0

Not sure how to quickly summary this issue, so I will put my scenario in bulletpoints:

  • Normal basic nginx install
  • I only use https(443), so I removed all http(80) config
  • When you start nginx (or restart it), the process seems to listen on port 80 as well (ss -tulp)
  • When I add a config in /etc/nginx/sites-enabled with a listener on http(80) and then;
  • Reload nginx, using systemctl reload nginx (note: reload, not restart)
  • It does not work, as if nginx is still not listening for traffic on port 80
  • If I run systemctl restart nginx it does work.

I noticed this, because LetsEncrypt couldn't renew my certificates. After investigating the issue, I noticed the behaviour described above.
Because I had no nginx config listening on http(80), I think nginx just doesn't add any listeners or something when I start nginx (although port 80 was claimed by nginx)
And if Certbot then tries to renew my certificates, it would add a temporary http(80) config to the nginx config directory, presumably followed by a "reload" of nginx, rather than a restart (which is as expected and as it should)
But since nginx was started without http(80) config, it didn't process the traffic from LetsEncrypt to that temporary challenge config.
My solution was quite simple, to add a basic http(80) config block to nginx with only a return 404; and restarted nginx. After that, Certbot worked just fine and could renew all my certificates.

I was wondering if this is expected behaviour, or if this is a (known) bug in Nginx.

Thanks

Update:

nginx version: nginx/1.18.0
Debian 11 (Bullseye)
Jesse
  • 101
  • 1
  • 3
  • You'd need to share your actual config for us to be able to help with this. – shearn89 Feb 03 '22 at 08:44
  • @shearn89 not sure how my config would help. Because the config itself doesn't seem relevant, it is more the lack of config that seems to cause the issue. If I don't have a config which listens on port 80, and if I then add a config for port 80 (doesn't matter which config) then a reload of the service does not error, but it also does not listen on port 80. I have to restart the service, before the config is operational. While normally a reload is sufficient. – Jesse Feb 03 '22 at 13:40
  • You say you 'removed all http(80) config' and then 'add a config in ...'. Trying to guess what your config looks like from your description is difficult and error prone. If you add it to the question we can tell you if it's misconfiguration of a bug in Nginx. – shearn89 Feb 03 '22 at 13:44
  • Well the problem is that it doesn't work as expected when I don't provide that config. With that config it does work, so again, not sure how providing the config would help. But as I stated in the original post, my config is just a return 404; listen 80; server_name _; return 404; – Jesse Feb 03 '22 at 17:19

1 Answers1

0

I don't think this is a bug, I think this is something wrong at your end. I can't recreate your issue.

I've spun up a fresh EC2 instance with Amazon Linux and installed nginx.

Commented out http server, uncommented https, and generated certs:

#    server {
#        listen       80;
#        listen       [::]:80;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        error_page 404 /404.html;
#        location = /404.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#        }
#    }

    server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/cert.pem";
        ssl_certificate_key "/etc/pki/nginx/key.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        # ssl_ciphers PROFILE=SYSTEM;
        # ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Certs:

[root@ip-10-0-0-110 nginx]# ls -l /etc/pki/nginx/
total 8
-rw-r--r-- 1 nginx nginx 2155 Feb  4 09:28 cert.pem
-rw-r--r-- 1 nginx nginx 3272 Feb  4 09:28 key.pem

Start up the server, and port 80 is not in use, but 443 is:

[root@ip-10-0-0-110 nginx]# ss -plunt | grep ':80'
[root@ip-10-0-0-110 nginx]# ss -plunt | grep ':443'
tcp  LISTEN 0      511                            0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=32264,fd=6),("nginx",pid=32262,fd=6),("nginx",pid=32205,fd=6))
tcp  LISTEN 0      511                               [::]:443          [::]:*    users:(("nginx",pid=32264,fd=7),("nginx",pid=32262,fd=7),("nginx",pid=32205,fd=7))

Uncomment HTTP and do a systemctl reload nginx, and both are in use:

[root@ip-10-0-0-110 nginx]# vim /etc/nginx/nginx.conf
[root@ip-10-0-0-110 nginx]# systemctl reload nginx
[root@ip-10-0-0-110 nginx]# ss -plunt | grep ':443'
tcp  LISTEN 0      511                            0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=32288,fd=6),("nginx",pid=32287,fd=6),("nginx",pid=32205,fd=6))
tcp  LISTEN 0      511                               [::]:443          [::]:*    users:(("nginx",pid=32288,fd=7),("nginx",pid=32287,fd=7),("nginx",pid=32205,fd=7))
[root@ip-10-0-0-110 nginx]# ss -plunt | grep ':80'
tcp  LISTEN 0      511                            0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=32288,fd=13),("nginx",pid=32287,fd=13),("nginx",pid=32205,fd=13))
tcp  LISTEN 0      511                               [::]:80           [::]:*    users:(("nginx",pid=32288,fd=14),("nginx",pid=32287,fd=14),("nginx",pid=32205,fd=14))
[root@ip-10-0-0-110 nginx]#

Comment it out and reload again, only 443 is listening.

Version installed:

[root@ip-10-0-0-110 nginx]# yum list nginx
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Installed Packages
nginx.x86_64                               1:1.20.0-2.amzn2.0.4
shearn89
  • 3,403
  • 2
  • 15
  • 39
  • Ah, forgot to mention my version: "nginx version: nginx/1.18.0" on Debian 11. Will check if I can reproduce it on fresh install. Maybe it is solved in 1.20 – Jesse Feb 07 '22 at 15:41