Certbot ran successfully, but connect via https times out


#1

Hello,

certbot ran successfully: there are certificates, there are SSL lines in the nginx server block, nginx has restarted. http://folkrnn.org works, as before. But https://folkrnn.org doesn’t connect.

This all feels quite vanilla, but it’s not working for me, I can’t work out why, and it’s driving me mad. In particular I can’t find any sign of why it’s not working in e.g. systemctl status nginx.

(I’m reverse-proxying a daphne ASGI app. But even requesting a static file, entirely handled by nginx, doesn’t work. I’ve included the nginx conf below, at the end.)

I’ve read many threads here with other people’s issues but not got any leads.

Any pointers?

Thanks in advance,

Toby

My domain is:

folkrnn.org

I ran this command:

sudo certbot --non-interactive --nginx --agree-tos -m <redacted> -d folkrnn.org -d www.folkrnn.org -d themachinefolksession.org -d www.themachinefolksession.org

It produced this output:

…is beyond scrollback’s reach. But it said it was happy. And, e.g.

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: folkrnn.org
    Domains: folkrnn.org themachinefolksession.org www.folkrnn.org www.themachinefolksession.org
    Expiry Date: 2018-08-13 16:21:58+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/folkrnn.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/folkrnn.org/privkey.pem
-------------------------------------------------------------------------------

My web server is (include version):

$ nginx -V
nginx version: nginx/1.10.3 (Ubuntu)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads

The operating system my web server runs on is (include version):

Ubuntu 16.04

My hosting provider, if applicable, is:

N/A

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

Aaaaaand for good measure, here is the nginx sites-available file.

$ cat /etc/nginx/sites-available/folkrnn.org
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name folkrnn.org www.folkrnn.org;
    client_max_body_size 1000M;

    location /static {
         alias /folk_rnn_static;
    }

    location / {
        proxy_pass http://unix:/folk_rnn_tmp/folk_rnn.org.socket;
        proxy_set_header Host folkrnn.org;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/folkrnn.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/folkrnn.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

#2

Looks like a simple case of server firewall.

Do you have ufw? firewalld?

ufw status
firewall-cmd --list-all

#3

Oh rubber duck time: is it ufw


#4

Boom! Of course. I’d delete the thread… but hopefully someone will read this and save themselves the hours of fiddling around.


#5

I have the same issue, implemented the certificates by running certbot e.g. $ sudo certbot --apache for my two domains sportingnation.com / banksypoem.com including www sub-domain. Now both sites timeout.

ufw status - returns inactive.
firewall-cmd is not installed.

Any other suggestions for troubleshooting this?

I’m using ubuntu 16.04 on an AWS EC2 instance.

Server version: Apache/2.4.18 (Ubuntu)
Server built: 2017-09-18T15:09:02

Cheers,

Tom


#6

Check your EC2 security group, and otherwise check iptables:

iptables -L -n

#7

You’re a legend - was simply my AWS security group inbound rules - added https - working! Thanks.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.