
Although there's a plethora of articles on the web about this, I'm still having issues getting this to work.

I've set up nginx on Ubuntu 18.04 - everything is patched to date.

I installed Certbot (sudo apt-get install python-certbot-nginx)

I'm using "default" config as I'm not going to be running anything on this server except the reverse proxy:

Here's the config - working fine on http:

##
# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    server_name _;

    location / {

            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }
}
#
## Redirect to internal servers
#
# HomeAssistant
server {
    listen 80;
    server_name hass.mysite.com;

    proxy_set_header Host   $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
            proxy_pass http://192.168.1.245:8123;
            proxy_buffering off;
    }
}
#
# SSH Tunnel
server {
    listen 80;
    server_name remote.mysite.com;

    proxy_set_header Host   $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
            proxy_pass http://192.168.1.250:443;
            proxy_buffering off;
    }
}

I'm happy to redirect all external connections to https and leave internal as http.

If I run sudo certbot --nginx I get this and can approve both sites:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hass.mysite.com
2: remote.mysite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input

There's no prompt from Certbot to redirect all traffic to https and I'm struggling to set it up to do so - do I have to configure "listen 443" on each redirect?

Scepticalist
    Did you stop there? You need to choose the two sites and continue. – Michael Hampton Feb 07 '19 at 13:36
  • Yes of course, I chose both and completed - but as I said, the prompt to redirect all to https didn't appear. – Scepticalist Feb 07 '19 at 13:57
  • You want to do it via certbot or you can edit it yourself? I can help with a man-made configuration. – flaixman Feb 07 '19 at 16:24
    This isn't the first time I've seen certbot nginx make a hash of it. I prefer to use certonly and do the configuration myself, so I know it's right. [Here is a sample configuration.](https://serverfault.com/a/896555/126632) – Michael Hampton Feb 07 '19 at 18:52

1 Answer


Ok, after a lot of trial and error, it seems that it didn't like certificating subdomains without the parent domain.

Luckily I'm running in a VM so I rolled back to before the Certbot install.

I commented out this line in the config:

server_name _;

...and added the root domain sites:

server {
    server_name mysite.com www.mysite.com;

    root /var/www/html;

    index index.html index.htm mysite.html;
}

I then got certificates for the root domains:

sudo certbot --nginx -d mysite.com -d www.mysite.com

When I did this, Certbot added the SSL config successfully to the root domains, so I went ahead with certifying the subdomains and this also worked fine.

Scepticalist
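For the HTTP-to-HTTPS redirect the question asks about, here is an added hand-written configuration (not from the question, the answer, or Certbot's generated output): port 80 only answers ACME challenges and redirects everything else to HTTPS, and each proxied name gets its own listen 443 block. It assumes the certificates have already been issued (for example with certbot certonly, as suggested in the comments) at Certbot's default /etc/letsencrypt/live/<name>/ paths, that /var/www/html is the webroot used for renewals, and it reuses the backend addresses from the question.

```nginx
# Port 80: serve ACME HTTP-01 challenges locally so renewals keep working
# (assumed webroot), then send every other request to HTTPS permanently.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name hass.mysite.com remote.mysite.com;
    location /.well-known/acme-challenge/ { root /var/www/html; }
    location / { return 301 https://$host$request_uri; }
}

# Home Assistant over TLS (certificate paths assume Certbot's default layout)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name hass.mysite.com;
    ssl_certificate     /etc/letsencrypt/live/hass.mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hass.mysite.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://192.168.1.245:8123;
        proxy_buffering off;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # backend sees the original scheme
        # Home Assistant's UI relies on websockets; allow the connection upgrade.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# SSH tunnel endpoint over TLS
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name remote.mysite.com;
    ssl_certificate     /etc/letsencrypt/live/remote.mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/remote.mysite.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://192.168.1.250:443;   # backend address as given in the question
        proxy_buffering off;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run `sudo nginx -t` before reloading; if Certbot's nginx plugin is used afterwards it may rewrite these blocks, so the certonly route keeps the file under your control.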