HTTPS unreachable for no apparent reason

Lea.cookie · June 23, 2023, 8:41pm

Hello, I have been struggling to get my website running with my certificate, it works with http but not with https, so my index.html in var/www/html can be found. I've tried pretty much everything I found and the page just wont load. This is my first time setting up a server and don't understand what most of the errors in the errorlog below mean.
I have a redirect from http to https, I only did that after making sure the http is working fine, taking out the redirect and loading the http works fine.

I am not hosting on Strato, we only got the domain and www subdomain from there, I am hosting on BWCloud(a cloud platform developed and operated by the government of Baden-Württemberg in Germany). It offers a range of cloud services and infrastructure for public sector organizations, such as government agencies and educational institutions, students at our university use it on a regular and a friend of mine has no issues with it, the only difference is that he uses apache, but that is very unlikely to be the reason.

SSL Labs only respons with "Assessment failed: Unable to connect to the server" but I don't get why.

If you need any more information let me know. Thank you in advance.

My Port 443 and 80 are open, "sudo ss -tulpn | grep LISTEN" outputs

tcp    LISTEN  0       151               127.0.0.1:3306           0.0.0.0:*      users:(("mysqld",pid=821,fd=23))   
tcp    LISTEN  0       511                 0.0.0.0:80             0.0.0.0:*      users:(("nginx",pid=15372,fd=8),("nginx",pid=15371,fd=8),("nginx",pid=15370,fd=8))
tcp    LISTEN  0       4096          127.0.0.53%lo:53             0.0.0.0:*      users:(("systemd-resolve",pid=658,fd=13))
tcp    LISTEN  0       128                 0.0.0.0:22             0.0.0.0:*      users:(("sshd",pid=762,fd=3))      
tcp    LISTEN  0       511                 0.0.0.0:443            0.0.0.0:*      users:(("nginx",pid=15372,fd=7),("nginx",pid=15371,fd=7),("nginx",pid=15370,fd=7))
tcp    LISTEN  0       70                127.0.0.1:33060          0.0.0.0:*      users:(("mysqld",pid=821,fd=21))   
tcp    LISTEN  0       511                    [::]:80                [::]:*      users:(("nginx",pid=15372,fd=9),("nginx",pid=15371,fd=9),("nginx",pid=15370,fd=9))
tcp    LISTEN  0       128                    [::]:22                [::]:*      users:(("sshd",pid=762,fd=4))      
tcp    LISTEN  0       511                    [::]:443               [::]:*      users:(("nginx",pid=15372,fd=6),("nginx",pid=15371,fd=6),("nginx",pid=15370,fd=6))

The firewall allows access from anywhere, I had it set to inactive before and that didn't change anything, "sudo ufw status" outputs

Status: active

To                         Action      From
--                         ------      ----
Nginx HTTPS                ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
Nginx HTTPS (v6)           ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

The ownership of my sites available and sites enabled is set to www-data

"sudo nginx -t" responds with

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

My domain is:
brainknots.de / www.brainknots.de

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04

I got the domain from:
Strato

I can login to a root shell on my machine:
Yes

I'm using a control panel to manage my site:
No

The version of my client is:
certbot 0.40.0

My brainknots.de.conf in my sites available is linked to the sites enabled and looks like this


server {
    root /var/www/html;
    server_name brainknots.de www.brainknots.de;
        index index.html index.htm;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/brainknots.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/brainknots.de/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

            ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
       return 301 https://$host$request_uri;
    } # managed by Certbot



}
server {
    if ($host = www.brainknots.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = brainknots.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80 default_server;
    listen [::]:80 default_server;
    server_name  brainknots.de www.brainknots.de;
    return 301 https://$server_name$request_uri;


}

My nginx.conf looks like this:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

         server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log debug;

        ##

	#gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

I ran this command:
cat /var/log/nginx/error.log

It produced this output:
(I only put the last few lines)


