Can't access my website through ssl

My domain is: www.stoke-fest.co.uk

I ran this command: sudo certbot --nginx -d stoke-fest.co.uk -d www.stoke-fest.co.uk

It produced this output: Connection reset by peer

My web server is (include version): Nginx 1.10.1

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


I’ve been attempting to set up my website to work with HTTPS today. At first I was running into issues actually generating certificates using the certbot --nginx flag, but I managed to get it to work using --webroot. I have my config set up to use SSL, and when I port scan my domain it shows 443 open.

I’ve tried various commands to verify ufw etc aren’t blocking the connection, and that nginx is listening on 443.

When I attempt to use certbot --nginx it errors out with: Connection reset by peer.

I’m using Hurricane Electric for DNS.

Let me know if I can provide any additional information.

Thanks


stoke-fest.co.uk server config

server {
    listen 80;
    listen [::]:80;

    #SSL

    listen 443 ssl;
    listen [::]:443 ssl;
    index index.html index.php;

    # "ssl on;" removed: it would force TLS on the port-80 listeners above as well; the ssl flag on the 443 listens is enough
    include snippets/ssl-stoke-fest.co.uk.conf;
    include snippets/ssl-params.conf;

    ## Begin - ServerInfo
    root /var/www/stoke-fest.co.uk/html;
    server_name stoke-fest.co.uk www.stoke-fest.co.uk;
    ## End - Server Info

    location ~ /.well-known {
    allow all;
    }

    ## Begin - Index
    location / {
        try_files $uri $uri/ /index.php?_url=$uri&$query_string;
    }
    ## End - Index

    ## Begin - Security
    # deny all direct access for these folders
    location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
    # deny running scripts inside core system folders
    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny running scripts inside user folder
    location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny access to specific files in the root folder
    location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
    ## End - Security

    ## Begin - PHP
    location ~ \.php$ {
        # Choose either a socket or TCP/IP address
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    ## End - PHP
}

ssl-stoke-fest.co.uk.conf

ssl_certificate /etc/letsencrypt/live/stoke-fest.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/stoke-fest.co.uk/privkey.pem;

ssl-params.conf

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

sudo lsof -i :443

COMMAND  PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
nginx   6782     root    8u  IPv4 12769716      0t0  TCP *:https (LISTEN)
nginx   6782     root    9u  IPv6 12769717      0t0  TCP *:https (LISTEN)
nginx   6784 www-data    8u  IPv4 12769716      0t0  TCP *:https (LISTEN)
nginx   6784 www-data    9u  IPv6 12769717      0t0  TCP *:https (LISTEN)

netstat -tulpen|grep 443

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          12769716   -                   
tcp6       0      0 :::443                  :::*                    LISTEN      0          12769717   -

sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
1194/udp                   ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)             
1194/udp (v6)              ALLOW       Anywhere (v6)

Please provide the complete command string that produced the cert, the version of certbot, and have you tried "certbot-auto"?

Have you checked in the opposite/outbound direction?
curl https://letsencrypt.org/

And although you added an SSL section to your file, you failed to use the cert obtained: crt.sh | 216489535
Probably due to "certonly" being used in original command string.

I had previously used:

certbot certonly -a webroot --webroot-path=/var/www/stoke-fest.co.uk/html -d stoke-fest.co.uk -d www.stoke-fest.co.uk

but after reading through the docs am now using:

sudo certbot run -a webroot -i nginx -w /var/www/stoke-fest.co.uk/html/ -d stoke-fest.co.uk -d www.stoke-fest.co.uk

Both of these commands run without errors (I had to directly include the contents of the certificate snippet, but other than that no changes).

The certificates have been reinserted into the config by certbot as follows:

ssl_certificate /etc/letsencrypt/live/stoke-fest.co.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/stoke-fest.co.uk/privkey.pem; # managed by Certbot

curl https://letsencrypt.org/ seems to work as expected; I can post the exact output if required, but it seems to fully mirror the same page loaded in a browser.

certbot-auto

certbot-auto: command not found

https://www.ssllabs.com/ssltest/analyze.html?d=stoke-fest.co.uk&hideResults=on

Assessment failed: No secure protocols supported

Which version of certbot are you using?
certbot --version

Getting certbot-auto may help. See: Migration to new server and also apache to nginx - #4 by MitchellK

External access disagrees:
openssl s_client -connect www.stoke-fest.co.uk:443
CONNECTED(000000FC)
write:errno=0
--
no peer certificate available
--
No client certificate CA names sent
--
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
--
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1506275444
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

certbot --version

certbot 0.14.2

sudo ./certbot-auto renew --nginx --dry-run

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/stoke-fest.co.uk.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for stoke-fest.co.uk
tls-sni-01 challenge for www.stoke-fest.co.uk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (stoke-fest.co.uk) from /etc/letsencrypt/renewal/stoke-fest.co.uk.conf produced an unexpected error: Failed authorization procedure. www.stoke-fest.co.uk (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection reset by peer, stoke-fest.co.uk (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection reset by peer. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/stoke-fest.co.uk/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/stoke-fest.co.uk/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.stoke-fest.co.uk
   Type:   connection
   Detail: Connection reset by peer

   Domain: stoke-fest.co.uk
   Type:   connection
   Detail: Connection reset by peer

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

sudo ./certbot-auto --version

certbot 0.18.2

So you have two versions of certbot:
0.14.2
0.18.2
I would remove the 0.14.2 version and just use certbot-auto.
Try an actual renewal using:
sudo ./certbot-auto renew --nginx
(I suspect it will fail, but we can at least rule out the older version.)
If it fails, show:
sudo ./certbot-auto certificates

sudo certbot-auto renew --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/stoke-fest.co.uk.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/stoke-fest.co.uk/fullchain.pem (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------

sudo certbot-auto --force-renewal --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: rjalphadog.co.uk
2: repo.rjalphadog.co.uk
3: sgc.rjalphadog.co.uk
4: test.rjalphadog.co.uk
5: www.rjalphadog.co.uk
6: stoke-fest.co.uk
7: www.stoke-fest.co.uk
8: stokegoldingclub.co.uk
9: www.stokegoldingclub.co.uk
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 6, 7
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for stoke-fest.co.uk
tls-sni-01 challenge for www.stoke-fest.co.uk
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/stoke-fest.co.uk for set(['www.stoke-fest.co.uk', 'stoke-fest.co.uk'])
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/stoke-fest.co.uk for set(['www.stoke-fest.co.uk', 'stoke-fest.co.uk'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://stoke-fest.co.uk and
https://www.stoke-fest.co.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=stoke-fest.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=www.stoke-fest.co.uk
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/stoke-fest.co.uk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/stoke-fest.co.uk/privkey.pem
   Your cert will expire on 2017-12-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I tried renewing, but it told me it doesn’t need renewing yet; I tried forcing it, which says it succeeded, but SSL Labs is still showing no cert.

Please stop creating new certificates. You’re going to run into the rate limits soon, and you don’t need more.

https://letsencrypt.org/docs/rate-limits/

Beyond that, I can only guess at what’s wrong…

Could you run “nginx -T” and paste the configuration?

Are the DNS records correct?

Could you run “iptables-save” and “ip6tables-save” to dump the firewall configuration and ensure it’s correct?

If you have a DigitalOcean Cloud Firewall, is it configured to allow port 443?
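A way to act on the nginx -T request above, as an added example that is not from this thread and not nginx or certbot code: a script that parses the dump, lists the server blocks claiming each port, and flags three things that make a name's TLS behave differently from what its own server block says: "ssl on;" in a block that also listens on 80, a port-443 listener without the ssl flag, and a server_name claimed twice on the same port (nginx warns and ignores the later one). It also reports which block is the default for each port, which matters for tls-sni-01: the validator connects with a challenge-specific SNI name, and a ClientHello whose SNI matches no server_name is handled by the default block for that port. SAMPLE is constructed: block 0 is the configuration posted earlier in the thread, the other two are invented to trigger the checks and say nothing about the poster's real vhosts; 0.0.0.0:443 and [::]:443 are folded into one port key, and escaped quotes are not handled.

```python
"""Audit the server blocks of an `nginx -T` dump for port-443 conflicts.

Added example, not from the thread and not nginx or certbot code. SAMPLE is
constructed: block 0 is the configuration posted above; blocks 1 and 2 are
invented to trigger the checks and say nothing about the poster's real vhosts.
Simplifications: 0.0.0.0:443 and [::]:443 share one port key; no escaped quotes.
"""
import re, sys
from collections import defaultdict

SAMPLE = r'''
http {
    server {
        listen 80;
        listen 443 ssl;
        listen [::]:443 ssl;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/stoke-fest.co.uk/fullchain.pem;
        server_name stoke-fest.co.uk www.stoke-fest.co.uk;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
    }
    server {                        # constructed: plain HTTP socket claiming 443
        listen 443 default_server;
        server_name other.example;
    }
    server {                        # constructed: duplicates a name from block 0
        listen 443 ssl;
        ssl_certificate /etc/ssl/other.pem;
        server_name www.stoke-fest.co.uk;
    }
}
'''

def _tokens(text):
    """Yield ('word', value) for directive words and (p, p) for '{', '}' and ';'."""
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == '#':                          # comment runs to end of line
            i = text.find('\n', i) % (n + 1)    # no newline left: -1 wraps to n
        elif c in '{};':
            yield c, c
            i += 1
        elif c in '"\'':                         # quoted value may hold ';' or '{'
            j = text.index(c, i + 1)
            yield 'word', text[i + 1:j]
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in '{};"\'':
                j += 1
            yield 'word', text[i:j]
            i = j

def parse_servers(text):
    """One dict per server block: directive name -> list of argument lists."""
    stack, servers, words = [], [], []
    for kind, val in _tokens(text):
        if kind == 'word':
            words.append(val)
            continue
        if kind == '{':
            stack.append(words[0] if words else '')
            if stack[-1] == 'server':
                servers.append(defaultdict(list))
        elif kind == '}':
            stack.pop()
        elif stack and stack[-1] == 'server' and words:     # ';' ends a server-level directive
            servers[-1][words[0]].append(words[1:])
        words = []
    return servers

def listen_port(addr):
    """Port of a listen address: 443, 0.0.0.0:443, [::]:443 or [::] (defaults to 80)."""
    m = re.match(r'^(?:\[[^\]]*\]|[^:]*)(?::(\d+))?$', addr)
    return int(m.group(1)) if m and m.group(1) else (int(addr) if addr.isdigit() else 80)

def audit(servers):
    """Findings as dicts with 'kind' and 'msg' (plus 'port'/'server' for default_server)."""
    out, per_port = [], defaultdict(list)              # port -> [(idx, names, is_default)]
    for idx, srv in enumerate(servers):
        names = [n for args in srv['server_name'] for n in args]
        ssl_on = any(a[:1] == ['on'] for a in srv['ssl'])      # applies to every listen of the block
        for args in srv['listen']:
            port, flags, ls = listen_port(args[0]), args[1:], ' '.join(args)
            per_port[port].append((idx, names, 'default_server' in flags))
            if ssl_on and 'ssl' not in flags:
                out.append({'kind': 'ssl_on_all_ports', 'msg': 'server %d: "ssl on;" forces TLS on "listen %s" too; drop it and keep the ssl flag on the 443 listens' % (idx, ls)})
            if port == 443 and not ('ssl' in flags or ssl_on):
                out.append({'kind': 'plain_http_on_443', 'msg': 'server %d: "listen %s" speaks plain HTTP, so a ClientHello gets an HTTP error instead of a handshake' % (idx, ls)})
    for port, entries in sorted(per_port.items()):
        chosen = ([e for e in entries if e[2]] or entries)[0][0]   # unmarked: first block for the port wins
        out.append({'kind': 'default_server', 'port': port, 'server': chosen, 'msg': 'port %d: SNI names matching no server_name go to server %d' % (port, chosen)})
        owner = {}
        for idx, names, _ in entries:
            for name in names:
                if owner.setdefault(name, idx) != idx:
                    out.append({'kind': 'conflicting_name', 'msg': 'port %d: server_name %s in server %d duplicates server %d; nginx warns and ignores the later one' % (port, name, idx, owner[name])})
    return out

if __name__ == '__main__':                      # sudo nginx -T 2>/dev/null | python3 audit_443.py
    for f in audit(parse_servers(SAMPLE if sys.stdin.isatty() else sys.stdin.read())):
        print('%-18s %s' % (f['kind'], f['msg']))
```

Pipe the real dump in with `sudo nginx -T 2>/dev/null | python3 audit_443.py` (nginx -T writes the expanded configuration, includes and all, to stdout). Re-enable the disabled vhosts one at a time and rerun: the block that becomes the default for port 443, or that claims stoke-fest.co.uk a second time, is the one that takes the handshake away from the block shown above.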

Weirdly, while replying to you I noticed my screenshots were under https:// and have just checked with SSL Labs, and it’s now working… I haven’t changed anything since my last post, when it wasn’t working.

It seems there may be a conflict due to other vhost configs. I had forgotten that I had disabled my other vhosts; turning any of them back on kills the SSL connection. I’ll take a look at them all tomorrow to see if I can find any reason.
