certbot-nginx could not parse file nginx.conf: Expected string_end, found 'http'

[TimB87]

Hi everybody 👋

This is the same issue as reported in #9416 which is still an issue with certbot 2.10.0 today, it seems.

My operating system is (include version):

CRUX version 3.7, with python version 3.10.14

I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):

The OS package manager.

I ran this command and it produced this output:

# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not parse file: /etc/nginx/nginx.conf due to Expected string_end, found 'http'  (at char 192), (line:16, col:1)
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel):

Certbot's behavior differed from what I expected because:

I expect to see a list of websites hosted.

Here is a Certbot log showing the issue (if available):

Logs are stored in /var/log/letsencrypt by default. Feel free to redact domains, e-mail and IP addresses as you see fit.

2024-05-20 09:27:49,370:DEBUG:certbot._internal.main:certbot version: 2.10.0
2024-05-20 09:27:49,371:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-05-20 09:27:49,371:DEBUG:certbot._internal.main:Arguments: []
2024-05-20 09:27:49,371:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-05-20 09:27:49,388:DEBUG:certbot._internal.log:Root logging level set at 30
2024-05-20 09:27:49,389:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-05-20 09:27:49,428:WARNING:certbot_nginx._internal.parser:Could not parse file: /etc/nginx/nginx.conf due to Expected string_end, found 'http'  (at char 192), (line:16, col:1)
2024-05-20 09:27:49,435:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
[....]

Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

There is a custom log_format defined:

  log_format logger-json escape=json '{'
    '"msec": "$msec", '
    '"connection": "$connection", '
    '"connection_requests": "$connection_requests", '
    '"pid": "$pid", '
    '"request_id": "$request_id", '
    '"request_length": "$request_length", '
    '"remote_addr": "$remote_addr", '
    '"remote_user": "$remote_user", '
    '"remote_port": "$remote_port", '
    '"time_local": "$time_local", '
    '"time_iso8601": "$time_iso8601", '
    '"request": "$request", '
    '"request_uri": "$request_uri", '
    '"args": "$args", '
    '"status": "$status", '
    '"body_bytes_sent": "$body_bytes_sent", '
    '"bytes_sent": "$bytes_sent", '
    '"http_referer": "$http_referer", '
    '"http_user_agent": "$http_user_agent", '
    '"http_x_forwarded_for": "$http_x_forwarded_for", '
    '"http_host": "$http_host", '
    '"server_name": "$server_name", '
    '"request_time": "$request_time", '
    '"upstream": "$upstream_addr", '
    '"upstream_connect_time": "$upstream_connect_time", '
    '"upstream_header_time": "$upstream_header_time", '
    '"upstream_response_time": "$upstream_response_time", '
    '"upstream_response_length": "$upstream_response_length", '
    '"upstream_cache_status": "$upstream_cache_status", '
    '"ssl_protocol": "$ssl_protocol", '
    '"ssl_cipher": "$ssl_cipher", '
    '"scheme": "$scheme", '
    '"request_method": "$request_method", '
    '"server_protocol": "$server_protocol", '
    '"pipe": "$pipe", '
    '"gzip_ratio": "$gzip_ratio", '
    '"http_cf_ray": "$http_cf_ray",'
    #'"geoip_country_code": "$geoip_country_code"'
    '}';

removing it allows certbot-nginx to work as expected.

[josevavia]

Same issue here with this error:

Could not parse file: /etc/nginx/nginx.conf due to Expected string_end, found 'http' (at char 422), (line:17, col:1)

My nginx.conf:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';


    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2;
#        listen       [::]:443 ssl http2;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers PROFILE=SYSTEM;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        error_page 404 /404.html;
#        location = /404.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#        }
#    }

}

The problem in my case is with these block:

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

If I remove it, everything works OK

[TimB87]

It seems to me that saving the offending part to a different file and using include thatfile.conf fixes the problem for me, although certbot will still complain about it.