Certificates installed on nginx, but https does not open

rmgomes · September 10, 2018, 7:37pm

Hello guys,

I’m trying to get this site to work on HTTPS, so I used letsencrypt / certbot to install the certificates and configure nginx:

gestaourbana.prefeitura.sp.gov.br

It seems the cert was succesfully generated, but the site doesnt open on https request.
https://transparencyreport.google.com/https/certificates/WucglXkkfEWsCsZCVYfrKXPGuWBbn2tfpfV4FS6HrCE%3D

I even tried to change the conf files according to this standard: https://mozilla.github.io/server-side-tls/ssl-config-generator/ but it didn’t work.

How can I check the cause of the problem? Thanks in advance.

schoen · September 10, 2018, 7:46pm

Bom dia @rmgomes,

I’m guessing that there could be a firewall (either on the server or on the network level) blocking inbound connections on port 443. This is the most likely problem in this situation (since the TCP connection on port 443 can’t be established at all).

On the server you could also run ss -tlp to confirm that nginx itself is listening on port 443 (https). If it is, the firewall hypothesis is more likely to be right.

stevenzhu · September 10, 2018, 8:10pm

Hi,

The error message states that you have a firewall blocking issue:

Querying target system called:

gestaourbana.prefeitura.sp.gov.br

Attempting to resolve name to IP address...

Name resolved to [IP REMOVED]

querying...

TCP port 443 (https service): FILTERED

Please check if there are any firewall blocking.. (either on network or on your local machine or router...)

Thank you

rmgomes · September 10, 2018, 8:49pm

Bom dia, @schoen =D
It seems nginx is listening on https just like http:
LISTEN 0 128 *:http : users:(("nginx",25423,8),("nginx",25424,8),("nginx",25425,8),("nginx",25426,8),("nginx",25428,8))
LISTEN 0 128 *:https : users:(("nginx",25423,9),("nginx",25424,9),("nginx",25425,9),("nginx",25426,9),("nginx",25428,9))

I checked for it and inserted a rule through the following command:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
service iptables save

Is there a way to check if other "thing" blocking it?
Thank you

schoen · September 10, 2018, 9:16pm

One idea is to check from further and further away, for example if you can test from another machine on the same LAN (curl -v https://gestaourbana.prefeitura.sp.gov.br/). This might reveal whether the problem is an iptables rule or a router or firewall elsewhere on the network.

You could also post your complete iptables output here so that we could see if there's any apparent problem with the iptables rules (assuming that they don't contain any confidential information).

prefeitura.sp.gov.br

Por curiosidade, porque a cidade de São Paulo não precisava usar prefeitura.saopaulo.sp.gov.br como seria o caso para outros municípios? É por ser a capital do estado homônimo, ou apenas por ser muito grande e conhecida?

stevenzhu · September 10, 2018, 9:33pm

Hi,

Now the port 443 is unblocked.
It's redirecting to http://www.capital.sp.gov.br/

I have no idea... I could only know if any port is "Not Listening" "Filtered" "Listening".

Thank you

rmgomes · September 12, 2018, 8:23pm

SOLVED!

The problem was in the server’s network proxy, managed by a third party company. I had to ask them to open port 443 for external connections.

Now I only need to fix some minor (hardcoded) links to point to the https before redirecting all traffic to the 443, but the main issue is closed

Thank you guys for everything!

rmgomes · September 12, 2018, 8:26pm

Nunca parei para pensar a respeito... Creio que o primeiro motivo - por ser capital do estado homônimo.

Obrigado novamente.

system · October 12, 2018, 8:26pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.