Error isn't resolving

I’m banging my head since yesterday. Even reformatted my DO droplet.
My domain is y21.xyz
I’ve installed Letsencrypt certs and keys with ‘successful’ msg thru my ubuntu terminal.

I used this command to install: certbot --nginx
My Nginx conf file is as under:

server {
    if ($host = y21.xyz) {
        return 301 https://$host$request_uri;}  # managed by Certbot

	listen 80;
	listen [::]:80;

 	server_name y21.xyz;
	root /var/www/y21-wp;
	# Add index.php to the list if you are using PHP 
	index index.html index.htm index.nginx-debian.html;
}

server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot

	server_name y21.xyz;
	root /var/www/y21-wp;

	# Add index.php to the list if you are using PHP 
	index index.html index.htm index.nginx-debian.html;

#	ssl_certificate /etc/ssl/y21.xyz.crt;
#	ssl_certificate_key /etc/ssl/y21.xyz.key;
    
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_certificate /etc/letsencrypt/live/y21.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/y21.xyz/privkey.pem; # managed by Certbot
}

It produced this output on FF/Even on mobile: An error occurred during a connection to y21.xyz. PR_END_OF_FILE_ERROR

My web server is (include version): Nginx 1.14.0

The operating system my web server runs on is (include version): Linux 1c-3g-60g-3tb 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

1 Like

Hi @BathindaHelper

there is a check of your domain, ~~30 minutes old - https://check-your-website.server-daten.de/?q=y21.xyz

Good: You have created two certificates.

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-11-26 2020-02-24 y21.xyz - 1 entries duplicate nr. 1
Let’s Encrypt Authority X3 2019-11-21 2020-02-19 www.y21.xyz, y21.xyz - 2 entries duplicate nr. 1

So it’s not a certificate creation, only a certificate installation problem.

What says

nginx -T

Do you have multiple

Perhaps remove the ipv6 listen to see, if that changes something.

Works it internal?

curl https://y21.xyz/
2 Likes

Now there is a new check.

The non-www domain has a Grade B -> the certificate is 90 days valid.

What was the problem?

1 Like

Nginx -T is like this (they are actually 2 conf files inside ‘conf.d’ directory. One ‘y21.conf’ I though have already pasted above, but anyway, here goes the output of the command):

root@1c-3g-60g-3tb:~# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/bathinda.conf:
server {
        listen 80;
        listen [::]:80;

        server_name bathinda.xyz;
        root /var/www/bathinda;
                index index.html index.htm index.nginx-debian.html index.php;

# If you comment the above line (/var/www/5), then uncomment the next one.
#       return 404; # managed by Certbot

    if ($host = bathinda.xyz) {
        return 301 https://$host$request_uri;} # managed by Certbot
}

server {
  listen 443 ssl http2;  listen [::]:443 ssl http2;
  server_name bathinda.xyz;  # <-- change this

#  ssl on; #the following is the path of ssl certs if you generated them thru certbot, not thru disco installation.
#       ssl_certificate      /etc/ssl/certs/chosen_name.crt;
#       ssl_certificate_key  /etc/ssl/private/chosen_name.key;
#       ssl_certificate      /var/discourse/shared/web_only/letsencrypt/bobu.xyz/bobu.xyz.cer; #this path is guess from disco orig installation.
#       ssl_certificate_key    /var/discourse/shared/web_only/letsencrypt/bobu.xyz/bobu.xyz.key; #this path is guess from disco orig installation.
#       ssl_certificate      /var/discourse/shared/bathinda/ssl/bathinda.xyz.cer;
#       ssl_certificate_key  /var/discourse/shared/bathinda/ssl/bathinda.xyz.key;


  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  add_header Strict-Transport-Security "max-age=63072000;";
#  ssl_stapling on; #(for increased security, disco uses stapling, but I had to turn it off if I built the disco my way, from self signed certs)
  ssl_stapling_verify on;

  client_max_body_size 0;

  location / {
    proxy_pass http://unix:/var/discourse/shared/bathinda/nginx.http.sock:;
    proxy_set_header Host $http_host;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Real-IP $remote_addr;
  }

  location /errorpages/ {
    alias /var/www/errorpages/;
  }
  error_page 502 =502 /errorpages/discourse_offline.html;
  error_page 504 =504 /errorpages/discourse_offline.html;
  proxy_intercept_errors on;
}
# configuration file /etc/nginx/conf.d/y21-wp.conf:
server {
    listen 80;
    listen [::]:80;

#    return 302 https://$server_name$request_uri;
     server_name y21.xyz;
        root /var/www/y21-wp;
        index index.html index.htm index.nginx-debian.html;

}

server {
       listen 443 ssl;
       listen [::]:443 ssl;

# Uncomment the below line if it works ok (it should, if you created the snippets files).
#        include /etc/nginx/snippets/ssl-params.conf;

        server_name y21.xyz;
        root /var/www/y21-wp;
        index index.html index.htm index.nginx-debian.html;

        ssl_certificate /etc/letsencrypt/live/y21.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/y21.xyz/privkey.pem;

        location / {
                try_files $uri $uri/ =404;
        }
}

And curl command:

root@1c-3g-60g-3tb:~# curl https://y21.xyz/
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to y21.xyz:443
1 Like

Your last check - there is html-content.

Domainname Html-Element name/equiv/ property/rel href/src/content HttpStatus msg Status
https://y21.xyz/
139.59.84.48 a http://nginx.com/ 1 ok
a http://nginx.org/ 1 ok
https://www.y21.xyz/
139.59.84.48 a http://nginx.com/ 1 ok
a http://nginx.org/ 1 ok

So your configuration had worked - one minute.

2 Likes

I was experimenting a lot. But don’t know why isn’t it working.
But now I’ve stopped experimenting and am waiting for your reply.

Can you pls tell what this curl command result is telling?
And if its wrong, what should be the expected result here of this curl command?

The html output of your page is expected.

Test

curl https://community.letsencrypt.org/
curl https://www.google.com/

or with the -I parameter, then you see only the headers. So it’s not possible to create a SSL-connection internal.

But as written:

I’ve pasted the output for nginx -T.
Do you see any errors there? You say it worked for a moment. Then I was changing code in the conf files (was just experimenting a bit).

Actually I’ve two websites on the same droplet. Thus 2 conf files.

When I generated and installed ssl certificates, there were successful msgs. Without any errors.

When I check out and reload nginx, there are no errors. All ok.

When certs are OK. Nginx is ok. Http version is ok. What remains?

The last check is from 15:16:02, so ~~ 120 minutes - https://check-your-website.server-daten.de/?q=y21.xyz

Checked internal, https has send the complete nginx default website with a valid SSL-connection.

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Inside www/y21-wp</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

So that time -> there was a valid and working configuration.

2 Likes

Do you mean that we no longer can find the fault? (since it was working fine when we last checked it)

I sincerely hope, if you could just give me a vague idea /direction.

I deleted the other file (which was meant for another website), lying in its neighbourhood.
And then it works fine.

I’ll see what that file is doing wrong later on (although nginx -t tests ok even on that file, still that file seems to be the root of the problem).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.