs/hadaller.ca/fullchain.pem. This is part of the problem, but because you no longer require Letsencrypt certificates it will be safe to remove all references to dehydrated from your nginx configuration.

Look at all the config files under /etc/nginx and comment out (with a # at the beginning of the line) all lines that make reference to dehydrated, then try starting it again.
 
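The "look at all the config files under /etc/nginx" step, as an added example that is not from the thread or from FusionPBX: a shell audit that lists uncommented references to dehydrated, lists ssl_certificate and ssl_certificate_key paths that do not exist on disk (the "No such file" that journalctl reports), and can comment the offending lines out with backups kept outside the config tree. The sample tree, its file contents and the example.invalid domain are constructed; on the server you would run it with NGINX_DIR=/etc/nginx.

```shell
#!/bin/sh
# Added example, not code from the thread or FusionPBX: audit an nginx config tree
# for (a) live references to dehydrated and (b) certificate paths nginx cannot
# open, then comment the dehydrated lines out with backups kept outside the tree.
# Assumptions: NGINX_DIR defaults to a constructed temp tree so the demo runs
# anywhere; the domain example.invalid in the sample is a placeholder.
set -eu

NGINX_DIR="${NGINX_DIR:-$(mktemp -d)}"
# Never inside $NGINX_DIR: "include sites-enabled/*;" would load .bak files too.
BACKUP_DIR="${BACKUP_DIR:-$(mktemp -d)}"

# Constructed sample tree mimicking the layout listed in the thread.
build_sample_tree() {
    mkdir -p "$1/conf.d" "$1/sites-available" "$1/sites-enabled"
    printf 'http {\n    include /etc/nginx/sites-enabled/*;\n}\n' > "$1/nginx.conf"
    cat > "$1/sites-available/fusionpbx" <<'EOF'
server {
    listen 443 ssl;
    server_name fusionpbx;
    ssl_certificate     /etc/dehydrated/certs/example.invalid/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/example.invalid/privkey.pem;
    # ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
}
EOF
    ln -sf ../sites-available/fusionpbx "$1/sites-enabled/fusionpbx"
}

# Regular files only: sites-enabled entries are normally symlinks into
# sites-available, and editing the target keeps the link intact.
config_files() {
    find "$1" -type f ! -name '*.tmp'
}

# file:line:text for every uncommented line mentioning $2.
find_references() {
    config_files "$1" | while read -r f; do
        grep -HnE "^[^#]*$2" "$f" || true
    done
}

# ssl_certificate / ssl_certificate_key paths that nginx will fail to open.
missing_cert_files() {
    config_files "$1" | while read -r f; do
        awk '/^[^#]*ssl_certificate(_key)?[ \t]/ { p = $2; sub(/;$/, "", p); print FILENAME ":" FNR ":" p }' "$f"
    done | while IFS=: read -r file line path; do
        [ -e "$path" ] || echo "$file:$line: $path (No such file or directory)"
    done
}

# Prefix every uncommented line mentioning $2 with "# " after copying the file
# to $BACKUP_DIR. Follow up with: nginx -t && systemctl restart nginx
comment_out_references() {
    config_files "$1" | while read -r f; do
        grep -qE "^[^#]*$2" "$f" || continue
        cp -p "$f" "$BACKUP_DIR/$(printf '%s' "$f" | tr '/' '_')"
        awk -v pat="^[^#]*$2" '$0 ~ pat { $0 = "# " $0 } { print }' "$f" > "$f.tmp"
        cat "$f.tmp" > "$f"      # write through the same inode so permissions are kept
        rm -f "$f.tmp"
        echo "commented out '$2' lines in $f (backup in $BACKUP_DIR)"
    done
}

case "${1:-demo}" in
    demo)
        build_sample_tree "$NGINX_DIR"
        echo "--- live references to dehydrated ---";         find_references "$NGINX_DIR" dehydrated
        echo "--- certificate files nginx cannot open ---";  missing_cert_files "$NGINX_DIR"
        comment_out_references "$NGINX_DIR" dehydrated
        echo "--- after: $(find_references "$NGINX_DIR" dehydrated | wc -l | tr -d ' ') live references remain ---"
        ;;
    scan) find_references "$NGINX_DIR" dehydrated; missing_cert_files "$NGINX_DIR" ;;
    fix)  comment_out_references "$NGINX_DIR" dehydrated ;;
esac
```

"scan" answers the question the thread's screenshots were trying to answer by eye, and does it for sites-enabled entries through their sites-available targets; "fix" does the commenting-out step and leaves the backups where nginx's include glob will not pick them up.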

jessiem

Member
Feb 11, 2024
I think this is what might be messing with things? I've attached both before and after I commented it out. (I hope I did it correctly.)

Evidently, it wasn't. When I tried to start it it exited with the same error, and I have sifted through the following directories, and can't find any mentions of dehydrated, anywhere.

  • conf.d (empty)
  • fastcgi.conf (no references)
  • koi-utf (no references)
  • koi-win (no references)
  • modules-available (no references)
  • modules-enabled (no references)
  • nginx.conf (no references)
  • proxy_params (no references)
  • scgi_params (no references)
  • sites-available (no references)
  • sites-enabled > fusionpbx (pictured below)
  • ssl (no references)
  • uwsgi_params (no references)
  • win-utf (no references)
Last image is contents of nginx.
I might just be tempted to try to re-install everything and try again.
1708646282710.png
1708646382838.png
1708646845502.png
 