2023/06/23 19:52:26 [debug] 15371#15371: *353 http write filter: l:1 f:0 s:384
2023/06/23 19:52:26 [debug] 15371#15371: *353 http write filter limit 0
2023/06/23 19:52:26 [debug] 15371#15371: *353 writev: 384 of 384
2023/06/23 19:52:26 [debug] 15371#15371: *353 http write filter 0000000000000000
2023/06/23 19:52:26 [debug] 15371#15371: *353 http copy filter: 0 "/?"
2023/06/23 19:52:26 [debug] 15371#15371: *353 http finalize request: 0, "/?" a:1, c:2
2023/06/23 19:52:26 [debug] 15371#15371: *353 event timer add: 4: 5000:293377440
2023/06/23 19:52:26 [debug] 15371#15371: *353 http request count:2 blk:0
2023/06/23 19:52:26 [debug] 15371#15371: *353 http run request: "/?"
2023/06/23 19:52:26 [debug] 15371#15371: *353 http read discarded body
2023/06/23 19:52:26 [debug] 15371#15371: *353 recv: eof:0, avail:-1
2023/06/23 19:52:26 [debug] 15371#15371: *353 recv: fd:4 20 of 20
2023/06/23 19:52:26 [debug] 15371#15371: *353 recv: avail:0
2023/06/23 19:52:26 [debug] 15371#15371: *353 http finalize request: -4, "/?" a:1, c:1
2023/06/23 19:52:26 [debug] 15371#15371: *353 set http keepalive handler
2023/06/23 19:52:26 [debug] 15371#15371: *353 http close request
2023/06/23 19:52:26 [debug] 15371#15371: *353 http log handler
2023/06/23 19:52:26 [debug] 15371#15371: *353 free: 000055C90724F6B0, unused: 1
2023/06/23 19:52:26 [debug] 15371#15371: *353 free: 000055C907225E40, unused: 2442
2023/06/23 19:52:26 [debug] 15371#15371: *353 free: 000055C9072061B0
2023/06/23 19:52:26 [debug] 15371#15371: *353 hc free: 0000000000000000
2023/06/23 19:52:26 [debug] 15371#15371: *353 hc busy: 0000000000000000 0
2023/06/23 19:52:26 [debug] 15371#15371: *353 tcp_nodelay
2023/06/23 19:52:26 [debug] 15371#15371: *353 reusable connection: 1
2023/06/23 19:52:26 [debug] 15371#15371: *353 event timer del: 4: 293377440
2023/06/23 19:52:26 [debug] 15371#15371: *353 event timer add: 4: 65000:293437440
2023/06/23 19:52:26 [debug] 15371#15371: *353 post event 000055C907282A50
2023/06/23 19:52:26 [debug] 15371#15371: *353 delete posted event 000055C907282A50
2023/06/23 19:52:26 [debug] 15371#15371: *353 http keepalive handler
2023/06/23 19:52:26 [debug] 15371#15371: *353 malloc: 000055C9072061B0:1024
2023/06/23 19:52:26 [debug] 15371#15371: *353 recv: eof:0, avail:0
2023/06/23 19:52:26 [debug] 15371#15371: *353 free: 000055C9072061B0
2023/06/23 19:52:26 [debug] 15371#15371: *353 http keepalive handler
2023/06/23 19:52:26 [debug] 15371#15371: *353 malloc: 000055C9072061B0:1024
2023/06/23 19:52:26 [debug] 15371#15371: *353 recv: eof:1, avail:-1
2023/06/23 19:52:26 [debug] 15371#15371: *353 recv: fd:4 0 of 1024
2023/06/23 19:52:26 [info] 15371#15371: *353 client 162.19.180.189 closed keepalive connection
2023/06/23 19:52:26 [debug] 15371#15371: *353 close http connection: 4
2023/06/23 19:52:26 [debug] 15371#15371: *353 event timer del: 4: 293437440
2023/06/23 19:52:26 [debug] 15371#15371: *353 reusable connection: 0
2023/06/23 19:52:26 [debug] 15371#15371: *353 free: 000055C9072061B0
2023/06/23 19:52:26 [debug] 15371#15371: *353 free: 000055C90721D9B0, unused: 136

If I run "sudo certbot renew --dry-run" I get no errors as you can see here


Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/brainknots.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 2.6.0 renewal configuration file found at /etc/letsencrypt/renewal/brainknots.de.conf with version 0.40.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for brainknots.de
http-01 challenge for www.brainknots.de
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/brainknots.de/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/brainknots.de/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

And running "sudo certbot certificates" outputs


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 2.6.0 renewal configuration file found at /etc/letsencrypt/renewal/brainknots.de.conf with version 0.40.0 of Certbot. This might not work.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: brainknots.de
    Domains: brainknots.de www.brainknots.de
    Expiry Date: 2023-09-17 17:00:49+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/brainknots.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/brainknots.de/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

