<div dir="ltr">Somehow we all missed that - of course you can't run `http2` on port 80 and have it work since `http2` requires SSL.<div>With that configuration, you would have been able to get to the chat subdomain only by going to `https:// chat.mydomain .com:80/` - notice that it is https but is forced back to port 80. (I purposely added spaces to prevent that from being a link in many mail clients.)<br></div><div><br></div><div>To answer the question about LetsEncrypt renewal, you need to leave nginx running in order for it to work since it still relies on nginx to serve the `.well-known` files that make the domain verification work. If you would stop nginx, you would be unable to run the validation.</div><div><br></div><div>The one thing that you do need to do is make sure that LetsEncrypt knows to reload nginx when a certificate changes so that nginx can see the new certificate file.</div><div>If you are on a system that uses SystemD, this is what you need to do:</div><div><br></div><div>Create a shell script in `/etc/letsencrypt/renewal-hooks/deploy` with the following contents:</div><div><br></div><div><font face="monospace, monospace">#!/bin/bash</font></div><div><font face="monospace, monospace">/bin/systemctl reload nginx.service</font></div><div><br></div><div>Make sure to set it as executable, and then Certbot will run it automatically for every renewal.</div><div><br></div><div>Alternatively, you can go into each file in `/etc/letsencrypt/renewal/*` and add the following line in the `[renewalparams]` section:</div><div><br></div><div><font face="monospace, monospace">deploy_hook = /bin/systemctl reload nginx</font><br></div><div><br></div><div>Of course, that means you need to modify the renewal file for each domain separately.</div><div><br></div><div>Moshe<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">--<br>Moshe Katz<br>-- <a href="mailto:kohenkatz@gmail.com" target="_blank">kohenkatz@gmail.com</a><br>-- +1(301)867-3732</div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr">On Wed, May 16, 2018 at 1:42 AM Nginx-Chris <<a href="mailto:nginx-forum@forum.nginx.org" target="_blank">nginx-forum@forum.nginx.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Here is what makes everything work ok:<br>
<br>
In the cloud.conf (Seafile) I deleted the "http2" in the server part that<br>
listens on port 80 and redirects.<br>
<br>
It looks like this now:<br>
<br>
server {<br>
<br>
listen 80;<br>
listen [::]:80; <br>
server_name <a href="http://cloud.mydomain.com" rel="noreferrer" target="_blank">cloud.mydomain.com</a>;<br>
<br>
rewrite ^ https://$http_host$request_uri? permanent; # force redirect<br>
http to https<br>
<br>
# Enables or disables emitting nginx version on error pages and in the<br>
"Server" response header field.<br>
server_tokens off;<br>
<br>
}<br>
<br>
Noe everything works fine.<br>
<br>
I am not sure what advantage / disadvantage http2 had, to be honest.<br>
<br>
Maybe the http2 part should only be inside the config part that configures<br>
the 443 access?<br>
<br>
Well, this did the trick at least.<br>
<br>
I am still interested in the config that you posted on gist though.<br>
It looks really tidy and well organised.<br>
<br>
So I would still like to know if I can leave Nginx running for letsencrypt<br>
bot to work ;-))<br>
<br>
Greetings, Chris<br>
<br>
Posted at Nginx Forum: <a href="https://forum.nginx.org/read.php?2,279794,279811#msg-279811" rel="noreferrer" target="_blank">https://forum.nginx.org/read.php?2,279794,279811#msg-279811</a><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div>