Server Fault Asked by LoneWolfPR on January 19, 2021
I've got a few virtual hosts set up through nginx on my centos7 server. I'm getting certs by using letsencrypt certbot. By default certbot writes the vhost info to the /etc/nginx/nginx.conf file. This isn't the behavior I want. I use the /sites-available and /sites-enabled folders with separate .conf files for each vhost. If I connect to a site in which the vhost and ssl info is listed in the nginx.conf it works fine. However, if I copy the directives out and put them in a new conf file in the sites-available folder (with a symlink in sites-enabled) it serves up the wrong certificate. It serves the one related to another vhost. I'd really like to keep my vhost configs in separate files rather than building them into the nginx.conf, but I can't seem to make that work.
UPDATE:
As requested, here are the contents of my nginx -T call. None of the server blocks that are outside the conf are shown here though. They're loaded via the line that reads include /etc/nginx/sites-enabled/*.conf.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

    server_names_hash_bucket_size 128;

    # With no other 443 server block loaded ahead of it, this is the default
    # ssl server for port 443: nginx answers any SNI name it cannot match
    # against a server_name with this certificate.
    server {
        server_name stairwell-soundboard-api.lonewolfdigital.com; # managed by Certbot

        location / {
            proxy_pass http://localhost:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }

        listen [::]:443 ssl; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/stairwell-soundboard-api.lonewolfdigital.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/stairwell-soundboard-api.lonewolfdigital.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = stairwell-soundboard-api.lonewolfdigital.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80 ;
        listen [::]:80 ;
        server_name stairwell-soundboard-api.lonewolfdigital.com;
        return 404; # managed by Certbot
    }
}
# configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so";
# configuration file /usr/share/nginx/modules/mod-http-perl.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_perl_module.so";
# configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so";
# configuration file /usr/share/nginx/modules/mod-mail.conf:
load_module "/usr/lib64/nginx/modules/ngx_mail_module.so";
# configuration file /usr/share/nginx/modules/mod-stream.conf:
load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "THIS-CONTENT-REMOVED";
UPDATE 2
My /etc/nginx/sites-enabled/stairwell-soundboard-player.lonewolfdigital.com.conf file:

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name stairwell-soundboard-player.lonewolfdigital.com; # managed by Certbot

    root /opt/soundboard-player/build;
    index index.html index.htm;

    location / {
        try_files $uri /index.html;
    }

    ssl_certificate /etc/letsencrypt/live/stairwell-soundboard-player.lonewolfdigital.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/stairwell-soundboard-player.lonewolfdigital.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = stairwell-soundboard-player.lonewolfdigital.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name stairwell-soundboard-player.lonewolfdigital.com;
    return 404; # managed by Certbot
}
UPDATE 3:
As requested, here's the listing of the two folders.
sites-available:
➜ ~ cd /etc/nginx/sites-available
➜ sites-available ls -l
total 24
-rw-r--r-- 1 root root 612 Feb 15 2018 draft.indygaa.com.conf
-rw-r--r-- 1 root root 1492 Oct 28 14:49 fullcontactmotherhood.conf
-rw-r--r-- 1 root root 424 Oct 25 2017 indygaa.com.conf
-rw-r--r-- 1 root root 639 Sep 7 2019 lonewolfdigital.com.conf
-rw-r--r-- 1 root root 996 Oct 29 21:43 stairwell-soundboard-player.lonewolfdigital.com
-rw-r--r-- 1 root root 556 Oct 27 20:39 webhooks.lonewolfdigital.com.conf
sites-enabled:
➜ sites-available cd ../sites-enabled
➜ sites-enabled ls -l
total 8
lrwxrwxrwx 1 root root 53 Oct 29 21:05 fullcontactmotherhood.conf -> /etc/nginx/sites-available/fullcontactmotherhood.conf
lrwxrwxrwx 1 root root 51 Oct 29 21:44 lonewolfdigital.com.conf -> /etc/nginx/sites-available/lonewolfdigital.com.conf
lrwxrwxrwx 1 root root 74 Oct 28 15:33 stairwell-soundboard-player.lonewolfdigital.com -> /etc/nginx/sites-available/stairwell-soundboard-player.lonewolfdigital.com
lrwxrwxrwx 1 root root 60 Oct 29 21:07 webhooks.lonewolfdigital.com.conf -> /etc/nginx/sites-available/webhooks.lonewolfdigital.com.conf
Your include line is include /etc/nginx/sites-enabled/*.conf; so you are including files ending in .conf. As I requested, your sites-enabled vhost configuration files are:
➜ sites-available cd ../sites-enabled
➜ sites-enabled ls -l
total 8
lrwxrwxrwx 1 root root 53 Oct 29 21:05 fullcontactmotherhood.conf -> /etc/nginx/sites-available/fullcontactmotherhood.conf
lrwxrwxrwx 1 root root 51 Oct 29 21:44 lonewolfdigital.com.conf -> /etc/nginx/sites-available/lonewolfdigital.com.conf
lrwxrwxrwx 1 root root 74 Oct 28 15:33 stairwell-soundboard-player.lonewolfdigital.com -> /etc/nginx/sites-available/stairwell-soundboard-player.lonewolfdigital.com
lrwxrwxrwx 1 root root 60 Oct 29 21:07 webhooks.lonewolfdigital.com.conf -> /etc/nginx/sites-available/webhooks.lonewolfdigital.com.conf
Note that stairwell-soundboard-player.lonewolfdigital.com does not end in .conf but .com. Delete the link and make a new one which ends in .conf and reload your nginx:
# remove the link whose name the include glob never matches
rm /etc/nginx/sites-enabled/stairwell-soundboard-player.lonewolfdigital.com
# ln -s takes the target first, then the name of the link to create
ln -s /etc/nginx/sites-available/stairwell-soundboard-player.lonewolfdigital.com /etc/nginx/sites-enabled/stairwell-soundboard-player.lonewolfdigital.com.conf
# check the full configuration (now including the new file) before reloading
nginx -t && systemctl reload nginx
Correct answer by Jesús Ángel on January 19, 2021
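As an added example (not part of the question or of the answer above), here is a small POSIX shell check for the failure mode this thread describes: a file in sites-enabled whose name the include glob in nginx.conf never matches. nginx -t reports nothing wrong, the vhost is simply not loaded, and its hostname falls through to the first ssl server on port 443, so clients are shown another site's certificate. The block also carries a helper that asks a live server which certificate it presents for a given SNI name. The directory layout and file names in the demo are constructed to mirror the listing in the question; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Given an nginx
# main config and a sites-enabled directory, report the files there that the
# "include <dir>/<glob>;" line will never load. Such a file is not an error
# for nginx -t, but its server_name is then unknown to nginx and the hostname
# is answered by the default ssl server, i.e. another vhost's certificate.
# Assumes a POSIX sh with sed and basename; paths are passed as arguments.

check_unmatched_includes() {
    conf="$1"
    dir="$2"
    # Extract the glob from the include line that points at $dir, e.g.
    # "include /etc/nginx/sites-enabled/*.conf;" yields "*.conf".
    pattern=$(sed -n "s#^[[:space:]]*include[[:space:]][[:space:]]*$dir/\([^;]*\);.*#\1#p" "$conf" | head -n 1)
    if [ -z "$pattern" ]; then
        echo "no include line for $dir found in $conf" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob stays literal
        base=$(basename "$f")
        # case applies the same shell-style glob match nginx uses on the file
        # name; $pattern is deliberately unquoted so it acts as a pattern.
        case "$base" in
            $pattern) ;;                   # will be loaded by the include
            *) echo "$base"; rc=1 ;;       # silently skipped by the include
        esac
    done
    return $rc
}

# Which certificate does the server actually present for an SNI name?
# Needs network access to the host, so it is not part of the offline demo.
served_cert_names() {
    host="$1"
    sni="$2"
    printf '' | openssl s_client -connect "$host:443" -servername "$sni" 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# Offline demo on a constructed directory that mirrors the listing in the
# question: three link names ending in .conf and one ending in .com.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sites-enabled"
    printf 'http {\n    include %s/sites-enabled/*.conf;\n}\n' "$tmp" > "$tmp/nginx.conf"
    for name in fullcontactmotherhood.conf lonewolfdigital.com.conf \
                stairwell-soundboard-player.lonewolfdigital.com \
                webhooks.lonewolfdigital.com.conf; do
        : > "$tmp/sites-enabled/$name"
    done
    check_unmatched_includes "$tmp/nginx.conf" "$tmp/sites-enabled"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if demo; then
    echo "every file in sites-enabled is covered by the include glob"
else
    echo "the file(s) above are not loaded by the include glob"
fi
```

Run check_unmatched_includes /etc/nginx/nginx.conf /etc/nginx/sites-enabled before each reload; a non-zero status means a vhost you think is enabled is invisible to nginx. To confirm the fix from the outside, served_cert_names with the server's address and the player hostname as SNI should list that hostname in the subjectAltName after the reload; before it, the api certificate comes back because the first ssl server block on port 443 is the default for any name nginx cannot match. If you would rather that unmatched names get no site's certificate at all, nginx 1.19.4 and later can refuse those handshakes with a catch-all default_server on 443 that sets ssl_reject_handshake on; the nginx shipped for CentOS 7 may be older than that, so check nginx -v first.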