Cannot access my site via https after installing certificate using certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ctf.sonoma.edu

I ran this command: certbot --nginx --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple -d ctf.sonoma.edu

It produced this output: successfully installed. Header is not supported.

My web server is (include version):

The operating system my web server runs on is (include version): redhat 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

Problem:
I cannot seem to figure out why my site cannot be displayed via https, when the certificate installation was successful (http was fine before I installed the certificates). For example, Chrome says: “This site can’t be reached”. Firefox says: “Secure Connection Failed”. I cannot seem to find a direct answer for this; any help would be appreciated.
My conf file before nginx-certbot modified it:
server {
    listen 80;
    server_name ctf.sonoma.edu;
    root /path/to/project;
    proxy_http_version 1.1;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/path/to/project/HelloProject/myproject.sock;
    }
}
After certbot modified it:
server {
    server_name ctf.sonoma.edu;
    root /path/to/project/HelloProject;
    proxy_http_version 1.1;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/path/to/project/HelloProject/myproject.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ctf.sonoma.edu/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ctf.sonoma.edu/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/ctf.sonoma.edu/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}
server {
    if ($host = ctf.sonoma.edu) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name ctf.sonoma.edu;
    root /path/to/file/HelloProject;
    proxy_http_version 1.1;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/path/to/project/HelloProject/myproject.sock;
    }
}


Well, nginx is sending a TCP reset after the client sends the SSL ClientHello message, so something is going wrong inside the SSL stack on the server side.

Does anything at all appear in the nginx error log?

tail -n 20 /var/log/nginx/error.log

Edit: I wonder if this is because you’re using an “OCSP Must Staple” configuration, but I don’t see a resolver set in your configuration. nginx/OpenSSL might be aborting the connection because it can’t fetch an OCSP response because it can’t resolve the OCSP URL.

Can you try adding:

resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;
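As an added example (not from this thread, certbot or nginx), a small POSIX shell script that applies the diagnosis above: it flags a config that turns `ssl_stapling on` without a `resolver` directive, and offers an `openssl s_client -status` probe to see whether the handshake completes and a staple is sent. The sample config and hostname are constructed; the suggested fix is the resolver line from the reply.

```shell
# Added example (not from the thread): check an nginx config for the combination
# the reply above suspects, `ssl_stapling on` (set by certbot's --staple-ocsp /
# --must-staple) with no `resolver` directive, and optionally probe the live
# TLS handshake for a stapled OCSP response. The config text and hostname are
# constructed for this example.

# Constructed sample mirroring the certbot-managed server block in the post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name ctf.example.test;
    ssl_stapling on;        # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/ctf.example.test/chain.pem;
}
EOF

# stapling_config_ok FILE: returns 0 when the file is consistent (stapling off,
# or stapling on with a resolver), 1 when stapling is on but no resolver is set,
# in which case nginx has no way to look up the OCSP responder's hostname.
# The check is per file; a resolver set in an included http-level file is not seen.
stapling_config_ok() {
    conf="$1"
    # Drop comments first so a commented-out "resolver" line does not count.
    if ! sed 's/#.*//' "$conf" | grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;'; then
        return 0
    fi
    sed 's/#.*//' "$conf" | grep -Eq '^[[:space:]]*resolver[[:space:]]+'
}

# probe_stapling HOST [PORT]: request an OCSP staple during the handshake
# (-status) and print the lines showing whether one was sent and whether the
# handshake completed at all. Needs network access and the openssl CLI.
probe_stapling() {
    host="$1"; port="${2:-443}"
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>&1 \
        | grep -Ei 'OCSP|Verify return code|error|errno'
}

if stapling_config_ok "$SAMPLE_CONF"; then
    echo "ok: stapling is off or a resolver is configured"
else
    echo "warning: ssl_stapling on without a resolver directive; add e.g." \
         "'resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;' to the server block"
fi
```

Run `probe_stapling ctf.sonoma.edu` from a shell that has sourced the script to see whether the server completes the handshake and includes a staple.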

Hi, there are no errors displayed in the error log. I’m actually pretty new at using Nginx; however, I don’t know if adding the resolver would help. The reason is that this is my second time reinstalling the certificates with all these arguments (ocsp) that I followed from here. The first time installing the certificates my site was not viewable, which is why I decided to try these new arguments.