Nginx – Let’s encrypt certificate and NGINX – Cannot find a cert or key directive

certbotlets-encryptnginxubuntu-16.04

My server runs on a LEMP Stack Ubuntu 16.04 and last version of nginx

I already have a SSL certificate installed on my server for the following domains and subdomains : example.com, domain1.example.com and everything is working fine.

What I try to achieve

I'd like to create a new certificate for domain2.example.com

To do so, I tried this command:

sudo certbot --nginx -d example.com -d domain1.example.com -d domain2.example.com --expand

Error message

Cannot find a cert or key directive in /etc/nginx/sites-enabled/example.com for set(['www.example.com', '*.example.com', 'example.com']). VirtualHost was not modified.

nginx config

server {

   # SSL configuration

   listen 443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;
   include snippets/ssl-example.com.conf;
   include snippets/ssl-params.conf;


    root /var/www/laravel/public;
    index index.php index.html index.htm;


    server_name example.com *.example.com www.example.com ;
}

Questions

What am I doing wrong ? How can I recreate the certificate to add the domain2 ?

Best Answer

Here is what I had to do.

First find the existing certificates by typing certbot certificates
Then identify the certificate you wish to expand
Update the certificate by typing sudo certbot certonly --cert-name example.com -d example.com -d domain1.example.com -d domain2.example.com --expand.
Select 2: Place files in webroot directory (webroot)
Enter new webroot which was for me /var/www/laravel

Related Solutions

Nginx – Properly setting up a “default” nginx server for https

I managed to configure a shared dedicated hosting on a single IP with nginx. Default HTTP and HTTPS serving a 404 for unknown domains incoming.

1 - Create a default zone

As nginx is loading vhosts in ascii order, you should create a 00-default file/symbolic link into your /etc/nginx/sites-enabled.

2 - Fill the default zone

Fill your 00-default with default vhosts. Here is the zone i am using:

server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}

3 - Create self signed certif, test, and reload

You will need to create a self signed certificate into /etc/nginx/ssl/nginx.crt.

Create a default self signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Just a reminder:

Test the nginx configuration before reloading/restarting : nginx -t
Reload a enjoy: sudo service nginx reload

Hope it helps.

NginX + WordPress + SSL + non-www + W3TC vhost config file questions

Please don't post multiple questions in one.

The first step, when you don't know how something works, is to search for the documentation. In the case of nginx, directives are exhaustively explained through the official documentation directive index.

It depends on the location block nature. Prefixed location blocks order is not important, but regex location blocks order is, since the first one matching the request URI will be picked.
Configuration directives order does not matter except for few cases like if blocks. Gzip directives are not part of these.
In fact ssl on is the old way to do it and the listen directive parameter ssl is the new one. The usage of ssl on forces the server block to accept HTTPS only while the usage of the listen directive parameter allows to handle both HTTP and HTTPs in the same server block.
Actually you explicitely asked nginx to do this. Another way to have the same result is using return 301 https://domain.com$request_uri. The rewrite patten ^(.*) matches all URIs and capture them. Then it rewrites them permanently (301 redirect) to https://domain.com<uri>. Refer to the documentation to understand how the rewrite directive works if you are confused.
Opinion-based questions do not fit SF standards.