Certs not running & website became a mess

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.yppgi.org

I ran this command: sudo certbot certonly --nginx. Then I ran another command : sudo certbot install --nginx

It produced this output:

My web server is (include version): Ubuntu 18.04.4 LTS

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: own vps

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Wordpress

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I’m new and trying to set up an ssl on my website. After installation, my website got messed up and the cert is not running on my website at all. I use Wordpress for my website.
I don’t know where I got it wrong and can’t seem to find a solution for it.

here’s my conf:

server {

listen 443 ssl;

server_name yppgi.org www.yppgi.org;
#ssl on;

ssl_certificate /etc/letsencrypt/live/prtg.intosolusi.net.id/cert.pem;

ssl_certificate_key /etc/letsencrypt/live/prtg.intosolusi.net.id/privkey.pem;

location / {
proxy_pass http://192.168.99.101;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl $scheme;

return 301 $scheme://yppgi.org$request_uri;

}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/yppgi.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/yppgi.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = yppgi.org) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80;
server_name yppgi.org www.yppgi.org;
return 404; # managed by Certbot

}

2 Likes

Hi @MarioYoku

your non-www https://yppgi.org/ works, but there is a lot of mixed content.

Your certificate has only the non-www, so www doesn’t work.

Create one certificate with both domain names.

PS: Now the check is ready - https://check-your-website.server-daten.de/?q=yppgi.org#html-content

Really a lot of mixed content. You use WordPress, there is something like a base url, change that to https.

3 Likes

You actually have issued a certificate for that domain. Just not fot www.yppgi.org as well.

On the non-www site you have mixed content issues, those are the reason it looks messed up. The www site has no certificate and you only see the http site.

3 Likes

My apologies for this but could please tell me what exactly should I do ?
Should I remove some contents ?
I have no idea installing certs would do that.
how do i remove the certs and all installation ? and start fresh ?

2 Likes

Is there a guide on how to install certbot properly ?
This is what I did.
“sudo certbot certonly --nginx”
Then I ran another command : sudo certbot install --nginx"

Were those wrong commands ?

2 Likes

No, but you could have done both things just by omitting certonly in the first command.

Right now your certificate is only valid for yppgi.org but it looks like you also want it to be valid for www.yppgi.org as well. You need certbot to get a certificate for both. (certbot --nginx then select both)

After you do this, you need to tell wordpress (from /wp-admin/options-general.php) that your website is https, so it can stop trying to load stuff over http and make the website look broken.

3 Likes

That would not help. If you want to use a certificate, you have to change your http links to https.

https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox

3 Likes

Hi,

I have changed it on /wp-admin/options-general.php as instructed, but now I can’t call up my domain name. Tried to open on browser and it says " 404 Not Found"

I can’t even open /wp-admin anymore now.

Is there something elese I need to configure in the nginx ?

2 Likes

Show me your nginx config.

Use ```pre on a line by itself before each file, and ``` on a line by itself after each file.

2 Likes

I don’t know how WordPress works. Perhaps ask in a WordPress-Forum.

May be the wrong vHost answers.

May be there is the wrong root. So the nginx ignores the WordPress.

2 Likes

Hi,

My apologies, I don’t know what you mean by using pre and .

but here’s my config :

server {
listen 80;
listen 443 ssl;
server_name yppgi.org www.yppgi.org;
return 404; # managed by Certbot

ssl_certificate /etc/letsencrypt/live/yppgi.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/yppgi.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($host = yppgi.org) {
return 301 https://$host$request_uri;
}
#ssl on;

ssl_certificate /etc/letsencrypt/live/prtg.intosolusi.net.id/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/prtg.intosolusi.net.id/privkey.pem;
location / {
proxy_pass http://192.168.99.101;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection ‘upgrade’;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl $scheme;
return 301 $scheme://yppgi.org$request_uri;
}

1 Like

I mean literally copy paste what I typed:

```pre
paste your file here
```

Ok, what’s http://192.168.99.101?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: yppgi.org

I ran this command: sudo certbot --nginx -d yppgi.org -d www.yppgi.org

It produced this output:
" No matching insecure server blocks listening on port 80 found.
No matching insecure server blocks listening on port 80 found.


Your existing certificate has been successfully renewed, and the new certificate
has been installed. "

My web server is (include version): Ubuntu 18.04.4 LTS

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: WORDPRESS

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Please help me with this. It has been almost 4 days now. going confused why my website can’t run on HTTPS.

here’s my config on ngix/sites-available/

server {
listen 80;
listen 443 ssl;
server_name yppgi.org www.yppgi.org;
ssl on;
ssl_certificate /etc/letsencrypt/live/yppgi.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/yppgi.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://192.168.99.101;

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection ‘upgrade’;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl $scheme;
}
}

You do have HTTPS enabled: https://www.yppgi.org.

You are missing the HTTP-to-HTTPS redirect, though. That’s what the error message is complaining about - it can’t figure out how to apply the redirect.

I think the problem is that Certbot’s nginx plugin can’t deal with combined port 80 and port 443 virtual hosts.

If you want to have an HTTP-to-HTTPS redirect, you may need to maintain separate server {} blocks for port 80 and port 443.

2 Likes

Hi,

Thank you. will try it now.

