Error Type: connection Detail: Fetching

Hi,
The IP I have given is correct 172.104.239.204. And if you just look for 172.104.239.204 in the broswer, it gives the Nginx default page.
Looks like there is some mixup somewhere.

Running command :
root@localhost:~# curl http://openbooksocial.com

301 Moved Permanently

301 Moved Permanently


nginx/1.17.10 (Ubuntu)

Check your DNS records in Softlayer. You will see that you have 172.109 in your DNS A record (some random FCC IP) rather than 172.104 (your Linode).

Your local curl test notwithstanding (which is probably affected by /etc/hosts on that machine), your A record is incorrect.

1 Like

Hi,
Ok there was some goofup in IP. Now the IP is 172.104.239.204
I did get the certificate.
But now I have problem starting my nginx.

Blockquote
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-06-26 05:15:57 UTC; 1min 4s ago
Docs: man:nginx(8)
Process: 16051 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Jun 26 05:15:57 localhost systemd[1]: Starting A high performance web server and a reverse proxy server…
Jun 26 05:15:57 localhost nginx[16051]: nginx: [emerg] cannot load certificate “/etc/letsencrypt/live/example.com/fullchain.pem”: BIO_new_file() failed (SSL: error>
Jun 26 05:15:57 localhost nginx[16051]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jun 26 05:15:57 localhost systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jun 26 05:15:57 localhost systemd[1]: nginx.service: Failed with result ‘exit-code’.
Jun 26 05:15:57 localhost systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Blockquote

certbot response:

Blockquote root@localhost# certbot --nginx -d openbooksocial.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for openbooksocial.com
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mastodon
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/mastodon
Congratulations! You have successfully enabled https://openbooksocial.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=openbooksocial.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/openbooksocial.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/openbooksocial.com/privkey.pem
    Your cert will expire on 2020-09-24. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Does that REALLY say “example.com” ?
If so, there is your problem.
There is no such cert nor path.
If not, and you just changed it before posting… You missed the real domain in a while lot of other places.
[So I don’t really think this was an intentional “coverup” fail]

1 Like

hi @rg305 No, there is no cover up. Its actually example.com in the output.

In my files I have :

dir /etc/letsencrypt/live/openbooksocial.com/

cert.pem chain.pem fullchain.pem privkey.pem README

Sorry, my bad. Had missed updating site name for letsencrypt setting.

So did you get it working?

My Nginx server is working http://172.104.239.204/
But the server block at https://openbooksocial.com/ with mastodon install, is not redirecting properly.
Any clue would be great. Thanks!

The redirection seems to be looping:

curl -Iki http://openbooksocial.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.17.10 (Ubuntu)
Date: Fri, 26 Jun 2020 07:30:17 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://openbooksocial.com/

curl -Iki https://openbooksocial.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.17.10 (Ubuntu)
Date: Fri, 26 Jun 2020 07:30:20 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://openbooksocial.com/

HTTP > HTTPS [this is good]
HTTPS > ITSELF [this is bad - endless loop]

Can we see the vhost configs for HTTP and HTTPS?

Thanks.
Can we see the vhost configs for HTTP and HTTPS?

Do you know your way around NGINX?
If not, show the output of:
grep -Eri 'server_name|SSL|listen' /etc/nginx/

Are you using anything like WordPress?

Not Wordpress. Its Mastodon.

