TroggoMan

Untitled

Nov 24th, 2022
So here's what I did:

Starting with the standard config (A), I ran the following:

I followed this guide: https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/

sudo apt-get install certbot
sudo apt-get install python3-certbot-nginx

Let that install, and then

sudo certbot --nginx -d trog.co.za

That changed my proxy.conf file to look like config (B). Which doesn't work. If I type ombi.trog.co.za I get a 404, and if I add https I get "ERR_SSL_PROTOCOL_ERROR".


So I asked around and did some reading and tried the following:

I removed the certbot I got from apt-get and instead followed the actual instructions for Certbot from https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal.

So I ran:

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-gandi (This didn't work)

So then
pip install certbot-plugin-gandi (From https://github.com/obynio/certbot-plugin-gandi)
I followed the rest of the instructions from that GitHub page: create gandi.ini, add the API key from Gandi, sudo chmod 600 gandi.ini.

I then ran
certbot certonly --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi/gandi.ini -d trog.co.za

Only to realise I should probably have done the wildcard version cuz I'm stupid and didn't read it the first time. So I ran this

certbot certonly --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi/gandi.ini -d domain.com -d \*.domain.com --server https://acme-v02.api.letsencrypt.org/directory

This was apparently successful, but it still doesn't work. It creates keys in the same place as the apt-get version does, so I kept config (B) and restarted nginx and fuckall.

Then I asked for help from someone else, and got config (C). This config redirects HTTP to https, which is great. But it still ends up with "ERR_SSL_PROTOCOL_ERROR" for me, but "SSL_ERROR_RX_RECORD_TOO_LONG" for him for some reason.


Thanks for coming to my TED Talk.
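An added diagnostic, not part of the paste: both "SSL_ERROR_RX_RECORD_TOO_LONG" and Chrome's "ERR_SSL_PROTOCOL_ERROR" are what a browser reports when the socket it reached on port 443 answers with something other than a TLS record, so this script sends a bare ClientHello to the public name and classifies the first bytes that come back (TLS handshake, TLS alert, plaintext HTTP, or nothing). It assumes ombi.trog.co.za:443 is the name and port being tested, and the sample replies used to check the classifier are constructed, not captured.

```python
import os
import socket
import struct

# Assumed target from the paste: the public name and the port the router
# should forward to nginx's "listen 443 ssl" block.
HOST = "ombi.trog.co.za"
PORT = 443

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying only an SNI extension. A server may
    answer it with a TLS alert (few ciphers, no signature_algorithms offered),
    but an alert is still proof that the port speaks TLS, which is the point."""
    sni = server_name.encode("idna")
    name_entry = b"\x00" + struct.pack("!H", len(sni)) + sni        # NameType host_name
    sni_list = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    ciphers = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f"                  # ECDHE-RSA/RSA AES-GCM, AES-CBC
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                           # one compression method: null
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sent back after our ClientHello."""
    if not data:
        return "closed"            # nothing answered: port not forwarded, not listening, or dropped
    if len(data) >= 3 and data[1] == 0x03 and data[0] in (0x16, 0x15):
        return "tls-handshake" if data[0] == 0x16 else "tls-alert"
    if data[:5].upper() == b"HTTP/":
        return "plaintext-http"    # a plain-HTTP listener (nginx on 80, or the app) answered in clear
    return "unknown"

def probe(host: str = HOST, port: int = PORT, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, and classify whatever comes back first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        try:
            reply = s.recv(64)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)

if __name__ == "__main__":
    print(f"{HOST}:{PORT} -> {probe()}")
```

A "plaintext-http" result means the bytes on 443 never reached an ssl listener (typically a forwarding rule pointing at port 80 or straight at the app), while "tls-alert" or "tls-handshake" means the nginx side is at least speaking TLS and the problem lies elsewhere.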
************************************************************************************
Config A:

server {
    # The IP that you forwarded in your router (nginx proxy)
    listen 80;

    # Make site accessible from http://localhost/
    server_name trog.co.za;

    # The internal IP of the VM that hosts your Apache config
    set $upstream 192.168.0.203:5000;

    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}

************************************************************************************
Config B:

server {
    # The IP that you forwarded in your router (nginx proxy)

    # Make site accessible from http://localhost/
    server_name trog.co.za;

    # The internal IP of the VM that hosts your Apache config
    set $upstream 192.168.0.203:5000;

    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/trog.co.za/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/trog.co.za/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = trog.co.za) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name trog.co.za;
    return 404; # managed by Certbot
}

************************************************************************************
Config C:

server {
    listen 80;
    server_name ombi.trog.co.za;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name ombi.trog.co.za;
    ssl_certificate /etc/letsencrypt/live/trog.co.za/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/trog.co.za/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # The IP that you forwarded in your router (nginx proxy)

    # Make site accessible from http://localhost/
    # server_name trog.co.za;

    # The internal IP of the VM that hosts your Apache config
    set $upstream 192.168.0.203:5000;

    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}
************************************************************************************