My domain is: atasapr.org
My web server is (include version):
nginx 1.22.1
The operating system my web server runs on is (include version):
Rocky Linux
My hosting provider, if applicable, is:
Vultr
The version of my client is:
2.11.0
I followed along with the steps detailed on this page: Nginx + certbot - redirect https www to https and I was unable to get the results I want. Testing within web browsers produces varied results, where sometimes http variants of the URL work, and in other cases they do not. Using a Python script as well as using uptrends.com shows that all http pages fail. The browsers were tried in private tabs to sidestep cache.

After being unsuccessful with the steps detailed on that page, I tried modifying the configuration. I had certificate issues when the certificate issued to the root URL was being applied to the subdomain, and I also did not see a reason to have a server block for the www subdomain considering this should redirect to root at the DNS level via a CNAME record. Current config attached. Any help resolving this greatly appreciated.

nginx.txt (2.4 KB)
You can change your nginx configuration all you want, but that's not where the (current) issue is: your IP address is entirely unresponsive on port 80, even though it's responding on port 22 (SSH) and 443 (HTTPS). Most likely a firewall problem blocking access to TCP port 80.
You listen for IPv6 in all of your server blocks except the one for port 443 and your www subdomain. This is not harmful at the moment since you do not have an AAAA address in your DNS. But, it is an easy thing to forget or notice if you ever do since your other ones do listen properly.
Your cert only has your apex name in it. So, requests going directly to your www subdomain will fail as its cert does not include its name.
Using a browser is not a great way to test redirects. Something as simple as curl will show what is happening better. Some browsers will try both HTTP and HTTPS simultaneously and use HTTPS if it worked. Other browsers will not.
For example
curl -I http://www.atasapr.org
curl: (7) Failed to connect to www.atasapr.org port 80 after 47 ms:
No route to host
curl -I https://www.atasapr.org
curl: (60) SSL: no alternative certificate subject name matches
target host name 'www.atasapr.org'
curl -I https://atasapr.org
HTTP/1.1 200 OK
Server: nginx
(...)
Oh, and a CNAME record only redirects DNS queries. So, your www subdomain will have the IP for the name it points to. But, the HTTP(S) requests will be handled by your nginx server.
The most recent certificate was issued by Let’s Encrypt; previous ones were not. However, the important point about the previous certificates is that they were certificates containing wildcard domain names. The present certificate only contains the name atasapr.org, so www.atasapr.org is no longer covered.
Demonstrating the currently being served certificate crt.sh | 14529899938 for both atasapr.org and www.atasapr.org, which only contains the name atasapr.org.
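Added example, not part of any post in this thread: a small Python check for the two faults the replies identify, TCP port 80 being unreachable and the served certificate's names not covering the requested host. The function names are hypothetical, the wildcard name in the comments is constructed for illustration, and only whole-label `*` wildcards are handled.

```python
import socket
import ssl
import sys

def san_covers(hostname, sans):
    """True if a DNS SAN matches hostname; '*' stands for exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        pat = san.lower().rstrip(".").split(".")
        # Same label count is required, so *.atasapr.org covers www.atasapr.org
        # but neither the apex atasapr.org nor a.www.atasapr.org.
        if len(pat) == len(host) and pat[1:] == host[1:] and pat[0] in ("*", host[0]):
            return True
    return False

def port_open(host, port, timeout=5):
    """Plain TCP connect, the same thing curl attempts before any HTTP is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def served_sans(host, timeout=5):
    """Return the DNS names in the certificate served for host on port 443."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared below
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def findings(host, port80_open, sans):
    """Turn the raw observations into the problems described in the replies."""
    out = []
    if not port80_open:
        out.append(f"{host}: TCP 80 unreachable, the HTTP redirect can never be served")
    if not san_covers(host, sans):
        out.append(f"{host}: served certificate names {sans} do not cover this host")
    return out

if __name__ == "__main__":
    # Usage (assumed file name): python check_redirect.py atasapr.org www.atasapr.org
    for h in sys.argv[1:]:
        for line in findings(h, port_open(h, 80), served_sans(h)) or [f"{h}: ok"]:
            print(line)
```

Run against both the apex and the www name; a CNAME only changes which IP the name resolves to, so each name still needs port 80 reachable and a certificate that lists it.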