Service provider wanted for help

Unless you’ve configured something in default, you can remove that without any issues.

this is in the “default” file, not in zammad.conf
do you mean these, and what should I remove?

(…)

# Default server configuration

server {
listen 80 default_server;
listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }

(…)

ok, when I remove port 80, I get the error page not found.

If I add port 80 again, I get this message with status nginx.
maybe it helps ?!

(…)

Dez 06 19:16:44 zammad systemd[1]: Starting A high performance web server and a reverse proxy server…

Dez 06 19:16:44 zammad nginx[1376]: nginx: [warn] conflicting server name “support.tooth-media.de” on 0.0.0.0:80, ignored

Dez 06 19:16:44 zammad nginx[1376]: nginx: [warn] conflicting server name “support.tooth-media.de” on [::]:80, ignored

Dez 06 19:16:44 zammad nginx[1377]: nginx: [warn] conflicting server name “support.tooth-media.de” on 0.0.0.0:80, ignored

Dez 06 19:16:44 zammad nginx[1377]: nginx: [warn] conflicting server name “support.tooth-media.de” on [::]:80, ignored

Dez 06 19:16:44 zammad systemd[1]: Started A high performance web server and a reverse proxy server.

is there the possibility to simply send the two files (default and zammad.conf) to you?
it’s just a little something …

Okay, thanks for testing that.
The port forward is working correctly then, it's just that Nginx is serving up the wrong website when you access http://yourdomain.de/
It should show you the Zammad login page, but instead it shows the default Nginx website.
We’re almost there :slight_smile:

There is something wrong in your zammad.conf file then, causing Nginx to serve up the wrong website.
You can attach both files here if you want, I don’t think there is any ‘secret’ information in either file.

Ok, here my zammad.conf


# this is the nginx config for zammad
#

upstream zammad-railsserver {
    server 127.0.0.1:3000;
}

upstream zammad-websocket {
    server 127.0.0.1:6042;
}

server {
    listen 80;
    listen [::]:80;


    # replace 'localhost' with your fqdn if you want to use zammad from remote
    server_name support.tooth-media.de;

    # security - prevent information disclosure about server version
    server_tokens off;

    root /opt/zammad/public;

    access_log /var/log/nginx/zammad.access.log;
    error_log  /var/log/nginx/zammad.error.log;

    client_max_body_size 50M;

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
        expires max;
    }

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
        proxy_pass http://zammad-websocket;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Change this line in an SSO setup
        proxy_set_header X-Forwarded-User "";

        proxy_read_timeout 300;
        proxy_pass http://zammad-railsserver;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }
}

and this is my “default” File, that was created by certbot:

#
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

server {

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;
root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;
    server_name support.tooth-media.de; # managed by Certbot


        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/support.tooth-media.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/support.tooth-media.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = support.tooth-media.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 ;
        listen [::]:80 ;
    server_name support.tooth-media.de;
    return 404; # managed by Certbot


}


The errors are telling you that it’s finding the same server_name on the same port for two different web configurations. Above you see the default.conf file is telling nginx to use the default site for ssl. See the part where the root points to /var/www/html. That’s why you’re getting the default nginx welcome page. Any web server, nginx, apache, etc. can only serve up a specific site, on a specific port, one time. So if your default.conf file is taking traffic on port 443 and sending it to the location where the default nginx page is for the “server_name” support.tooth-media.de you cannot have another configuration file also handling traffic for that name on that port. I understand that this is something that certbot did, but that’s most likely because certbot saw the server_name directive for that domain in your default.conf file first.

Try resetting the default.conf back to the default, make sure that “server_name” directive is nowhere to be found in the default.conf for that support.tooth-media.de domain name and that it only exists in the zammad.conf file. You might also rename the zammad.conf file to “support.tooth-media.de.conf” since that’s a good practice to get into, particularly if you’re hosting many sites on the same box/vm.

Edit: You will want to migrate your certificates to the zammad conf, so it would look something like this if we take @MrGeneration's link to the original ssl version of the file, along with @rowdy's excellent feedback:

# this is the nginx config for zammad
#

upstream zammad-railsserver {
    server 127.0.0.1:3000;
}

upstream zammad-websocket {
    server 127.0.0.1:6042;
}

server {
    listen 80;
    listen [::]:80;


    # replace 'localhost' with your fqdn if you want to use zammad from remote
    server_name support.tooth-media.de;

    # security - prevent information disclosure about server version
    server_tokens off;

    # root /opt/zammad/public;

    access_log /var/log/nginx/zammad.access.log;
    error_log  /var/log/nginx/zammad.error.log;

    client_max_body_size 50M;
    
    location /.well-known/ {
        root /var/www/html;
    }

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
        expires max;
    }

    if ($host = support.tooth-media.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot

}

server {


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot

    server_name support.tooth-media.de; # managed by Certbot

    ssl_certificate /etc/letsencrypt/live/support.tooth-media.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/support.tooth-media.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    # From original Zammad ssl conf
    # security - prevent information disclosure about server version
    server_tokens off;

    ssl_protocols TLSv1.2;

    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location = /favicon.ico {
        access_log off; log_not_found off;
    }

    root /opt/zammad/public;

    access_log /var/log/nginx/zammad.access.log;
    error_log  /var/log/nginx/zammad.error.log;

    client_max_body_size 50M;

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
        expires max;
    }

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
        proxy_pass http://zammad-websocket;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Change this line in an SSO setup
        proxy_set_header X-Forwarded-User "";

        proxy_read_timeout 300;
        proxy_pass http://zammad-railsserver;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }
}

After you back up the current files before making these changes, you will want to restart nginx and then do a certbot dry run to see what will happen when the certs are renewed:

sudo certbot renew --dry-run

(unless you’re already running as root then remove sudo)
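
The conflict described in the answer above can be checked before reloading nginx. The following is an added example, not code from the thread or from the Zammad or nginx projects: a simplified scan that reports every hostname claimed by more than one `server` block on the same listen address. The function names and the inline sample (shaped like the two files posted here) are constructed for illustration, and `include` directives and wildcard or regex names are not handled.

```python
import re
from collections import defaultdict

# Constructed sample: "default" and zammad.conf both claim the hostname on port 80.
SAMPLE = {
    "sites-enabled/default": """
server { listen 80 default_server; listen [::]:80 default_server; server_name _; }
server { listen 443 ssl; server_name support.tooth-media.de; }  # managed by Certbot
server {
    listen 80 ; listen [::]:80 ;
    server_name support.tooth-media.de;
}
""",
    "sites-enabled/zammad.conf": """
upstream zammad-railsserver { server 127.0.0.1:3000; }
server {
    listen 80; listen [::]:80;
    server_name support.tooth-media.de;
    location / { proxy_pass http://zammad-railsserver; }
}
""",
}

def server_blocks(text):
    """Yield the body of each `server { ... }` block, comments removed."""
    text = re.sub(r"#[^\n]*", "", text)
    for m in re.finditer(r"(?<![\w-])server\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += (text[i] == "{") - (text[i] == "}")
            i += 1
        yield text[m.end():i - 1]

def directives(body, name):
    """Argument lists of every `name ...;` directive in a block body."""
    stmts = (s.split() for s in re.split(r"[;{}]", body))
    return [s[1:] for s in stmts if s and s[0] == name]

def find_conflicts(files):
    """Return {(listen address, server_name): [files]} claimed more than once."""
    seen = defaultdict(list)
    for path, text in files.items():
        for body in server_blocks(text):
            names = [n for args in directives(body, "server_name") for n in args]
            # nginx listens on *:80 when a server block has no listen directive
            for args in directives(body, "listen") or [["80"]]:
                addr = "0.0.0.0:" + args[0] if args[0].isdigit() else args[0]
                for name in names:
                    seen[(addr, name)].append(path)
    return {key: paths for key, paths in seen.items() if len(paths) > 1}

if __name__ == "__main__":
    for (addr, name), paths in find_conflicts(SAMPLE).items():
        print(f'conflicting server name "{name}" on {addr}: {", ".join(paths)}')
```

On the sample it reports the same two address and name pairs as the `[warn]` lines in the nginx status output earlier in the thread, and nothing for port 443, where only one block claims the name.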

Hello,
thanks for the answer. Unfortunately I don’t know what the original default.conf looked like before. :see_no_evil:

@MarioZa

Make a copy of the current file, something like default.conf.bak, if you’re doing it from the command line:

cp default.conf default.conf.bak 

and then overwrite with the following contents:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}

Can you also show what’s in the sites-enabled folder? Run:

ls /etc/nginx/sites-enabled

And also run

ls /etc/nginx/sites-available

and paste results from both commands here so we can see what nginx is attempting to serve up.

Hi stable,

now it gets complicated… :slight_smile:

I have the files “default” and zammad.conf in BOTH directories ?!

I only ever edited the default.conf and the zammad.conf in the /etc/nginx/sites-enabled directory
NEVER in the /etc/nginx/sites-available directory !!
which one is used by Zammad now?
which should I edit?

greetings

Hello @all

I made it today, everything works now.

I explicitly dealt with nginx and reverse proxy again
I then deleted all “default” files, then ran certbot again, and everything worked.

many, many thanks to all of you for your patience!

greetings to everyone, have a peaceful time and stay healthy.

Mario


Good to hear everything is working now!


Great news. Well done. To answer your question above, typically the folder labeled sites-available is where the files with the actual configuration details reside. The sites-enabled folder is where nginx will look to see which of the available sites it should load. Those files are really just links to the files inside the sites-available folder.

Way to stick with it.

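
The sites-available / sites-enabled relationship explained in the reply above can be verified on disk. The following is an added example, not part of the original posts: it classifies each entry in sites-enabled as a symlink into sites-available, a dangling link, or a separate copy that may have drifted from its twin. The function names and the temporary demo layout are constructed for illustration.

```python
import filecmp
import os
import tempfile

def audit_enabled(enabled_dir, available_dir):
    """Classify each sites-enabled entry relative to sites-available."""
    available = os.path.realpath(available_dir)
    report = {}
    for name in sorted(os.listdir(enabled_dir)):
        path = os.path.join(enabled_dir, name)
        twin = os.path.join(available_dir, name)
        if os.path.islink(path):
            target = os.path.realpath(path)
            if not os.path.exists(target):
                report[name] = "dangling symlink"
            elif os.path.dirname(target) == available:
                report[name] = "symlink into sites-available"
            else:
                report[name] = "symlink to " + target
        elif os.path.isfile(twin):
            # Two independent files: edits to one never reach the other.
            same = filecmp.cmp(path, twin, shallow=False)
            report[name] = "separate copy, " + ("identical" if same else "differs")
        else:
            report[name] = "regular file only in sites-enabled"
    return report

def demo():
    """Build a constructed layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        avail = os.path.join(root, "sites-available")
        enabled = os.path.join(root, "sites-enabled")
        os.makedirs(avail)
        os.makedirs(enabled)
        for name, text in (("default", "server_name _;\n"),
                           ("zammad.conf", "server_name localhost;\n")):
            with open(os.path.join(avail, name), "w") as fh:
                fh.write(text)
        # "default" is enabled as a symlink to the file in sites-available.
        os.symlink(os.path.join(avail, "default"), os.path.join(enabled, "default"))
        # "zammad.conf" is a copy that was edited only in sites-enabled.
        with open(os.path.join(enabled, "zammad.conf"), "w") as fh:
            fh.write("server_name support.tooth-media.de;\n")
        return audit_enabled(enabled, avail)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run against the real directories with `audit_enabled("/etc/nginx/sites-enabled", "/etc/nginx/sites-available")`; an entry reported as a separate copy that differs means the file nginx loads is not the one kept in sites-available.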

many thanks again to @all
I’ve learned a lot in the last 4 days, even if it was difficult.
I am so glad that there is this forum and such great people who make the effort to help others.
best wishes

Mario

