Can't re-enable LetsEncrypt. Nginx fails to reload


#1

I ran into an issue where EasyEngine was telling me that my LetsEncrypt certificate was valid, but browsers were reporting it expired. EasyEngine wouldn’t renew it because it was valid for more than 30 days.

Following some recommendations on this forum, I decided to try to remove LetsEncrypt and re-enable it using:

sudo ee site update themeofthecrop.com --letsencrypt=off

Then re-enable it using:

sudo ee site update themeofthecrop.com --letsencrypt

The certificate issue seems to go smoothly; however, nginx fails to reload (note, I chose option 2 below, but have tried 1, 2, and 3 as well):

crop@themeofthecrop-ubuntu-2gb-nyc3-01:~$ sudo ee site update themeofthecrop.com --letsencrypt
Letsencrypt is currently in beta phase. 
Do you wish to enable SSl now for themeofthecrop.com?
Type "y" to continue [n]:y
You already have an existing certificate for the domain requested.
(ref: /etc/letsencrypt/renewal/themeofthecrop.com.conf)
Please select an option from below?
	1: Reinstall existing certificate
	2: Keep the existing certificate for now
	3: Renew & replace the certificate (limit ~5 per 7 days)

Type the appropriate number [1-3] or any other key to cancel: 2
Using Existing Certificate files
Let's Encrypt successfully setup for your site
Your certificate and chain have been saved at /etc/letsencrypt/live/themeofthecrop.com/fullchain.pem
Configuring Nginx SSL configuration
Adding /var/www/themeofthecrop.com/conf/nginx/ssl.conf
Adding /etc/nginx/conf.d/force-ssl-themeofthecrop.com.conf
Added HTTPS Force Redirection for Site  http://themeofthecrop.com
Creating Cron Job for cert auto-renewal
Reload : nginx     [Failed]
service nginx reload failed. check issues with `nginx -t` command

Running nginx -t shows me a permissions error; however, when run with sudo the tests pass fine:

crop@themeofthecrop-ubuntu-2gb-nyc3-01:~$ nginx -t
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2018/03/05 06:30:26 [warn] 24669#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2018/03/05 06:30:26 [emerg] 24669#0: BIO_new_file("/etc/letsencrypt/live/themeofthecrop.com/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/themeofthecrop.com/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed
crop@themeofthecrop-ubuntu-2gb-nyc3-01:~$ sudo !!
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

When I look at /var/log/ee/ee.log, I see this entry which looks to be related to the reload process:

reload: Job is not running: nginx
2018-03-05 06:30:16,888 (INFO) ee : [Failed]
2018-03-05 06:30:16,889 (ERROR) ee : service nginx reload failed. check issues with `nginx -t` command

I have tried manually restarting nginx with sudo service nginx restart and it works fine. When I check the site info, it reports SSL is disabled:

crop@themeofthecrop-ubuntu-2gb-nyc3-01:~$ sudo ee site info themeofthecrop.com
Information about themeofthecrop.com:

Nginx configuration	 wp basic (enabled) 
PHP Version		 5.6
HHVM			 disabled
SSL			 disabled

I’ve spent a while now reading entries in this forum and elsewhere and trying to sort through it, but I’m running out of ideas. Can anyone spot where I might be going wrong here?

Thanks.


LetsEncrypt is working but site info says SSL disabled and can't renew
#2

Hello, try to disable letsencrypt and then to remove the folder /etc/letsencrypt/live/themeofthecrop.com before launching ee site update --letsencrypt. There is an error with the current cert.


#3

Thanks @virtubox. When trying that I get a new error:

crop@themeofthecrop-ubuntu-2gb-nyc3-01:~$ sudo !!
sudo rm -r /etc/letsencrypt/live/themeofthecrop.com
crop@themeofthecrop-ubuntu-2gb-nyc3-01:~$ ee site update themeofthecrop.com --letsencrypt

Only root or sudo user can run this EasyEngine

crop@themeofthecrop-ubuntu-2gb-nyc3-01:~$ sudo !!
sudo ee site update themeofthecrop.com --letsencrypt
Letsencrypt is currently in beta phase. 
Do you wish to enable SSl now for themeofthecrop.com?
Type "y" to continue [n]:y
You already have an existing certificate for the domain requested.
(ref: /etc/letsencrypt/renewal/themeofthecrop.com.conf)
Please select an option from below?
	1: Reinstall existing certificate
	2: Keep the existing certificate for now
	3: Renew & replace the certificate (limit ~5 per 7 days)

Type the appropriate number [1-3] or any other key to cancel: 1
/etc/letsencrypt/live/themeofthecrop.com/cert.pem file is missing.

The same error appears whether I choose option 1, 2 or 3.


#4

Use sudo before the ee command if you are not logged in as root. I haven’t added sudo before the ee command because I run it as root.


#5

I’m running as a sudo user using the sudo !! to re-run the command. I removed some other files that were recommended for removal in another thread:

sudo rm -rf /etc/letsencrypt/live/themeofthecrop.com
sudo rm /etc/letsencrypt/renewal/themeofthecrop.com.conf
sudo rm -rf /etc/letsencrypt/archive/themeofthecrop.com
sudo rm /etc/nginx/conf.d/force-ssl-themeofthecrop.com.conf

And then re-ran the command to install LetsEncrypt. It installed it, but I’m still running into the issue with restarting nginx.

crop@themeofthecrop-ubuntu-2gb-nyc3-01:~$ sudo ee site update themeofthecrop.com --letsencrypt
Letsencrypt is currently in beta phase. 
Do you wish to enable SSl now for themeofthecrop.com?
Type "y" to continue [n]:y
Please Wait while we fetch SSL Certificate for your site.
It may take time depending upon network.
Let's Encrypt successfully setup for your site
Your certificate and chain have been saved at /etc/letsencrypt/live/themeofthecrop.com/fullchain.pem
Configuring Nginx SSL configuration
Adding /var/www/themeofthecrop.com/conf/nginx/ssl.conf
Adding /etc/nginx/conf.d/force-ssl-themeofthecrop.com.conf
Added HTTPS Force Redirection for Site  http://themeofthecrop.com
Creating Cron Job for cert auto-renewal
Reload : nginx     [Failed]
service nginx reload failed. check issues with `nginx -t` command

#6

Can you show the error log when you run sudo nginx -t now?


#7
crop@themeofthecrop-ubuntu-2gb-nyc3-01:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

#8

It looks like the issue has finally cleared. I’m not sure, but it may have been an issue with duplicate services trying to run on the same port. I ended up running sudo netstat -tulpn to view what was running on ports. It looked like nginx was running on the right ports already, but I ran sudo fuser -k 80/tcp to clear it up and restarted nginx.

It didn’t clear things immediately, so that may not have been what fixed it in the end. But that’s the last thing I did, and when I checked 20 mins later my site’s cert seems to have resolved at the browser end.

Oddly, when I run sudo ee site info themeofthecrop.com, it is still telling me that SSL is disabled.
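
Added example, not part of the thread and not EasyEngine code: the symptom above (a certificate that is valid on disk while browsers still see an expired one, with the nginx reload failing) can be confirmed by comparing the leaf certificate in fullchain.pem with the one the listener actually presents. The function names and the sample bytes are assumptions made for this sketch; on the server you would pass the contents of /etc/letsencrypt/live/themeofthecrop.com/fullchain.pem and the result of fetch_served_der("themeofthecrop.com").

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_der(fullchain_pem):
    """DER bytes of the first certificate in a PEM bundle.

    fullchain.pem lists the site (leaf) certificate first and the
    intermediates after it; the server's leaf is what gets compared.
    """
    block = PEM_BLOCK.search(fullchain_pem)
    if block is None:
        raise ValueError("no PEM certificate block found")
    return ssl.PEM_cert_to_DER_cert(block.group(0))

def fetch_served_der(host, port=443, timeout=5.0):
    """Leaf certificate (DER) presented by whatever listens on host:port.

    Verification is disabled on purpose: an expired certificate has to be
    retrieved for comparison, not rejected during the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def diagnose(fullchain_pem, served_der):
    """Compare the on-disk leaf with the served one by SHA-256 fingerprint."""
    disk = hashlib.sha256(leaf_der(fullchain_pem)).hexdigest()
    served = hashlib.sha256(served_der).hexdigest()
    if disk == served:
        return "match", disk, served
    # The listener is not serving this file: the reload failed, another
    # process owns the port, or the vhost points at a different certificate.
    return "mismatch", disk, served

if __name__ == "__main__":
    # Constructed stand-in bytes, not real certificates, so this runs offline.
    new_leaf, old_leaf, ca = b"constructed-new", b"constructed-old", b"constructed-ca"
    bundle = ssl.DER_cert_to_PEM_cert(new_leaf) + ssl.DER_cert_to_PEM_cert(ca)
    print(diagnose(bundle, old_leaf)[0])  # listener still holds the old cert
    print(diagnose(bundle, new_leaf)[0])  # listener picked up the renewed cert
```

A "mismatch" right after a renewal means the new file was written but the running listener never loaded it, which is the state a failed reload leaves behind.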