SOLVED nginx not starting..
- Thread starter jessiem
- Start date
-
- Tags
- nginx nginxservice
- Status
Next line says it can't find the cert. Double check it's being created by the script and permissions are correct.
This is what I get. I see that it's having some issue thing with resolving. Is there a way I can make it use the DNS server on my network?
In order for the dns-01 to work, letsencrypt gives you a text based token that you must add to the zone file on your dns server. Letsencrypt then makes a request to lookup the dns record for the domain you are trying to obtain the certificate for.
If it see the token you have put there, then it knows you are the valid owner/controller of that domain.
Dehydrated can do this process automatically, but that generally requires you to write what is know as a dns-hook script. This script knows how to access your dns to update the zone file and how to get the dns server to publish the changes.
So:
1. request a certificate and get the token
2. update your dns zone file with the token
3. tell lentencrypt you have done it
4. letsencrypt checks the token
5. if it is good certificate is issued
6. edit dns zone file and remove token.
Needless to say this needs to be a real domain and a real dns server on the internet.
PS: resolv.conf could look something like this:
If it see the token you have put there, then it knows you are the valid owner/controller of that domain.
Dehydrated can do this process automatically, but that generally requires you to write what is know as a dns-hook script. This script knows how to access your dns to update the zone file and how to get the dns server to publish the changes.
So:
1. request a certificate and get the token
2. update your dns zone file with the token
3. tell lentencrypt you have done it
4. letsencrypt checks the token
5. if it is good certificate is issued
6. edit dns zone file and remove token.
Needless to say this needs to be a real domain and a real dns server on the internet.
PS: resolv.conf could look something like this:
Code:
search mydomain.com
nameserver 208.67.222.222What I'm working with is a real domain. However, despite several attempts, It can never seem to find the record it's looking for. This system is not facing the open internet. My goal eas to do DNS locally (like it is for literally every single other client on my network), and sort of force it to find the right record by manually pointing it to the internal IP of my DNS server.
What is additionally confusing to me is the use of the term "file" after DNS Zone. My records are either managed locally, or in my registrar. None of which is a "file".
Unless Letsencrypt can access your DNS records via a public DNS server like 8.8.8.8, dns-01 validation is not going to work.
I use the term zone file because the most popular dns server on the internet is called bind, and bind stores it's configuration in zone files that are located in /var.cache/bind. These are just pure text files, nothing special, and very easy for something like sed (stream editor) to add a token to the file (and also remove it again) whilst also updating the serial number in the file.
I use the term zone file because the most popular dns server on the internet is called bind, and bind stores it's configuration in zone files that are located in /var.cache/bind. These are just pure text files, nothing special, and very easy for something like sed (stream editor) to add a token to the file (and also remove it again) whilst also updating the serial number in the file.
Ah. okay. is there a way I could make nginx run without requiring the whole lets encrypt thing? I'm not too concerned about non-https traffic accessing the web ui of the demo instance that I'm trying.
Yes, by default, nginx has a certificate key pair called snakeoil which are merely self signed certificates, nothing wrong with using them.
Code:
#ssl on;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!ADH:!MD5:!aNULL;
They are the lines you would have in the nginx site configuration file:
/etc/nginx/sites-available/fusionpbx
I think you have a very steep learning curve ahead of you
/etc/nginx/sites-available/fusionpbx
Code:
server {
listen 443;
server_name fusionpbx;
ssl on;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;I think you have a very steep learning curve ahead of you
I do indeed have a very steep learning curve since I don't know anything about Linux. I got used to freepbx, and I've decided to go to something a bit more difficult, while completely underestimating the learning curve and installation and management process. I do thank you for all of the help that you've generously provided.They are the lines you would have in the nginx site configuration file:
/etc/nginx/sites-available/fusionpbx
Code:server { listen 443; server_name fusionpbx; ssl on; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
I think you have a very steep learning curve ahead of you
It doesn't look like it accepted the code.. At the end of the last screenshot it says "no such file" (looking in journalctl -xeu nginx.service)
I think your nginx installation is still trying to use (parts of) dehydrated. I'm not sure what you did in the first place to enable this, so it is difficult for me to tell you how to remove it.
Having said that, your screenshot does show nginx failing to open /etc/dehydrated/certs/hadaller.ca/fullchain.pem. This is part of the problem but because you no longer require Letsencrypt certificates it wll be safe to remove all references to dehydrated for your nginx configuration.
Look at all the config files under /etc/nginx and comment out (with a # at the beginning of the line) all lines that make reference to dehydrated, then try starting it again.
Having said that, your screenshot does show nginx failing to open /etc/dehydrated/certs/hadaller.ca/fullchain.pem. This is part of the problem but because you no longer require Letsencrypt certificates it wll be safe to remove all references to dehydrated for your nginx configuration.
Look at all the config files under /etc/nginx and comment out (with a # at the beginning of the line) all lines that make reference to dehydrated, then try starting it again.
I think this is what might be messing with things? I've attached both before and after I commented it out. (I hope I did it correctly.)
Evidently, it wasn't. When I tried to start it it exited with the same error, and I have sifted through the following directories, and can't find any mentions of dehydrated, anywhere.
I might just be tempted to try to re-install everything and try again.
Evidently, it wasn't. When I tried to start it it exited with the same error, and I have sifted through the following directories, and can't find any mentions of dehydrated, anywhere.
- conf.d (empty)
- fastcgi.conf (no references)
- koi-utf(no references)
- koi-win(no references)
- modules-available(no references)
- modules-enabled(no references)
- nginx.conf(no references)
- proxy_params(no references)
- scgi_params(no references)
- sites-available(no references)
- sites-enabled > fusionpbx (pictured below)
- ssl(no references)
- uwsgi_params(no references)
- win-utf(no references)
I might just be tempted to try to re-install everything and try again.
You are showing the section for the http server on port 80
what about the https section for port 443 (listen 443)?
You can find a reference file of what the basic fusionpbx nginx site file here:
https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/debian/resources/nginx/fusionpbx
what about the https section for port 443 (listen 443)?
You can find a reference file of what the basic fusionpbx nginx site file here:
https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/debian/resources/nginx/fusionpbx
- Status