After launching SSL Certificate, cannot access website

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: odoocodes.com

I ran this command:

./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.odoocodes.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.odoocodes.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.odoocodes.com/.well-known/acme-challenge/yA5-q_RIRXCkEA6UcshDeY94HFFLI9_b-sOpdOCMQOs: Too many redirects

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.odoocodes.com
    Type: connection
    Detail: Fetching
    http://www.odoocodes.com/.well-known/acme-challenge/yA5-q_RIRXCkEA6UcshDeY94HFFLI9_b-sOpdOCMQOs:
    Too many redirects

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 18.04.2 x64

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.23.0

#2

Hi @Odoocodes

you have direct loops ( https://check-your-website.server-daten.de/?q=odoocodes.com ):

Domainname Http-Status redirect Sec. G
http://odoocodes.com/
142.93.249.116 301 http://odoocodes.com/ 0.213 L
http://www.odoocodes.com/
142.93.249.116 301 http://www.odoocodes.com/ 0.210 L
https://odoocodes.com/
142.93.249.116 200 2.340 B
https://www.odoocodes.com/
142.93.249.116 200 2.093 N
Certificate error: RemoteCertificateNameMismatch
http://odoocodes.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
142.93.249.116 301 http://odoocodes.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.214 L
Visible Content: 301 Moved Permanently nginx/1.14.0 (Ubuntu)
http://www.odoocodes.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
142.93.249.116 301 http://www.odoocodes.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.210 L
Visible Content: 301 Moved Permanently nginx/1.14.0 (Ubuntu)

http -> http, every version redirects to the same page.

So share the content of your port 80 - vHost to find that loop or remove it.

PS: But you see: Your https doesn’t have redirects. It’s only a problem of your port 80 vHost.

#3

Thank you for response.

But I’m trying this for the first time and am a newbie at this. I’m not sure where to look for the loop for port 80.

Please help me with that.

#4

There should be a file under

/etc/nginx/nginx.conf

Check that file. Perhaps there are additional files in

/etc/nginx/sites-available/

one with your domain name.

There may be something like

server {
    listen 80;
    listen 443 ssl;
    server_name www.old-name.com;
    return 301 $scheme://www.new-name.com$request_uri;
}

The last line is a redirect.

Find a listen 80 - block -> http and check that.

#5

I’ve two files under sites-available:

  1. default

server {
    listen 80;
    server_name odoocodes.com www.odoocodes.com;
    return 301 http://$host$request_uri;
}

server {
    #listen 80 default_server;
    #listen [::]:80 default_server;

    listen 443 ssl;
    server_name odoocodes.com www.odoocodes.com;

has this info, and the other file is named odoocodes, having this info:

server {
    listen 80;
    server_name odoocodes.com;

    location / {
        proxy_pass http://localhost:8076;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

}

Do I need to remove the odoocodes file? If yes, then how can I forward port 8076 to SSL?

Regards,

#6

This is your direct redirect. http is redirected to http. Remove that row - add #

Or better:

Change the http to https, then it looks good.

Then recheck the domain with https://check-your-website.server-daten.de/
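
The port 80 block that ends this loop, as an added example and not a file from the thread. It keeps the http to https change suggested above but also answers ACME challenges directly from the webroot certbot was told to use (/usr/share/nginx/html, per the log in #1), so a renewal succeeds even while the https side still has the wrong certificate. The domain names and the webroot path come from the thread; the `^~` match, `default_type` and the placement of the redirect are my choices.

```nginx
# Added example, not the thread's own file. Replaces the port 80 block in
# /etc/nginx/sites-enabled/default that looped (it returned 301 to
# http://$host..., i.e. to itself).
server {
    listen 80;
    listen [::]:80;
    server_name odoocodes.com www.odoocodes.com;

    # Certbot's webroot plugin writes the token under
    # <webroot>/.well-known/acme-challenge/. Serve it here, before any
    # redirect, so validation never depends on the https vhost.
    # Webroot path taken from the certbot log in post #1.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to https. The scheme changes, so this cannot
    # loop back into this block the way the original http:// target did.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

The redirect sits inside `location /` rather than at server level on purpose: a server-level `return` is processed before location matching, so it would also swallow the challenge requests. After editing, run `nginx -t`, reload nginx, and rerun the certonly command from #1.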

#7

@JuergenAuer,

Thanks, that helped, by updating http to https.

Now I got the following screen

Now at least nginx loaded; now what should be the next step to launch my website instead of nginx?

Regards,

#8

Your root directive may be missing. Looks like you have changed a lot of things.

Now you have no loop, but an incomplete certificate.

Your certificate has only one domain name:

CN=odoocodes.com
	01.03.2019
	30.05.2019
expires in 89 days	odoocodes.com - 1 entry

So your www-version is defined (has a dns-entry), but not secure ( https://check-your-website.server-daten.de/?q=odoocodes.com ):

Domainname Http-Status redirect Sec. G
http://odoocodes.com/
142.93.249.116 301 https://odoocodes.com/ 0.210 A
http://www.odoocodes.com/
142.93.249.116 301 https://www.odoocodes.com/ 0.213 A
https://odoocodes.com/
142.93.249.116 200 2.096 B
https://www.odoocodes.com/
142.93.249.116 200 2.094 N
Certificate error: RemoteCertificateNameMismatch

So you should create one certificate with both domain names and use that instead.

#9

Thanks @JuergenAuer,

You are so supportive,

I’ve followed this video https://www.youtube.com/watch?v=m9aa7xqX67c
to set up free SSL.

I followed that video step by step. May I know how to create the same certificate for both domain names?

Regards,

#10

Your certbot / letsencrypt is very old.

version 0.23. Perhaps install certbot-auto - https://certbot.eff.org/

Then you can add new domains with the -d option.

./certbot-auto certonly -a webroot --config /usr/local/etc/le-renew-webroot.ini -d odoocodes.com -d www.odoocodes.com

#11

I’ve updated the certificates, and this is the output after updating it.

Which names would you like to activate HTTPS for?


1: odoocodes.com
2: www.odoocodes.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/odoocodes.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
nginx: [warn] conflicting server name “odoocodes.com” on 0.0.0.0:80, ignored

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/default
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/default
nginx: [warn] conflicting server name “odoocodes.com” on 0.0.0.0:80, ignored


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://odoocodes.com and
https://www.odoocodes.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=odoocodes.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.odoocodes.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/odoocodes.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/odoocodes.com/privkey.pem
    Your cert will expire on 2019-05-31. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the “certonly” option. To non-interactively renew all
    of your certificates, run “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

#12

@JuergenAuer,

Your steps helped me.

Now I’ve received the following response

root@odoo-codes:/opt/letsencrypt# ./certbot-auto certonly -a webroot --config /usr/local/etc/le-renew-webroot.ini -d odoocodes.com -d www.odoocodes.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/odoocodes.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/odoocodes.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/odoocodes.com/privkey.pem
    Your cert will expire on 2019-05-31. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@odoo-codes:/opt/letsencrypt#

#13

I’ve updated the certificate and received the congratulations message, which is posted, but it is still redirected to nginx instead of the website.

#14

Yep, now your certificate has both domain names:

CN=odoocodes.com
	02.03.2019
	31.05.2019
expires in 90 days	odoocodes.com, www.odoocodes.com - 2 entries

And both connections use that certificate, Grade C is ok.

Looks like you have different server definitions. So Certbot doesn’t know which is the correct version - and has created a second vHost.

Check your vHost definitions and remove duplicate entries. Every combination of port and server name should be unique.

#15

Thanks @JuergenAuer,

let me check and remove the duplicate server definition.

By server definition you mean something like

server {…}, correct?

#16

I had two files under /etc/nginx/sites-enabled: 1. default and 2. odoocodes

In the 1st file there are two server definitions: one handles port 80 and redirects to the site port, which is 8076, and another server {} definition which listens on port 443, the SSL port.

And the 2nd file was port forwarding and was listening on port 80, which I’ve removed. So now I’ve only one file, which is default.

Here is the detail of the default file which is under /etc/nginx/sites-enabled; let me share it here.

server {
    if ($host = www.odoocodes.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = odoocodes.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name odoocodes.com www.odoocodes.com;
    return 301 https://$host$request_uri;


    location / {
        proxy_pass https://localhost:8076;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

}

server {
    #listen 80 default_server;
    #listen [::]:80 default_server;

    listen 443 ssl;
    server_name odoocodes.com www.odoocodes.com;
    ssl_certificate /etc/letsencrypt/live/odoocodes.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/odoocodes.com/privkey.pem; # managed by Certbot

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location ~ /.well-known {
        allow all;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#    listen 80;
#    listen [::]:80;
#
#    server_name example.com;
#
#    root /var/www/example.com;
#    index index.html;
#
#    location / {
#        try_files $uri $uri/ =404;
#    }
#}

#17

Didn’t check that. But two server_name declarations in one block don’t look good.

#18

Ok, so should I remove that line?

#19

I’ve removed that extra line server_name _; and restarted nginx, but nothing changed.

#20

PS: Is there

your website? Is there a page? If not, create an index.html there and test if this page is loaded.
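
A consolidated default file for the situation the thread ends in, as an added example and not a configuration posted by anyone above. In the file shown in #16 the `location /` in the port 80 block sits after a server-level `return 301`, so it is never reached, and the 443 block serves `/var/www/html` with `try_files`, which is the stock nginx welcome page; that is why nginx appears instead of the site. This example keeps a plain server-level redirect on port 80 (Let's Encrypt's http-01 validator follows redirects to https on port 443 and does not check the certificate on that hop, so the challenge is answered from the https block) and proxies everything else to Odoo from the 443 block. Assumptions not stated on the page: Odoo speaks plain HTTP on localhost:8076 as in the odoocodes file from #5, no other vhost file remains in sites-enabled, and TLS 1.0/1.1 are dropped by my choice. Certificate paths and the webroot come from the certbot output in #1 and #12.

```nginx
# Added example: one consolidated /etc/nginx/sites-enabled/default.
# Assumption: Odoo listens on plain HTTP on localhost:8076 (as in the
# original odoocodes file) and no other file in sites-enabled declares
# these names on these ports (each port + server_name pair must be unique).

server {
    listen 80;
    listen [::]:80;
    server_name odoocodes.com www.odoocodes.com;

    # Redirect every request to https. The http-01 validator follows
    # redirects (up to 10) to https on port 443 and does not validate
    # the certificate on that hop, so the challenge is served below.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name odoocodes.com www.odoocodes.com;   # exactly one server_name line

    # Certificate from #12 covers both names (paths from certbot output).
    ssl_certificate     /etc/letsencrypt/live/odoocodes.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/odoocodes.com/privkey.pem;

    # TLS 1.0/1.1 are deprecated; the thread's file still enabled them.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    # Webroot that certbot was told to use (log in post #1). Answered here
    # because port 80 redirects everything.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else is the application. No root/index/try_files here:
    # those are what served the stock nginx page in the thread's config.
    location / {
        proxy_pass http://localhost:8076;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Before reloading, confirm the "conflicting server name" warning from #11 is gone: `nginx -t` must print no warnings, and `grep -rn server_name /etc/nginx/sites-enabled/` should list each name once per port. Then reload nginx and run `./certbot-auto renew --dry-run` to prove the challenge path still works through the redirect.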