Can't connect to website after installing Certbot SSL Certificate

Isn't the port open in this print:
image

And is there something else I should close?

First thing that caught my eye is that your port 80 rule is below the -j REJECT rule. However, I'm not getting a rejection from port 80, but a time out. So it seems my TCP connection isn't hitting the -j REJECT rule either? So perhaps something else is still blocking access to your server on port 80, as it doesn't seem to be reaching that iptables either.

Although @Bruce5051 is getting a "closed" answer on port 80 instead of the "filtered" (i.e.: time out) I'm getting. So perhaps putting the port 80 rule above the -j REJECT might fix it for a number of people, but still weird I'm getting a timeout.

Hm, never mind, the ipvoid.com site Bruce just used is now also seeing "filtered". Did you change anything in your iptables rules to make the change from "closed" to "filtered"?

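Added example, not part of any post in this thread: iptables walks a chain top to bottom and stops at the first terminating rule, so an ACCEPT placed below a catch-all -j REJECT is never reached. The script replays that first-match logic over a constructed `iptables -S INPUT` listing; the rules and the `first_match`, `broken_rules` and `fixed_rules` helpers are assumptions, not the poster's actual table.

```shell
#!/bin/sh
# first_match PORT: read `iptables -S INPUT` style lines on stdin and print the
# verdict for a NEW inbound TCP connection from a remote host, plus the rule
# number that decided it. Models only -i lo, -s, -p, --state/--ctstate, --dport.
first_match() {
  awk -v port="$1" '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
      n++; ok = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i" && $(i+1) == "lo") ok = 0            # loopback only
        else if ($i == "-s") ok = 0                         # source-restricted
        else if ($i == "-p" && $(i+1) != "tcp") ok = 0
        else if ($i ~ /^--(ct)?state$/ && $(i+1) !~ /NEW/) ok = 0
        else if ($i == "--dport") {
          split($(i+1), r, ":"); lo = r[1]; hi = (r[2] != "") ? r[2] : r[1]
          if (port + 0 < lo + 0 || port + 0 > hi + 0) ok = 0
        }
        else if ($i == "-j") target = $(i+1)
      }
      if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) {
        printf "%s rule %d\n", target, n; found = 1; exit
      }
    }
    END { if (!found) printf "%s policy\n", policy }
  '
}

# Constructed ruleset: the port 80 ACCEPT sits below the catch-all REJECT.
broken_rules() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
EOF
}

# Same rules with the port 80 ACCEPT moved directly above the REJECT.
fixed_rules() {
  broken_rules | awk '/--dport 80 /{next} /-j REJECT/{print "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"} {print}'
}

for p in 22 80 443; do
  echo "port $p: before=$(broken_rules | first_match "$p") after=$(fixed_rules | first_match "$p")"
done
```

On a live host the same reordering is done by deleting the misplaced rule and re-adding it with `iptables -I INPUT <n> ...`, where `<n>` is the position of the REJECT rule.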

Previously I had three rules for port 80. I deleted all three and created the one that you are seeing.

I can also confirm that the port 80 is now filtered and not closed:

This will accept domain names:


I was already using that website before. It shows that ports 443 and 22 are open but port 80 isn't and I don't know why...

Is your ISP blocking?


Using traceroute on Port 80 looks like the IPv4 Address causing the blockage is 129.151.227.103, the host server itself (or possibly a router with NAT and port forwarding to the host).

$ sudo traceroute -T -p80 varelasnkrs.com
traceroute to varelasnkrs.com (129.151.227.103), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.183 ms  0.222 ms  0.250 ms
 2  96.120.60.137 (96.120.60.137)  11.240 ms  11.227 ms  11.214 ms
 3  162.151.125.157 (162.151.125.157)  11.199 ms  11.186 ms  11.172 ms
 4  68.85.243.154 (68.85.243.154)  11.478 ms  11.464 ms  11.452 ms
 5  96.216.60.245 (96.216.60.245)  11.116 ms  11.102 ms  11.129 ms
 6  ae-69-ar01.troutdale.or.bverton.comcast.net (68.85.243.197)  12.186 ms  12.832 ms  12.813 ms
 7  4.68.37.245 (4.68.37.245)  12.068 ms  9.553 ms  9.508 ms
 8  ae1.3107.edge1.Marseille3.level3.net (4.69.158.178)  167.303 ms  167.997 ms  171.596 ms
 9  140.91.250.25 (140.91.250.25)  166.889 ms 140.91.250.10 (140.91.250.10)  166.875 ms 140.91.250.7 (140.91.250.7)  166.516 ms
10  129.151.227.103 (129.151.227.103)  172.088 ms !X  169.430 ms !X  168.920 ms !X
$ sudo traceroute -T -p443 varelasnkrs.com
traceroute to varelasnkrs.com (129.151.227.103), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.233 ms  0.199 ms  0.144 ms
 2  96.120.60.137 (96.120.60.137)  8.942 ms  8.879 ms  8.842 ms
 3  162.151.125.157 (162.151.125.157)  15.399 ms  15.373 ms  15.355 ms
 4  68.85.243.154 (68.85.243.154)  14.447 ms  14.413 ms  14.384 ms
 5  96.216.60.245 (96.216.60.245)  14.358 ms  13.500 ms  14.308 ms
 6  ae-69-ar01.troutdale.or.bverton.comcast.net (68.85.243.197)  16.774 ms  19.883 ms  37.883 ms
 7  4.68.37.245 (4.68.37.245)  41.848 ms  10.143 ms  10.021 ms
 8  ae1.3107.edge1.Marseille3.level3.net (4.69.158.178)  168.263 ms  167.923 ms  173.439 ms
 9  140.91.250.24 (140.91.250.24)  172.206 ms 140.91.250.3 (140.91.250.3)  172.403 ms 140.91.250.24 (140.91.250.24)  172.148 ms
10  129.151.227.103 (129.151.227.103)  167.089 ms  167.642 ms  172.447 ms
$ nmap -Pn varelasnkrs.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-04 20:54 UTC
Nmap scan report for varelasnkrs.com (129.151.227.103)
Host is up (0.17s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 11.51 seconds

I found the problem, I just don't know how to fix it...


I can only have one port open at a time, and I don't know why. I removed everything from the table and added port 80 first and then port 433. Now port 80 is open and port 433 is closed...

Never mind, I opened port 433 and not port 443. Now both of them are open:


Looks good from my IPv4 location as well

$ nmap -Pn varelasnkrs.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-04 23:30 UTC
Nmap scan report for varelasnkrs.com (129.151.227.103)
Host is up (0.17s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 12.96 seconds

Here is another problem:
These 3 links work:

https://www.varelasnkrs.com

But this one doesn't:
http://www.varelasnkrs.com

And I also would like to make the www. version the default address (that everything gets redirected to) and not the one without www, but I don't know what to change to make that happen...

Here is an online tool to assist with checking redirects https://www.redirect-checker.org/

$ curl -Ii http://www.varelasnkrs.com/
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 04 Mar 2023 23:38:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

$ curl -Ii https://varelasnkrs.com/
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 04 Mar 2023 23:37:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <https://varelasnkrs.com/wp-json/>; rel="https://api.w.org/"
Link: <https://varelasnkrs.com/wp-json/wp/v2/pages/1986>; rel="alternate"; type="application/json"
Link: <https://varelasnkrs.com/>; rel=shortlink
$ curl -k -Ii https://www.varelasnkrs.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 04 Mar 2023 23:37:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: https://varelasnkrs.com/
$ curl -Ii http://varelasnkrs.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 04 Mar 2023 23:38:00 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://varelasnkrs.com/
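Added example, not part of the original posts: a small checker that reads `curl -I` transcripts like the four above and reports, for each URL variant, whether it either is the canonical origin (200) or redirects straight to it. The `redirect_report` and `sample_transcript` names are assumptions; the sample input is the status and Location lines from the output above, trimmed.

```shell
#!/bin/sh
# redirect_report CANONICAL_URL: read "$ curl -I<opts> URL" transcripts on stdin
# and print "URL STATUS VERDICT" for each request.
redirect_report() {
  awk -v canon="$1" '
    { sub(/\r$/, "") }                       # real curl output ends lines with CR
    /^\$ curl / { report(); url = $NF; status = ""; loc = ""; next }
    /^HTTP\//   { status = $2; next }
    tolower($1) == "location:" { loc = $2; next }
    END { report() }
    function report() {
      if (url == "") return
      if (url == canon && status == 200) v = "OK canonical"
      else if (status ~ /^30[178]$/ && loc == canon) v = "OK redirect"
      else v = "FAIL"
      printf "%s %s %s\n", url, status, v
    }
  '
}

# Sample input: the four responses shown above, reduced to the relevant headers.
sample_transcript() { cat <<'EOF'
$ curl -Ii http://www.varelasnkrs.com/
HTTP/1.1 404 Not Found
$ curl -Ii https://varelasnkrs.com/
HTTP/1.1 200 OK
$ curl -k -Ii https://www.varelasnkrs.com/
HTTP/1.1 301 Moved Permanently
Location: https://varelasnkrs.com/
$ curl -Ii http://varelasnkrs.com/
HTTP/1.1 301 Moved Permanently
Location: https://varelasnkrs.com/
EOF
}

# Current canonical origin according to the responses: the name without www.
sample_transcript | redirect_report "https://varelasnkrs.com/"
```

Running it with `https://www.varelasnkrs.com/` as the argument instead marks all four variants FAIL, which is the set of responses that has to change before the www name can be the default.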

You might find nginx documentation and https://forum.nginx.org/ helpful as well.


I will have to go back and RTFM to learn what is meant by "filtered" [if NOT "closed"]...


Filtered is when no packages get returned by the server, whereas closed means the server actively closed the connection when receiving an incoming connection using an ICMP reply. OP used such a firewall rule earlier shown in this thread (the one with -j REJECT).


I know this is unrelated but can you help me? This website is migrated using all-in-one wp migration plugin from another host to an nginx server running in Oracle Cloud. After the migration the permalinks broke and I can't find a way to fix them. I can only access the homepage. I already tried changing the structure to another one and back to the old one and it didn't work. Making another .htaccess file doesn't work either (this wp never created one).

I do not actually know enough to be able to help.
Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.


I'm afraid that's quite out of the scope of this Community.


Please see Post #26 in this thread:

