Allow API on HTTP, force everything else to HTTPS (nginx)

Hi all, first off what a bloody brilliant tool this is. I tip my hat to the devs.

Now I am moving off IIS to nginx, and have got my test site up and running forcing all traffic to HTTPS. However my API will not load now over HTTPS as it's only HTTP. How can I allow HTTP to this one endpoint of localhost:3000? My conf for nginx is here: https://dpaste.org/Zx2E

My domain is: dev.fishpal.com

I ran these commands: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

It produced this output: Installed the tool and applied HTTPS

My web server is (include version): nginx 1.4.0

The operating system my web server runs on is (include version):
NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Hi @JoeEarly

What's your question?

Checking your main domain there is already a redirect http -> https - https://check-your-website.server-daten.de/?q=dev.fishpal.com

Domainname               | IP           | Http-Status | redirect / notes                                                                                                                  | Sec.  | G
http://dev.fishpal.com/  | 65.52.130.37 | 301         | https://dev.fishpal.com/ (Html is minified: 107,78 %)                                                                             | 0.047 | A
https://dev.fishpal.com/ | 65.52.130.37 | 200         | GZip used - 7010 / 29338 - 76,11 %; Inline-JavaScript (∑/total): 3/1790; Inline-CSS (∑/total): 0/0; Html is minified: 168,43 %   | 3.593 | I

Checking your config file the subfolder /api/ has a proxy. Checking that address - https://check-your-website.server-daten.de/?q=dev.fishpal.com%2Fapi%2F it's the same - a redirect http -> https.

Domainname                   | IP           | Http-Status   | redirect / notes                                                                                                              | Sec.  | G
http://dev.fishpal.com/api/  | 65.52.130.37 | 301           | https://dev.fishpal.com/api/ (Html is minified: 107,78 %)                                                                     | 0.050 | A
https://dev.fishpal.com/api/ | 65.52.130.37 | 403 Forbidden | GZip used - 141 / 178 - 20,79 %; Inline-JavaScript (∑/total): 0/0; Inline-CSS (∑/total): 0/0; Html is minified: 108,54 %      | 3.250 | M

So every user of /api/ should use https, because http doesn't send any content, only a redirect.

Sorry if I wasn’t more clear. I wish to allow traffic to http://dev.fishpal.com/api/ without SSL

Currently if you attempt to load https://dev.fishpal.com/api/status it returns a 404. I need to allow traffic here on just HTTP. (As per fishpal.com as a live example)

That's the wrong way. You should update your configuration so your API works with https instead of downgrading that.

That I can do easily. Can I use the same cert generated by certdog for the API that sits on the same domain, or should I create a new one using the CLI for .com/api?

You already use the same certificate - see the output of https://check-your-website.server-daten.de/?q=dev.fishpal.com%2Fapi%2F

There is no certificate error, it's only the wrong content (403 page). So your internal proxy may not work or sends the wrong content.

Ok so I got my API SSL done but getting an issue with trying to access the folders that contain the certs.

[2020-02-22T18:33:13.885Z] { Error: EACCES: permission denied, open '/etc/letsencrypt/live/dev.fishpal.com/privkey.pem'

What permission do I need for my node app running in /var/www/dev.fishpal.com/api so it can see the files in '/etc/lets..../'?

drwxr-xr-x 40 joefishpal joefishpal 4096 Feb 22 17:09 dev.fishpal.com
drwxr-xr-x 2 joefishpal joefishpal 4096 Feb 19 22:19 fishpal.com
drwxr-xr-x 2 joefishpal joefishpal 4096 Feb 19 00:36 html

-rw-r--r-- 1 root root 692 Feb 21 23:00 README
lrwxrwxrwx 1 root root 39 Feb 21 23:00 cert.pem -> ../../archive/dev.fishpal.com/cert1.pem
lrwxrwxrwx 1 root root 40 Feb 21 23:00 chain.pem -> ../../archive/dev.fishpal.com/chain1.pem
lrwxrwxrwx 1 root root 44 Feb 21 23:00 fullchain.pem -> ../../archive/dev.fishpal.com/fullchain1.pem
lrwxrwxrwx 1 root root 42 Feb 21 23:00 privkey.pem -> ../../archive/dev.fishpal.com/privkey1.pem

By default these are only readable by root.

What user and group is the node app running under? Is it joefishpal and joefishpal?

I believe it to be ‘root’

Any thoughts anyone?

On the left side of your screenshot, you can see that the node service is running as the user fishpal+ - the + indicates that the name has been truncated for the output. It seems fairly likely that the node service is running as the fishpaladmin user (the one you’re logged-in as).

Yeah, I understand that, but why can't it access the folder for the certs?

Should I add fishpaladmin into a group that has access to the folder /etc/letsencrypt/live/dev.fishpal.com?

As @schoen said, by default the certificate tree is only readable by “root”. Definitely do NOT add fishpaladmin to root. However, it might be appropriate in your case for certbot to use a --deploy-hook action to provide a copy of the certificate chain with appropriate fishpaladmin-accessible permissions to a node directory.

Some hooks are described here: https://certbot.eff.org/docs/using.html?highlight=hook#renewing-certificates

So in short, when renewing/creating, create a script to run that takes a copy of the files to the appropriate node dir with fishpaladmin rights?

Fairly new to linux in general if that wasn't clear by now :)

Yep! There’s even an example deploy-hook if you scroll down in that link I posted, so you might be able to adjust it to your system without much problem.

Keep it up, you’re doing great!

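The deploy-hook approach suggested above, written out as an added example (this is not the poster's script from the dpaste link, nor certbot's own example). It relies on two things certbot really does export to deploy hooks, RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS; the destination directory and the fishpaladmin user and group are taken from the thread, and the service restart line is a placeholder you would replace with whatever supervises the node process. The private key is copied with mode 0640 so only the owner and group can read it, rather than opening up /etc/letsencrypt or adding the app user to root.

```shell
#!/bin/sh
# Added illustration of a certbot --deploy-hook; not the original poster's script.
# certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it runs a deploy hook.
# The destination dir and the fishpaladmin user/group are assumed from the thread;
# the restart command at the bottom is a placeholder.
set -eu

# deploy_certs <lineage dir> <destination dir> <owner> <group>
# Copies fullchain.pem and privkey.pem out of the root-only certbot tree into a
# directory the application user can read. The key gets 0640 (owner rw, group r,
# nothing for others); the chain is public material and gets 0644.
deploy_certs() {
    lineage="$1"; dest="$2"; owner="$3"; group="$4"

    [ -r "$lineage/fullchain.pem" ] || { echo "missing $lineage/fullchain.pem" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ]   || { echo "missing $lineage/privkey.pem" >&2; return 1; }

    # The directory itself is traversable by owner and group only.
    mkdir -p "$dest"
    chmod 0750 "$dest"

    # Write to temporary names first and rename at the end, so the app never
    # opens a half-written key if it happens to reload mid-copy.
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0640 "$dest/privkey.pem.tmp"

    # chown needs root. certbot runs hooks as root, but the function can also be
    # exercised by an ordinary user (the files then stay owned by that user).
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$dest" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    fi

    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# When certbot invokes this file as a hook, RENEWED_LINEAGE is set: copy the
# files and restart the app so it picks up the new key. When the file is merely
# sourced (e.g. to test deploy_certs), the variable is unset and nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" /var/www/dev.fishpal.com/api/config/ssl fishpaladmin fishpaladmin
    echo "deployed certificate for ${RENEWED_DOMAINS:-unknown domains}"
    # Placeholder: restart whatever supervises the node process, for example
    # systemctl restart fishpal-api.service
fi
```

A quick way to check a hook like this without waiting for a real renewal is to run it by hand with the variable certbot would set, e.g. `sudo RENEWED_LINEAGE=/etc/letsencrypt/live/dev.fishpal.com sh /path/to/hook.sh`; `bash -n` only checks syntax, it never executes the copy. Remember that the files in the destination are a snapshot: they are only refreshed when the hook runs, so a hook that silently fails (wrong path, exits early) leaves the app serving an expired certificate.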

So I got my bash script running with my renewal process. Will drop it into the appropriate folder for auto run later. My issue is the files are not actually appearing in the expected folder.

No errors are produced from what I can see so far.

deploy-hook script: https://dpaste.org/k3rf
certbot command: sudo certbot renew --force-renewal --deploy-hook /var/www/dev.fishpal.com/api/config/ssl/certbot-script.sh

fishpaladmin@fishpalngnix:~$ bash -n /var/www/dev.fishpal.com/api/config/ssl/certbot-script.sh
fishpaladmin@fishpalngnix:~$ sudo certbot renew --force-renewal --deploy-hook /var/www/dev.fishpal.com/api/config/ssl/certbot-script.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/dev.fishpal.com.conf

Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Running deploy-hook command: /var/www/dev.fishpal.com/api/config/ssl/certbot-script.sh

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/dev.fishpal.com/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/dev.fishpal.com/fullchain.pem (success)


I got them moved but am still unable to load my API over SSL. Keep getting 404s.
nginx error log for an api request: https://dpaste.org/4EiW
nginx conf: https://dpaste.org/E2nP

Anyone any ideas what I am doing wrong?

Hi @JuergenAuer, still having trouble getting this to work. Are you sure I can use the same certs on my API? When I do the below on the server itself, you see the error, as well as a 404 when browsing directly.

curl -i -H "Accept: application/json" -H "Content-Type: application/json" https://127.0.0.1:3000/api/status
curl: (51) SSL: no alternative certificate subject name matches target host name '127.0.0.1'
