Add certificate to my site when accessing without "www"

Help
1

My domain is: www.nace.network

My web server is (include version): nginx version: nginx/1.15.8

The operating system my web server runs on is (include version): Ubuntu 14.04.6 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Recently I was able to renew my certificate for my website, I can access it through www.nace.network but when accessing my site without using the "www" it sends me the "Warning: Potential Security Risk Ahead" alert, in what way could I fix it? this is the content of my nginx file:

server {
listen 8080 default_server;
listen [::]:8080 default_server ipv6only=on;
server_name www.nace.network;
root /home/ubuntu/nace/public; #could maybe change this to dummy location like /nul
location / {
return 301 https://$host$request_uri;
}#location
}#server

server {
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
server_name www.nace.network;
passenger_enabled on;
rails_env production;
root /home/ubuntu/nace/public;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location / {
deny 46.229.168.0;
deny 51.68.152.0;
}#locatoin
location = /50x.html {
root html;
}#location
ssl_certificate /etc/letsencrypt/live/www.nace.network/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.nace.network/privkey.pem; # managed by Certbot

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

}#server

at the time I renew the certificate with this command :

ubuntu@ip-171-32-0-204:~/letsencrypt$ sudo -H ./letsencrypt-auto certonly --standalone -d nace.network -d www.nace.network

and this was the result

./letsencrypt-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
  utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nace.network
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
1 Like
2

Hi @luis77

your dns setup is correct - https://check-your-website.server-daten.de/?q=nace.network

The non-www has the same ip address:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
nace.network A 52.33.85.110 Portland/Oregon/United States (US) - Amazon.com, Inc. Hostname: ec2-52-33-85-110.us-west-2.compute.amazonaws.com yes 2 0
AAAA yes
www.nace.network C nace.network yes 1 0
A 52.33.85.110 Portland/Oregon/United States (US) - Amazon.com, Inc. Hostname: ec2-52-33-85-110.us-west-2.compute.amazonaws.com

But your vHost doesn't have the non-www version.

Change that

to

server_name www.nace.network nace.network;

But your error

says: There is another instance port 80. What's running there? Standalone -> new webserver.

There are redirects http -> https without a Server header.

2 Likes
3

yes, apparently port 80 is being occupied by varnishd

root@ip-171-32-0-204:/home/ubuntu/letsencrypt# sudo netstat -tulpn | grep :80
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 2075/nginx: worker
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1326/varnishd
tcp6 0 0 :::8080 :::* LISTEN 2075/nginx: worker
tcp6 0 0 :::80 :::* LISTEN 1326/varnishd

1 Like
4

Please read your older topic:

There is your correct command. If you use the wrong command with your varnish-Setup, that can't work.

Standalone is wrong with your configuration.

1 Like
5

ok, I modified my server line in the nginx file, and I ran the following command with the change to port 8080: sudo -H ./letsencrypt-auto certonly --standalone -d nace.network -d www.nace.network --http-01-port 8080

but apparently it still throws me error

./letsencrypt-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nace.network
Cleaning up challenges
Problem binding to port 8080: Could not bind to IPv4 or IPv6.

1 Like
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.