Let's Encrypt certbot plugin with nginx-mainline

Has anyone figured out if it is possible to get the Let’s Encrypt certbot plugin with nginx-mainline working to auto-renew certificates?

Apparently, so I’m told, the certbot nginx plugin does not support mainline.

In the terminal I get:

certbot --nginx

The nginx plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.")

I can’t seem to get auto renew working if created manually. Maybe a script can be configured and a systemd timer to run it on the day the cert is meant to expire?

I bet certbot is looking for /usr/bin/nginx like it would normally be installed.

The nginx-mainline package installed to a different path: /usr/bin/nginx-mainline to avoid conflicting with the regular nginx package.

Looks like certbot can be redirected to a different binary path with --nginx-ctl.

certbot --help nginx
usage:
...

nginx:
  Nginx Web Server plugin

  --nginx-server-root NGINX_SERVER_ROOT
                        Nginx server root directory. (default: /etc/nginx)
  --nginx-ctl NGINX_CTL
                        Path to the 'nginx' binary, used for 'configtest' and
                        retrieving nginx version number. (default: nginx)

I cannot get this to work, at all, ever. Why are things so complicated on this OS? Why are things not standard, with commands that just work?

$ certbot --nginx-ctl /usr/bin/nginx-mainline

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Error while running /usr/bin/nginx-mainline -c /etc/nginx/nginx.conf -t.

2020/03/03 21:04:45 [emerg] 29910-29910: open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)

nginx: configuration file /etc/nginx/nginx.conf test failed

Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.

$ certbot --nginx-server-root /etc/nginx-mainline

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.

I’ve created the certbot config file in /etc/letsencrypt/cli.ini

I searched for hours looking for an example config file, but nothing shows the info expected for the nginx authenticator.

All I want is to have SSL certificates automatically renewed. I’m not a Linux expert; I’ve contracted 3 Let’s Encrypt freelance experts and none of those guys were able to configure this for me. The best they could do is give me instructions to do it manually.

So I’m frustrated at having to set calendar events before certificate expiry, every 60 days, taking the server offline and performing 4 manual DNS cert renewals: running 4 certbot commands, retrieving the CNAME TXT records, logging into my domain registrar, pasting those in, and waiting for them to populate and be acknowledged by certbot on the command line again. It almost never works the first time, and I waste about 30 minutes with my server offline.

certbot certonly --manual -d *.example.com -d example.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

There’s a guy on GitHub with an acme.sh shell script, but it doesn’t appear to be any easier.

https://www.cyberciti.biz/faq/how-to-configure-nginx-with-free-lets-encrypt-ssl-certificate-on-debian-or-ubuntu-linux/

Who’s actually even running nginx-mainline on Clear Linux and has ever got certbot auto-renew to actually work?
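The two plugin flags from the help output earlier in the thread were tried one at a time above. Combined, they tell the nginx plugin both which binary to run and where its nginx.conf lives, and the config test certbot performs (the `-t` call that failed above) can be reproduced by hand before certbot is involved. The script below is an added example, not code from the thread or from the Clear Linux or certbot projects: /usr/bin/nginx-mainline is the binary path the thread names, /etc/nginx-mainline/nginx.conf is an assumed config location (check it with `nginx-mainline -V` or the package documentation), and the cli.ini keys are certbot's long option names without the leading `--`.

```shell
#!/bin/sh
# Added example: point certbot's nginx plugin at nginx-mainline's binary and
# config root, and run the same config test certbot's plugin runs first.
# Assumptions: binary at /usr/bin/nginx-mainline (from the thread) and config
# root /etc/nginx-mainline (assumed; verify with `nginx-mainline -V`).
set -eu

NGINX_CTL="${NGINX_CTL:-/usr/bin/nginx-mainline}"
NGINX_ROOT="${NGINX_ROOT:-/etc/nginx-mainline}"

# Render /etc/letsencrypt/cli.ini. Every certbot run, including `certbot renew`
# from a timer, reads this file, so the plugin paths only need to live here.
render_cli_ini() {
  ctl=$1; root=$2; email=$3
  cat <<EOF
# /etc/letsencrypt/cli.ini: defaults for every certbot invocation
authenticator = nginx
installer = nginx
nginx-ctl = $ctl
nginx-server-root = $root
email = $email
agree-tos = true
EOF
}

# The nginx plugin runs `<ctl> -c <root>/nginx.conf -t` (and a version query)
# when it prepares; if that fails certbot only reports that it "doesn't know
# how to automatically configure the web server". Run the identical test here
# so a wrong path fails loudly and with nginx's own error message.
nginx_configtest() {
  ctl=$1; root=$2
  [ -x "$ctl" ] || { echo "nginx binary $ctl is not executable" >&2; return 2; }
  [ -r "$root/nginx.conf" ] || { echo "$root/nginx.conf not found" >&2; return 3; }
  "$ctl" -c "$root/nginx.conf" -t
}

main() {
  nginx_configtest "$NGINX_CTL" "$NGINX_ROOT"
  render_cli_ini "$NGINX_CTL" "$NGINX_ROOT" "${EMAIL:?set EMAIL=you@example.com}" \
    > /etc/letsencrypt/cli.ini
  # Exercise the plugin against the staging CA without touching rate limits.
  certbot renew --dry-run
}

# Run as `sh certbot-mainline.sh setup` (name assumed) so sourcing it for
# tests does not modify the system.
case "${1:-}" in setup) main ;; esac
```

Once a certificate has been issued this way, `/etc/letsencrypt/renewal/<name>.conf` records the plugin settings under `[renewalparams]`, so `grep nginx /etc/letsencrypt/renewal/*.conf` is a quick check that `certbot renew` will use the mainline paths. Whether the plugin then edits nginx-mainline's server blocks correctly is not something the thread establishes; the script only removes the path problem, which is the failure shown above.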

Our certbot plugins are untested. The above errors are due to the config file path being different for nginx-mainline.

I personally run certbot standalone to avoid this issue, i.e. shut down nginx-mainline, then certbot renew, and everything should work (provided this doesn’t attempt to start nginx, which would be wrong).

I haven’t looked yet at how to make these plugins work. There are a lot of them, and so this is a significant amount of work.
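The standalone approach above can be automated with certbot's own `--pre-hook` and `--post-hook` plus a systemd timer, which also answers the script-and-timer idea from the first post. The point worth getting right: `certbot renew` only runs the hooks when a certificate is actually due, so nginx-mainline is stopped for a few seconds roughly every 60 days rather than on every timer run, and the hooks name nginx-mainline explicitly so nothing starts the regular nginx package by mistake. The script below is an added example, not code from the thread or from Clear Linux; it assumes the unit is called nginx-mainline.service (check with `systemctl list-units 'nginx*'`) and that the certificate was first obtained with `certbot certonly --standalone`, which `certbot renew` then reuses.

```shell
#!/bin/sh
# Added example: systemd service + timer running `certbot renew` with hooks
# that stop/start nginx-mainline only while a renewal is in progress.
# Assumption: the web server unit is nginx-mainline.service.
set -eu

NGINX_UNIT="${NGINX_UNIT:-nginx-mainline.service}"

# The exact command line the service runs. certbot renew executes the hooks
# only for certificates that are due, and never touches plain "nginx".
renew_command() {
  unit=$1
  printf '%s' "/usr/bin/certbot renew --non-interactive --pre-hook 'systemctl stop $unit' --post-hook 'systemctl start $unit'"
}

# Write the units under $prefix ("" for the live system, a temp dir for tests).
install_units() {
  prefix=$1; unit=$2
  dir="$prefix/etc/systemd/system"
  mkdir -p "$dir"
  cat > "$dir/certbot-renew.service" <<EOF
[Unit]
Description=Renew Let's Encrypt certificates (stops $unit only while renewing)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=$(renew_command "$unit")
EOF
  # Twice a day is certbot's recommended cadence; renew is a no-op until a
  # certificate is within its renewal window, so this is cheap and leaves
  # ~30 days of margin instead of renewing on the expiry day itself.
  cat > "$dir/certbot-renew.timer" <<EOF
[Unit]
Description=Run certbot-renew.service twice a day

[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

main() {
  install_units "" "$NGINX_UNIT"
  systemctl daemon-reload
  systemctl enable --now certbot-renew.timer
  # Rehearse a full renewal against the staging CA; --dry-run runs the
  # pre/post hooks too, so this proves the stop/start of $NGINX_UNIT works.
  eval "$(renew_command "$NGINX_UNIT") --dry-run"
}

# Run as `sh certbot-renew-setup.sh install` (name assumed).
case "${1:-}" in install) main ;; esac
```

Two caveats. The `--dry-run` at the end briefly stops nginx-mainline, exactly as a real renewal will, so run it when a few seconds of downtime are acceptable. And standalone only serves the http-01 challenge on port 80: the wildcard `*.example.com` certificate from the earlier `--manual --preferred-challenges dns-01` command cannot be renewed this way and needs a DNS plugin or `--manual-auth-hook`/`--manual-cleanup-hook` scripts that update the registrar's TXT records instead. For non-wildcard names, `--webroot` avoids the downtime altogether by letting the running nginx-mainline serve the challenge file.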

I recommend this one:

MIT license. About 200 lines of Python and an easy read. The README has instructions for setting up auto-renew. Requires a little DIY, but it is lightweight and perfect for custom configurations and building plugins. Used by a ton of admin web appliance thingies, the most popular probably being Virtualmin GPL.

Try adding a line to the certbot service, a pre-execution command to make a symbolic link from nginx to nginx-mainline, and the same for the config file. The links will get removed by swupd, but recreated the next time it runs.

If running nginx-mainline and nginx side-by-side, you may just have to get a bit more creative.

For systemd syntax, see “magic 3 lines” after the comment: