Certbot Nginx/Ubuntu16.04 timeout on AWS - Port 443 Rule Missing

Hello everyone.

After successfully configuring nginx on my EC2 server (Ubuntu Xenial 16.04) I tried to install certbot several times, but it failed every time with a timeout issue.

I followed the procedure at https://certbot.eff.org/#ubuntuxenial-nginx and I get a success message, but when I go to test at https://www.ssllabs.com/ssltest/analyze.html?d=mysite.com

it doesn't work. Also, if I try:

curl -I https://54.238.241.237:443 # it fails

However:

curl -I http://54.238.241.237:80 # works

My Nginx config is the following:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name mysite.com;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # With php7.0-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php7.0-fpm:
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }

    location ~ /.well-known {
        allow all;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mysite.com-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysite.com-0002/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

My UFW status is the following:

Status: active

To                         Action      From
22                         ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
443                        ALLOW       Anywhere
80                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)

I really wonder where this problem comes from, and would appreciate any help on this matter. Thanks in advance.

I see that the UFW allows 443.
But maybe the EC2 settings must also allow 443.

hi @BlackSwing

I suspect @rg305 is right. From your internet gateway in AWS to your VPC there is a firewall, and you will need to allow 443 through that; otherwise your traffic will not be able to reach your servers.

Andrei

Thanks to both of you, you were right, I forgot to open the 443 port from the AWS security group…
Problem solved.
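The diagnosis in the two replies rests on two observations: the host firewall (UFW) allowed 443 but the AWS security group in front of the instance did not, and the symptom was a timeout rather than a refused connection. The following is an added example, not code from the thread or from AWS; it evaluates a security group document in the shape returned by `aws ec2 describe-security-groups --output json` (a constructed sample with a placeholder group id, covering port ranges, the all-traffic `-1` protocol and IPv6 sources) and shows, offline on a loopback listener, how a dropped connection (timeout) differs from a refused one.

```python
"""Added example, not code from the thread: (1) does an EC2 security group
admit inbound traffic on a port, judged from the JSON shape of
`aws ec2 describe-security-groups`, and (2) does a TCP connect time out
(something upstream dropped it) or get refused (the host answered)?"""
import ipaddress
import json
import socket


def _sample_sg(extra_rules):
    """Constructed describe-security-groups document; the group id is a placeholder."""
    base = [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]
    return json.dumps({"SecurityGroups": [
        {"GroupId": "sg-0000EXAMPLE", "IpPermissions": base + extra_rules}]})


# Constructed: the poster's original state, only 22 and 80 admitted.
SG_BEFORE = _sample_sg([])
# Constructed: 443 opened, plus an all-traffic rule scoped to a private range.
SG_AFTER = _sample_sg([
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
])


def _cidr_covers(rule, ip):
    """True if any IPv4/IPv6 CIDR on the rule contains ip."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def sg_allows(sg_json, port, proto="tcp", source_ip="203.0.113.10"):
    """Return ids of groups whose inbound rules admit proto/port from source_ip.
    Only CIDR sources are evaluated; rules referencing other groups
    (UserIdGroupPairs) or prefix lists are skipped, so a [] result from this
    function is a prompt to look at those, not a final verdict."""
    ip = ipaddress.ip_address(source_ip)
    hits = []
    for group in json.loads(sg_json)["SecurityGroups"]:
        for rule in group["IpPermissions"]:
            if rule["IpProtocol"] not in ("-1", proto):
                continue
            # All-traffic ("-1") rules carry no FromPort/ToPort at all.
            lo, hi = rule.get("FromPort", port), rule.get("ToPort", port)
            if not lo <= port <= hi:
                continue
            if _cidr_covers(rule, ip):
                hits.append(group["GroupId"])
                break
    return hits


def classify_connect(host, port, timeout=3.0):
    """'timeout': the SYN was silently dropped (security group, NACL, firewall).
    'refused': the host answered with RST, so nothing listens on that port.
    'open': a TCP handshake completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error:%s" % exc.errno


def self_check():
    """Offline demonstration on loopback: a listening port reads 'open', and
    the same port reads 'refused' once the listener is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = classify_connect("127.0.0.1", port, timeout=2.0)
    srv.close()
    closed = classify_connect("127.0.0.1", port, timeout=2.0)
    return {"listening": listening, "closed": closed}


if __name__ == "__main__":
    for label, doc in (("before fix", SG_BEFORE), ("after fix", SG_AFTER)):
        print(label, {p: bool(sg_allows(doc, p)) for p in (22, 80, 443)})
    print(self_check())
```

Against a real instance, feed `sg_allows` the output of `aws ec2 describe-security-groups --group-ids <id> --output json` and run `classify_connect` from outside the VPC: a `timeout` on 443 while 80 is `open` is exactly the pattern reported above, and it points at the security group or a network ACL rather than at nginx or UFW, which would produce `refused` instead.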
