Https not working after Certbot modifies nginx conf

Hi all,

I have an openSUSE (v15.3) server. It has been running nginx with http for some time. I have recently installed Certbot onto a test domain, and successfully installed the certificate. Certbot modified my nginx conf (for that domain) as shown below.

Unfortunately, it is NOT working, and I am seeking help to fix it.

server {

    server_name my.domain.name *.my.domain.name;

    # access_log / error_log take a path (or "off"); "access_log on;" is read
    # by nginx as a file literally named "on", so the path forms are all that
    # is needed to turn logging on
    access_log  /BaseFolder/my.domain.name/logs/access.log;
    error_log   /BaseFolder/my.domain.name/logs/error.log;

    location / {
        root /BaseFolder/my.domain.name/defaultpage/;
        index index.html;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my.domain.name/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.domain.name/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = my.domain.name) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;

    server_name my.domain.name *.my.domain.name;
    return 404; # managed by Certbot

}

I did the following tests using Firefox:-
Localnet:-
http://my.domain.name = okay
https://my.domain.name = "Unable to connect"
http://IPAddress = okay
https://IPAddress = "Unable to connect"

Internet:-
http://my.domain.name = okay
https://my.domain.name = "The connection has timed out"
http://IPAddress = okay
https://IPAddress = "The connection has timed out"

There is a variation when using a browser:-
Localnet:-
http://www.my.domain.name = 404 (this is from "return 404; # managed by Certbot")
http://my.domain.name = gets converted to https://my.domain.name, but then fails with "net::ERR_CONNECTION_REFUSED"

Internet:-
http://www.my.domain.name = 404 (this is from "return 404; # managed by Certbot")
http://my.domain.name = gets converted to https://my.domain.name, but then fails with "net::ERR_CONNECTION_TIMED_OUT"

I have logs turned on everywhere with nginx, but I can't find anything in the logs that is helpful.

I have checked that port 443 is open - it is!
I have run nginx -T - all good.

Any help would be much appreciated.
Pedro

Hi @PoQStacker, and welcome to the LE community forum :slight_smile:

Is the firewall open for port 443?

From the Internet?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Thank you for looking at this case.

My domain is:

Petersplace.net.au (*.petersplace.net.au)

I ran this command:

Please view topic

It produced this output:

My web server is (include version):

Nginx 1.19.8

The operating system my web server runs on is (include version):

Opensuse 15.3

My hosting provider, if applicable, is:

NA

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version 1.22.0

Your port 80 is open but port 443 is not. Check your firewall and router, if you have one.

nmap petersplace.net.au -p80,443

rDNS record for 14.201.33.13: 14-201-33-13.static.tpgi.com.au
PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https


Thank you for your assistance with my issue.

If there is a blockage, it is not at my end. I am looking at what is upstream from me that can do this...

With a 443 port blockage, is it typical to get a 'timeout error' or a 'denial error'?

In the meantime, I have fixed a bug in the certbot conf settings. Making the changes below has made an improvement - I don't get the 404 error...

set $a 0;
if ( $host = 'petersplace.net.au' ){
    set $a 1;
}
# "=" is an exact string comparison, so '*.petersplace.net.au' never matches a
# real hostname; "~" does a regular-expression match against any subdomain
if ( $host ~ '^.+\.petersplace\.net\.au$' ){
    set $a 1;
}
if ( $a = 1 ){
    return 301 https://$host$request_uri;
}

Pedro
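The nmap "filtered" state reported above and the timeout-versus-denial question come down to what a TCP connect attempt gets back: a RST (connection refused, nothing listening or a firewall REJECT) versus silence until the timeout (packets dropped somewhere upstream). The probe below is an added example, not code from any poster in this thread; it uses only the Python standard library, and local_listener() and closed_port() are constructed loopback fixtures so it runs without network access.

```python
import socket
import threading

def probe_port(host, port, timeout=3.0):
    """Classify a TCP port roughly the way nmap reports it:
    'open'     - handshake completed, something is listening
    'refused'  - a RST came back (nothing bound, or a firewall REJECT rule);
                 browsers show this as net::ERR_CONNECTION_REFUSED
    'filtered' - no answer before the timeout (packets silently dropped by a
                 firewall, modem or ISP); browsers show this as a timeout"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # e.g. no route to host at all
        return "error: %s" % exc.strerror

def check_web_ports(host, ports=(80, 443), timeout=3.0):
    """Probe the ports a web server should expose; returns {port: state}.
    Run it from OUTSIDE the LAN against your own hostname to see what the
    Internet sees (e.g. from a tethered laptop, as in the thread)."""
    return {port: probe_port(host, port, timeout) for port in ports}

# Constructed loopback fixtures so the example runs without network access.
def local_listener():
    """Bind an ephemeral loopback port, accept once in the background and
    return (listening socket, port); the caller probes it, then closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_quietly():
        try:
            srv.accept()[0].close()
        except OSError:
            pass

    threading.Thread(target=accept_quietly, daemon=True).start()
    return srv, srv.getsockname()[1]

def closed_port():
    """Return a loopback port with nothing bound to it (expect 'refused')."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Probing the local listener returns "open" and the unbound port "refused"; a port that a modem or ISP silently drops, like the 443 seen from the Internet here, comes back "filtered" after the timeout.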

Just to be clear:
Wildcard certs require DNS authentication [not HTTP authentication].

I reviewed the topic, I can't find the command.


There is a blockage (no if). Port 80 still is open but port 443 is blocked.

This site cannot reach your https site from several places around the world. I can't reach it from US:

curl -I https://petersplace.net.au
curl: (28) Failed to connect to petersplace.net.au port 443 after 131288 ms: Connection timed out

Can you describe more about your hosting? Are you hosting at home?

If at home check each piece of equipment from your server which connects to your ISP. You have some sort of modem or router connecting to your ISP. You might have other equipment between that and your server. Check all of them.

There is nothing in the wide internet infrastructure that could do this. It is most likely on your premises or less likely in your hosting service.

EDIT:
Can you reach your https site from outside your local network? Maybe try a mobile phone but disable wifi so it uses the cell network.


These are the commands that I ran...

I did the following tests using Firefox:-
Localnet:-
http://my.domain.name = okay
https://my.domain.name = "Unable to connect"
http://IPAddress = okay
https://IPAddress = "Unable to connect"

Internet:-
http://my.domain.name = okay
https://my.domain.name = "The connection has timed out"
http://IPAddress = okay
https://IPAddress = "The connection has timed out"

There is a variation when using a browser:-
Localnet:-
http://www.my.domain.name = 404 (this is from "return 404; # managed by Certbot")
http://my.domain.name = gets converted to https://my.domain.name, but then fails with "net::ERR_CONNECTION_REFUSED"

Internet:-
http://www.my.domain.name = 404 (this is from "return 404; # managed by Certbot")
http://my.domain.name = gets converted to https://my.domain.name, but then fails with "net::ERR_CONNECTION_TIMED_OUT"

Regards
Pedro

This is the way I have been testing it - I tethered my laptop to my phone, then I can switch it from internal to external.

Yes, I am hosting at this location. I have been running the site for many years using http - all good. I am looking to transition to https - petersplace.net.au is just a trial.

I have been in contact with ALL parties upstream. I suspect it is the modem my ISP has provided. My ISP is trying to locate an earlier model which MAY resolve this issue.

When I started this topic, I had 3 problems - 404, Timeout, Denial. Hopefully, I have fixed the 404. But will unblocking 443 fix the other 2?

Regards
Pedro

Yes, it should.

We can test that nginx is listening. Show output of this:

sudo netstat -pant | grep -i listen | grep -E '80|443|nginx'

netstat is not a part of openSUSE. I can use:-

sudo lsof -i -P -n|grep LISTEN

which gives me:
nginx ****** root 18u IPv4 904275 0t0 TCP *:80 (LISTEN)
nginx ****** root 19u IPv4 904276 0t0 TCP *:443 (LISTEN)

Regards
Pedro


Thank you very much for the heads-up on the wildcard certificates.

I will look further into that when I get time. In the meantime, I have split my domain into two separate certificates (petersplace.net.au & www.petersplace.net.au).

Regards
Pedro


An update:- I have received a replacement modem from my ISP; this has resolved the port 443 blockage. However, it has created some other challenges for me...

Thank you everyone for your assistance with this matter.

Regards
Pedro

