Certbot + Nginx + Ubuntu 16.04

Hey!

First, I would like to thank the developers for this awesome certbot but I have some problems configuring it on my server.
I have followed all instructions here - https://certbot.eff.org/#ubuntuxenial-nginx
I installed certbot, the nginx plugin, I have set the cron, restarted the server and… Sites are not https. Actually some sites (only wordpress ones) work with https but the stylesheets are not being read and they look so screwed. Do I have to manually redirect in the nginx config all enabled sites to ssl? Also there is only one error I got from following the instructions and it was:
Cannot find a VirtualHost matching domain reverse-xxx.xxx.xxx.xxx.domain.tld

where xxx are parts of the IP and domain.tld is the domain from the PTR record of the host.

Any idea how to fix this? It looks like it is almost done, I just need to add something but I am not quite sure what that may be. Also, sites are using cloudflare for free, not sure how that is related but thought to mention it.

Thanks in advance!

Nobody can help you, as long as you don’t mention your real domain name. Also provide a link to the wordpress site whose css is not loaded.

<!-- NSFW! -->

OK. Example domain name allfree.xxx :slight_smile:
Without even changing the config it works on https://allfree.xxx but it does not redirect to https.

<!-- NSFW! -->

I think it is because the stylesheets come from unauthorized sources without https but they are on the same domain.

Also, I assume I should edit wordpress settings and set the urls to https but that only leads to the screwed version where the stylesheets could not be read. As for non-wordpress sites, they don’t even work with https after the install. Also, not all wordpress sites work with https after the install. This is kind of odd. What should I modify in the sites-enabled or default configs to make certbot work properly?

This plugin pretty much solves the problem but what about those non-wordpress sites?
Plugin - https://wordpress.org/plugins/really-simple-ssl/

In case of mixed content, you may easily spot the reason with the help of the following site: https://www.whynopadlock.com/

You have to make sure that all resources are loaded via https if the page is displayed via https.

That means you should avoid fully qualified URLs (http://foobar.com/css/main.css) and use path names to the resources (/css/main.css) instead. If the resources are located on an external site, you have to include them via https://...

Thanks but the sites don’t even work on https. I get an error “unable to connect”.

On the same server? This error indicates that nginx is not listening on port 443. I also notice that your first-mentioned (NSFW) domain is hosted via Cloudflare; do you terminate your SSL there and only offer HTTP on your server?

You can check that with the following command on the server:

netstat -tpln

It shows which program is listening on which port.


Of course - nginx is listening on port 80. I did not know I had to change it manually on all enabled sites to 443. That’s pretty much what I was asking. So, I have to do all the rewrites from http to https and http://www. to https://? Oh… :smiley: I thought the nginx plugin does that automatically. I changed the port, restarted the server, but I still get the “Unable to connect” error.

@bytecamp, yes it looks like CloudFlare is in the mix:

Name: allfree.xxx
Addresses: 2400:cb00:2048:1::681b:9928
2400:cb00:2048:1::681b:9828
104.27.152.40
104.27.153.40

CloudFlare IP block:
https://whois.arin.net/rest/net/NET-104-16-0-0-1/pft?s=104.27.152.40

You are saying I should disable cloudflare?

NO. But it has to be taken into consideration.

Could you please provide one of the domain names that you cannot connect to?

Sure!

NSFW https://wocams.com/ - does not work, http://wocams.com works.

Your webserver (nginx) is not configured to listen on port 443 (https) or you have a firewall which drops inbound connections to that port.


Please post your output of sudo iptables -S and also post your full vhost config for wocams.com here.
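As an added illustration (not posted by anyone in this thread), here is what a vhost that addresses the two points raised above looks like: a plain-http server block that keeps the ACME challenge path reachable and redirects everything else, and a separate block that actually listens on 443 with the certificate. The domain example.com, the webroot paths and the www-to-bare-domain redirect are placeholders and assumptions; the certificate paths follow certbot's default /etc/letsencrypt/live/<domain>/ layout.

```nginx
# Added example, not from the original thread. example.com is a placeholder.

# Port 80: answer ACME http-01 challenges, redirect everything else to https.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/html;          # assumed webroot used for the challenge
    }

    location / {
        return 301 https://example.com$request_uri;
    }
}

# Port 443 for www: collapse onto the bare domain (assumed preference).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    return 301 https://example.com$request_uri;
}

# Port 443 for the bare domain: the block that was missing when only
# "listen 80" was configured and "unable to connect" was the result.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2;

    root  /var/www/example.com;      # assumed site root
    index index.php index.html;
}
```

After `nginx -t` and a reload, `netstat -tpln` should list nginx on :443 as well as :80; if it does but the browser still cannot connect, the remaining suspect is a firewall rule dropping inbound 443, which is what the `iptables -S` request above is meant to reveal.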