"nslookup brainknots.de" gives me

Server:         212.227.123.16
Address:        212.227.123.16#53

Non-authoritative answer:
Name:   brainknots.de
Address: 192.52.42.17

Nginx is also running as shown below


ubuntu@brainknots2:/etc/nginx$ sudo nginx status
nginx: invalid option: "status"
ubuntu@brainknots2:/etc/nginx$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-06-21 14:23:37 UTC; 2 days ago
       Docs: man:nginx(8)
   Main PID: 15370 (nginx)
      Tasks: 3 (limit: 4662)
     Memory: 6.5M
     CGroup: /system.slice/nginx.service
             ├─15370 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             ├─31550 nginx: worker process
             └─31551 nginx: worker process

Jun 21 14:23:37 brainknots2 systemd[1]: Starting A high performance web server and a reverse proxy server...
Jun 21 14:23:37 brainknots2 systemd[1]: Started A high performance web server and a reverse proxy server.

MikeMcQ · June 23, 2023, 9:24pm

Welcome to the community @Lea.cookie

I applaud your thorough report and that you got a cert a few days ago is important to know.

But, right now I cannot even see your domain using HTTP (or HTTPS). Not from various locations around the globe or when using the Let's Debug test site. (link here)

I haven't studied all your config yet. But, should HTTP and HTTPS be working right now?

Osiris · June 23, 2023, 9:38pm

Hm, some moments ago from my location in Europe, I did see a redirect from HTTP to HTTPS, but port 443 was filtered (timeout).

Checked again, same result: port 80 fine, 443 timeout.

MikeMcQ · June 23, 2023, 9:53pm

Hmmm. Yes, one of my trusty testing sites is faulty because it still says it can't reach that domain with HTTP even from Amsterdam.

But, even the Let's Debug link I earlier provided does show HTTP redirected. I spun up my own test server and I see HTTP fine (it redirects) but HTTPS is filtered. So, thanks for correction.

@Lea.cookie Is there anything at Strato that needs configuring to allow port 443 inbound? Because a port probe shows "filtered" which usually means some sort of firewall blocking request rather than wrongly configured nginx. And, besides, your port display shows nginx listening so at least that's right.

Update: Are you hosting your server on Strato too? If not, can you explain more about your hosting setup and any comms gear between your server and the internet. I saw an article about their server cloud firewall but then realized you never said you hosted the server there.

Bruce5051 · June 24, 2023, 2:11am

Hi @Lea.cookie here is an online tool to check host connections from around the world https://check-host.net/ presently https://brainknots.de gets "Connection timed out" see Permanent link to this check report.

Lea.cookie · June 24, 2023, 7:00am

Thank you for your answer, sorry for the confusion, it's correct that I have a redirect from http to https, I only did that after making sure the http is working fine, taking out the redirect and loading the http works fine.

No I am not hosting on Strato, we only got the domain and www subdomain from there, I am hosting on BWCloud(a cloud platform developed and operated by the government of Baden-Württemberg in Germany). It offers a range of cloud services and infrastructure for public sector organizations, such as government agencies and educational institutions, students at our university use it on a regular and a friend of mine has no issues with it, the only difference is that he uses apache, but that is very unlikely to be the reason.

I also updated the question to make it easier for others to understand my problem.

Lea.cookie · June 24, 2023, 7:08am

Thank you, I have used SSL Labs and Whynopadlock before with similar results. My issue is just that I dont understand why I get a time out or Assessment failed: Unable to connect to the server, it shouldnt be my configuration, firewall or my ports from what I can see. Is there any further testing I can do that isn't listed already?

MikeMcQ · June 24, 2023, 11:23am

There is likely a setting in bwCloud that is blocking port 443. It is not unusual for a hosting service to have their own firewall to protect all their customers.

Below is a doc on their site about Security Group that says you must open port 443 for HTTPS. If that isn't enough to get you working you should ask them more about it. Your server looks good so it must be something between your server and the internet

https://www.bw-cloud.org/en/bwcloud_scope/use#open_port

Lea.cookie · June 24, 2023, 9:31pm

Thank you so much, it finally worked! I have spent so much time looking for a mistake I made, but the standard setting in BWCloud wasn't allowing https for my instance and after I added a new security rule for that it finally worked. My friend didn't have to do anything in BWCloud, so it didnt't even occur to me, that there could be an issue.

system · July 24, 2023, 9:32pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.