root@localhost:/var/www/html# grep -Eri ‘server_name|SSL|listen’ /etc/nginx/
/etc/nginx/fastcgi.conf:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/uwsgi_params:uwsgi_param SERVER_NAME $server_name;
/etc/nginx/nginx.conf: # server_names_hash_bucket_size 64;
/etc/nginx/nginx.conf: # server_name_in_redirect off;
/etc/nginx/nginx.conf: # SSL Settings
/etc/nginx/nginx.conf: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
/etc/nginx/nginx.conf: ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf:# listen localhost:110;
/etc/nginx/nginx.conf:# listen localhost:143;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/sites-available/mastodon: server_name openbooksocial.com;
/etc/nginx/sites-available/mastodon: listen [::]:443 ssl ipv6only=on; # managed by Certbot
/etc/nginx/sites-available/mastodon: listen 443 ssl; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon: include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon:#listen 443;
/etc/nginx/sites-available/mastodon:# listen 443 ssl http2;
/etc/nginx/sites-available/mastodon: # listen [::]:443 ssl http2;
/etc/nginx/sites-available/mastodon:# server_name openbooksocial.com;
/etc/nginx/sites-available/mastodon:# ssl_protocols TLSv1.2 TLSv1.3;
/etc/nginx/sites-available/mastodon: # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
/etc/nginx/sites-available/mastodon: # ssl_prefer_server_ciphers on;
/etc/nginx/sites-available/mastodon: #ssl_session_cache shared:SSL:10m;
/etc/nginx/sites-available/mastodon:# ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem;
/etc/nginx/sites-available/mastodon: # ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem;
/etc/nginx/sites-available/mastodon: listen 80;
/etc/nginx/sites-available/mastodon: listen [::]:80;
/etc/nginx/sites-available/mastodon: server_name openbooksocial.com;
/etc/nginx/sites-available/default: listen 80 default_server;
/etc/nginx/sites-available/default: listen [::]:80 default_server;
/etc/nginx/sites-available/default: # server_name openbooksocial.com;
/etc/nginx/sites-available/default: # SSL configuration
/etc/nginx/sites-available/default: # listen 443 ssl default_server;
/etc/nginx/sites-available/default: # listen [::]:443 ssl default_server;
/etc/nginx/sites-available/default: # Note: You should disable gzip for SSL traffic.
/etc/nginx/sites-available/default: # Read up on ssl_ciphers to ensure a secure configuration.
/etc/nginx/sites-available/default: # Self signed certs generated by the ssl-cert package
/etc/nginx/sites-available/default: server_name _;
/etc/nginx/sites-available/default:# listen 80;
/etc/nginx/sites-available/default:# listen [::]:80;
/etc/nginx/sites-available/default:# server_name example.com;
/etc/nginx/snippets/snakeoil.conf:# Self signed certificates generated by the ssl-cert package
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/scgi_params:scgi_param SERVER_NAME $server_name;

OK, all the “magic” seems to be happening here:
/etc/nginx/sites-available/mastodon

Let’s have a look at that entire file.


root@localhost:/var/www/html# cat /etc/nginx/sites-available/mastodon
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

upstream backend {
    server 127.0.0.1:3000 fail_timeout=0;
}

upstream streaming {
    server 127.0.0.1:4000 fail_timeout=0;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;

server {
  server_name openbooksocial.com;
  root /home/mastodon/live/public;
#root /var/www/html;
 location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
#listen 443;
#return 301 http://$host$request_uri;


#  listen 443 ssl http2;
 # listen [::]:443 ssl http2;
#  server_name openbooksocial.com;

#  ssl_protocols TLSv1.2 TLSv1.3;
 # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
 # ssl_prefer_server_ciphers on;
  #ssl_session_cache shared:SSL:10m;

  # Uncomment these lines once you acquire a certificate:

# ssl_certificate     /etc/letsencrypt/live/openbooksocial.com/fullchain.pem;
  # ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;


  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

#  add_header Strict-Transport-Security "max-age=31536000";

  location / {
    try_files $uri @proxy;
  }

  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;
    add_header Strict-Transport-Security "max-age=31536000";

    tcp_nodelay on;
  }

  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";

    proxy_pass http://streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  error_page 500 501 502 503 504 /500.html;
}


server {
    if ($host = openbooksocial.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  listen [::]:80;
  server_name openbooksocial.com;
    return 404; # managed by Certbot


}
root@localhost:/var/www/html#

Please edit your post and add a line above and below with just these three back ticks:
```

[so we can read it better]

This block doesn’t need to redirect:

server {
  server_name openbooksocial.com;
  root /home/mastodon/live/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; } <<<<<<<<<<<<<<<<<<  take this out 
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

This block doesn’t have a listen statement…
So I’m not sure what it does, if anything:

server {
  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;
  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  location / {
    try_files $uri @proxy;
  }
  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }
  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }
  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;
    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;
    add_header Strict-Transport-Security "max-age=31536000";
    tcp_nodelay on;
  }
  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass http://streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    tcp_nodelay on;
  }
  error_page 500 501 502 503 504 /500.html;
}

So what do you suggest?
Should I include

 listen 443;

Edit :No this does not work.

I suggest you first figure out why that block exists.
There are already two blocks for that FQDN.
The one that listens on 80 - which is doing it’s job just fine (sending everything it hears to 443]
And the one that listens on 443 - which had that extra redirection which you should have removed.
So I don’t know why that third blocks exists nor what you should do with it.
Perhaps it is somehow used/required for mastodon - I would not know.
If so, it might need to go into the block that listens on 443 - but again, I am not sure about it.