Generated Certs Not Working (Digital Ocean - Nginx + Ubuntu Tutorial)

lendoza · March 14, 2017, 12:43am

Hello.

I have a digital ocean server setup that is utilizing nginx and ubuntu with 4 different domain names:

http://campusnow.com (needs letsencrypt)
https://intelligenteconomist.com (using comodo ssl already)
https://prateekargarwal.com (has letsencrypt installed already)
http://psons.com (needs letsencrypt)

I am attempting to set ssl certificates using this video: https://www.youtube.com/watch?v=m9aa7xqX67c and accompanying blog post: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

I have generated the ssl certificates and they can be found in /etc/letsencrypt/live/campusnow.com and /etc/letsencrypt/live/psons.com directories

I have also set my server blocks for /etc/nginx/sites-available/campusnow.com, /etc/nginx/sites-enabled/campusnow.com, /etc/nginx/sites-available/campusnow.com.conf and /etc/nginx/sites-enabled/campusnow.com.conf to be:

server {
        listen 80;
        server_name campusnow.com www.campusnow.com;
        return 301 https://$host$request_uri;
}

server {

        listen 443 ssl;
        server_name campusnow.com www.campusnow.com;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/campusnow.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/campusnow.com/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        # ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA3$
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;
}

I have done an identical setup for psons.com in directories specific for psons

If anyone could help me understand where I have went wrong and why these certificates are not working I would greatly appreciate it.

schoen · March 14, 2017, 12:46am

Hi @lendoza, could you explain more about exactly what isn't working and what error messages you see?

lendoza · March 14, 2017, 12:51am

I am receiving no error messages in my terminal.

When I run ‘sudo nginx -t’ everything is ok

I’m not sure what other information I can provide

The certificates are in there correct position and I believe the server blocks I have written are correct but when I navigate to campusnow.com or psons.com they are not secured

lendoza · March 14, 2017, 1:02am

This is my /etc/nginx/sites-available/default and my /etc/nginx/sites-enabled/default server block:

# You may add here your
# server {
#       ...
# }
# statements for each of your virtual hosts to this file

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

server {
#       listen 81 default_server;
#       listen [::]:81 default_server ipv6only=on;

        listen 443 ssl;

        root /usr/share/nginx/html;
        index index.html index.htm;

        # Make site accessible from http://localhost/
        server_name localhost;
        location ~ /.well-known {
                allow all
        }

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
                # Uncomment to enable naxsi on this location
                # include /etc/nginx/naxsi.rules
        }

        # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
        #location /RequestDenied {
        #       proxy_pass http://127.0.0.1:8080;
        #}

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page 500 502 503 504 /50x.html;


        # Make site accessible from http://localhost/
        server_name localhost;
        location ~ /.well-known {
                allow all
        }

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
                # Uncomment to enable naxsi on this location
                # include /etc/nginx/naxsi.rules
        }

        # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
        #location /RequestDenied {
        #       proxy_pass http://127.0.0.1:8080;
        #}

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page 500 502 503 504 /50x.html;
        #location = /50x.html {
        #       root /usr/share/nginx/html;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #       # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        #
        #       # With php5-cgi alone:
                fastcgi_pass 127.0.0.1:9000;
                # With php5-fpm:
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}

schoen · March 14, 2017, 4:45am

What error message do you receive in your browser?

schoen · March 14, 2017, 4:47am

OK, I noticed that all of your virtual hosts are serving the intelligenteconomist cert that you had before. Can you post the configuration for that virtual host too?

lendoza · March 14, 2017, 6:26pm

I just spoke with the site owner and he has told me that the https://intelligenteconomist.com cert was setup by another developer and I’m not sure how he went about doing that nor do I know where to look in my server configuration in order to find that setup.

https://prateekargarwal.com was setup by the site owner using this tutorial: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

However, this server no longer uses apache and instead uses nginx virtual hosts.

http://campusnow.com, https://intelligenteconomist, and http://psons.com are all located in my /etc/letsencrypt/live folder as well.

schoen · March 14, 2017, 6:27pm

Maybe grep -lr intelligenteconomist /etc/nginx ?

lendoza · March 14, 2017, 6:37pm

That returned /etc/nginx/sites-enabled/intelligenteconomist.com.conf which I set up using the aforementioned nginx/ubuntu/digital-ocean method

server {
    listen 80;
    server_name intelligenteconomist.com www.intelligenteconomist.com
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl;

    server_name intelligenteconomist.com www.intelligenteconomist.com;
    return 301 https://$server_name$request_uri;

    ssl on;
    ssl_certificate  /etc/letsencrypt/live/intelligenteconomist.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/intelligenteconomist.com/privkey.pem;

    sl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:E$
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
}

system · April 13, 2017, 6:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.