I have tried maintain separate server as instructed but when I call up https://www.yppgi.org. it shows “welcome to nginx” " he nginx web server is successfully installed and working".

Since it’s reverse proxy, is there something I need to configure on the VirtualHost ?

Here’s my config on nginx

server {
server_name yppgi.org www.yppgi.org;

    location / {
    proxy_pass http://192.168.99.101;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Ssl $scheme;

}
}
server {
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/yppgi.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/yppgi.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
if ($host = yppgi.org) {
return 301 https://$host$request_uri;}

    listen 80;
    server_name yppgi.org www.yppgi.org;
    return 404;

}

and this is for Virtual Host

<VirtualHost *:443>
ServerName YPPGI.org
ServerAlias www.YPPGI.org
ServerAdmin webmaster@YPPGI.org
DocumentRoot /var/www/YPPGI
ErrorLog {APACHE_LOG_DIR}/error.log CustomLog {APACHE_LOG_DIR}/access.log combined

<VirtualHost *:80>
ServerName YPPGI.org
ServerAlias www.YPPGI.org
ServerAdmin webmaster@YPPGI.org
DocumentRoot /var/www/YPPGI
ErrorLog {APACHE_LOG_DIR}/error.log CustomLog {APACHE_LOG_DIR}/access.log combined

The nginx config looks okay, but it doesn’t match how your server is actually behaving.

At this point I’d try something like this:

server {
  listen 443 ssl;
  
  ssl on;
  ssl_certificate /etc/letsencrypt/live/yppgi.org/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/yppgi.org/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  location / {
    proxy_pass http://192.168.99.101;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection ‘upgrade’;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Ssl $scheme;
  }
}

server {
  listen 80;
  server_name yppgi.org www.yppgi.org;
  return 301 https://$host$request_uri;
}

and make sure it is a valid configuration:

sudo nginx -t
sudo systemctl reload nginx

Hi,
Thank you for your reply again.
I have done exactly as instructed.
However the website is now looks messed up. check it https://www.yppgi.org/

What caused this ?
I already change the settings on WORDPRESS. https://yppgi.org.

Whenever i change it to HTTPS, the website somehow looks messed up and I can’t access wp-admin

Good news is the redirect is working okay.

Have you definitely updated your WordPress Site URL to https://www.yppgi.org/? See https://wordpress.org/support/article/changing-the-site-url/ . It is the first step to fixing mixed-content issues.

Otherwise, you may need to make some changes to your theme, because these links seem to be hardcoded to http://:

      <link rel='stylesheet' id='wp-block-library-css'  href='http://www.yppgi.org/wp-includes/css/dist/block-library/style.min.css?ver=5.4.2' type='text/css' media='all' />
    <link rel='stylesheet' id='awsm-ead-public-css'  href='http://www.yppgi.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.6.1' type='text/css' media='all' />
    <link rel='stylesheet' id='contact-form-7-css'  href='http://www.yppgi.org/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.2' type='text/css' media='all' />
    <link rel='stylesheet' id='font-awesome-css'  href='http://www.yppgi.org/wp-content/plugins/tp-education/assets/css/font-awesome.min.css?ver=5.4.2' type='text/css' media='all' />
    <link rel='stylesheet' id='jquery-ui-css'  href='http://www.yppgi.org/wp-content/plugins/tp-education/assets/css/jquery-ui.min.css?ver=5.4.2' type='text/css' media='all' />
    <link rel='stylesheet' id='tp-education-style-css'  href='http://www.yppgi.org/wp-content/plugins/tp-education/assets/css/tp-education-style.min.css?ver=5.4.2' type='text/css' media='all' />
    <link rel='stylesheet' id='newsup-fonts-css'  href='//fonts.googleapis.com/css?family=Montserrat%3A400%2C500%2C700%2C800%7CWork%2BSans%3A300%2C400%2C500%2C600%2C700%2C800%2C900%26display%3Dswap&#038;subset=latin%2Clatin-ext' type='text/css' media='all' />
    <link rel='stylesheet' id='bootstrap-css'  href='http://www.yppgi.org/wp-content/themes/newsup/css/bootstrap.css?ver=5.4.2' type='text/css' media='all' />
    <link rel='stylesheet' id='newsup-style-css'  href='http://www.yppgi.org/wp-content/themes/newsup/style.css?ver=5.4.2' type='text/css' media='all' />
    <link rel='stylesheet' id='newsup-default-css'  href='http://www.yppgi.org/wp-content/themes/newsup/css/colors/default.css?ver=5.4.2' type='text/css' media='all' />
    <link rel='stylesheet' id='owl-carousel-css'  href='http://www.yppgi.org/wp-content/themes/newsup/css/owl.carousel.css?ver=5.4.2' type='text/css' media='all' />
    <link rel='stylesheet' id='smartmenus-css'  href='http://www.yppgi.org/wp-content/themes/newsup/css/jquery.smartmenus.bootstrap.css?ver=5.4.2' type='text/css' media='all' />
    <script type='text/javascript' src='http://www.yppgi.org/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp'></script>
    <script type='text/javascript' src='http://www.yppgi.org/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1'></script>

You can use https://www.whynopadlock.com/ to identify all of them.