Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: ggc.world
I ran this command:
Hi!,
Following these well done indications: https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8 I installed the certification:
(base) marco@pc01:~$ sudo nano /etc/nginx/sites-available/ggc.world.conf
server {
listen 80;
listen [::]:80;
server_name ggc.world www.ggc.world;
root /var/www/ggc.world;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
(base) marco@pc01:~ sudo rm /etc/nginx/sites-enabled/default
(base) marco@pc01:~ sudo ln -s /etc/nginx/sites-available/ggc.world.conf /etc/nginx/sites-enabled/ggc.world.conf
(base) marco@pc01:~ sudo systemctl reload nginx
(base) marco@pc01:~ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-02-11 11:16:22 CET; 1h 3min ago
Docs: man:nginx(8)
Process: 19025 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
Main PID: 4461 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─ 4461 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─19026 nginx: worker process
├─19027 nginx: worker process
├─19028 nginx: worker process
├─19029 nginx: worker process
├─19030 nginx: worker process
├─19031 nginx: worker process
├─19032 nginx: worker process
└─19033 nginx: worker process
feb 11 11:16:22 pc01 systemd[1]: Starting A high performance web server and a reverse proxy server…
feb 11 11:16:22 pc01 systemd[1]: Started A high performance web server and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
(base) marco@pc01:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(base) marco@pc01:~ sudo apt-get update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu bionic InRelease
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88,7 kB]
Get:4 http://it.archive.ubuntu.com/ubuntu bionic-updates InRelease [88,7 kB]
Hit:5 http://dl.google.com/linux/chrome/deb stable Release
Get:6 http://it.archive.ubuntu.com/ubuntu bionic-backports InRelease [74,6 kB]
Get:8 http://it.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [851 kB]
Get:9 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [38,6 kB]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 48x48 Icons [17,6 kB]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 64x64 Icons [41,5 kB]
Get:12 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [42,1 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [111 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2.464 B]
Get:15 http://it.archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [294 kB]
Get:16 http://it.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 48x48 Icons [73,8 kB]
Get:17 http://it.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 64x64 Icons [140 kB]
Get:18 http://it.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [264 kB]
Get:19 http://it.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 48x48 Icons [203 kB]
Get:20 http://it.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 64x64 Icons [464 kB]
Get:21 http://it.archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2.468 B]
Get:22 http://it.archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [8.280 B]
Fetched 2.807 kB in 1s (3.005 kB/s)
Reading package lists... Done
(base) marco@pc01:~ sudo apt-get install software-properties-common
Reading package lists… Done
Building dependency tree
Reading state information… Done
software-properties-common is already the newest version (0.96.24.32.12).
software-properties-common set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
(base) marco@pc01:~ sudo add-apt-repository universe
'universe' distribution component is already enabled for all sources.
(base) marco@pc01:~ sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let’s Encrypt Team and backported for Ubuntu.
Note: Packages are only provided for currently supported Ubuntu releases.
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or Ctrl-c to cancel adding it.
Hit:1 http://it.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://it.archive.ubuntu.com/ubuntu bionic-backports InRelease
Ign:4 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:5 http://security.ubuntu.com/ubuntu bionic-security InRelease
Get:6 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease [21,3 kB]
Hit:7 http://dl.google.com/linux/chrome/deb stable Release
Get:9 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main amd64 Packages [8.032 B]
Get:10 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main i386 Packages [8.028 B]
Get:11 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main Translation-en [4.176 B]
Fetched 41,5 kB in 1s (58,8 kB/s)
Reading package lists… Done
(base) marco@pc01:~$ sudo apt-get update
Hit:1 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu bionic InRelease
Ign:3 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 http://it.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://it.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:6 http://dl.google.com/linux/chrome/deb stable Release
Hit:7 http://security.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists… Done
(base) marco@pc01:~ sudo apt-get install certbot python-certbot-nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.31.0-1+ubuntu18.04.1+certbot+1).
python-certbot-nginx is already the newest version (0.31.0-1+ubuntu18.04.1+certbot+1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
(base) marco@pc01:~ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): ippolito.marco@gmail.com
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
(A)gree/©ancel: A
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: N
Which names would you like to activate HTTPS for?
1: ggc.world
2: www.ggc.world
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ggc.world
http-01 challenge for www.ggc.world
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/ggc.world.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/ggc.world.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/ggc.world.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/ggc.world.conf
Congratulations! You have successfully enabled https://ggc.world and
https://www.ggc.world
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ggc.world
https://www.ssllabs.com/ssltest/analyze.html?d=www.ggc.world
IMPORTANT NOTES:
-
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ggc.world/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ggc.world/privkey.pem
Your cert will expire on 2020-05-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew all of
your certificates, run “certbot renew” -
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal. -
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Following the indications here: https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8
I then modified /etc/nginx/sites-available/ggc.world.conf and /etc/letsencrypt/options-ssl-nginx.conf for a tighter security:
(base) marco@pc01:~$ sudo nano /etc/nginx/sites-available/ggc.world.conf
server {
server_name ggc.world www.ggc.world;
root /var/www/ggc.world;
index index.html;
location / {
try_files $uri $uri/ =404;
}
#listen [::]:443 ssl ipv6only=on; # managed by Certbot
#listen 443 ssl; # managed by Certbot
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
gzip off;
ssl_certificate /etc/letsencrypt/live/ggc.world/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ggc.world/privkey.pem; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/ggc.world/chain.pem;
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.ggc.world) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = ggc.world) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name ggc.world www.ggc.world;
return 404; # managed by Certbot
}
(base) marco@pc01:~$ sudo nano /etc/letsencrypt/options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
I then reloaded and restarted nginx server:
(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl start nginx
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-02-11 11:16:22 CET; 1h 30min ago
Docs: man:nginx(8)
Process: 23810 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
Main PID: 4461 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─ 4461 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─23813 nginx: worker process
├─23815 nginx: worker process
├─23816 nginx: worker process
├─23817 nginx: worker process
├─23818 nginx: worker process
├─23819 nginx: worker process
├─23820 nginx: worker process
└─23821 nginx: worker process
feb 11 11:16:22 pc01 systemd[1]: Starting A high performance web server and a reverse proxy
server...
feb 11 11:16:22 pc01 systemd[1]: Started A high performance web server and a reverse proxy
server.
feb 11 11:59:29 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy
server.
feb 11 11:59:29 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy
server.
feb 11 12:19:28 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy
server.
feb 11 12:19:28 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy
server.
feb 11 12:46:16 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy
server.
feb 11 12:46:16 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy
server.
(base) marco@pc01:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
It produced this output:
According to https://www.ssllabs.com/ssltest/analyze.html?d=www.ggc.world the overall rating reached is A: https://drive.google.com/open?id=1VdItr6osTNCedxQ8OZcKQC4eVi9f8IC_
I then checked with https://check-your-website.server-daten.de/ :
https://check-your-website.server-daten.de/?q=ggc.world
and I see two errors:
|C| Error - no version with Http-Status 200|
|H| fatal error: No https - result with http-status 200, no encryption
My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 18.04.4 Desktop
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you’re using Certbot): certbot --version certbot 0.31.0