nginx cannot load certificate fullchain.pem – Certbot Fix

Eroarea nginx cannot load certificate path/fullchain.pem apare cand testam serviciul NGINX dupa ce stergem certificate Let’s Encrypt generate cu Certbot.

In server eroarea apare de genul:

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Background eroare nginx

Intr-un articol precedent am aratat cum poti sterge din Certbot domeniile care au fost gazduite in trecut pe server dar care in prezent nu mai sunt active. Delete old domains Certbot certificates (Let’s Encrypt Certificate).

Atunci cand stergi certificate SSL pentru domenii active, care mai sunt gazduite pe server, prin comanda: sudo certbot delete, certificatul este sters automat, insa el ramane activ in sesiuni pana la restartarea serviciului nginx. La comanda nginx -t (testarea serviciului) poti avea surpiza ca testul sa esueze cu eroarea de mai sus. Rezolvarea este insa foarte simpla.

Fix nginx: [emerg] cannot load certificate fullchain.pem

Atunci cand instalezi un certificat SSL Let’s Encrypt prin Certbot, in fisierul de configurare al nginx pentru domeniu, se adauga cateva linii care indica existenta certificatului. Atunci cand certificatul este sters, liniile raman in nginx config si trebuie sterse manual. Adica liniile de mai jos:

.....    

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name example.com www.example.com;
    listen 80;
    return 404; # managed by Certbot

Dupa ce stergeti aceste linii din fisierul confg nginx al domeniului pentru care ati eliminat certificatul SSL, executati comanda nginx -t pentru a verifica daca totul este ok.

• Delete old domains Certbot certificates (Let’s Encrypt Certificate)
• Cum instalam manual certificat SSL pentru website fara cPanel / VestaCP [NGINX]
• Certificate TLS / SSL – O noua limita a duratei de valabilitate impusa din septembrie 2020
• WP Super Cache vs. W3 Total Cache (WordPress Page Load Speed)
• Cum mutam un blog sau un website WordPress de pe HTTP pe HTTPS (NGINX)

[root@server]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@server]# 

Acum puteti restarta in siguranta serviciul nginx.