I have generated the certs but the site is not working

My domain is:
retrostalker.com

I ran this command:
sudo certbot -m @gmail.com --agree-tos -n --nginx -d retrostalker.com -d www.retrostalker.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
Deploying certificate
Successfully deployed certificate for retrostalker.com to /etc/nginx/nginx.conf
Successfully deployed certificate for www.retrostalker.com to /etc/nginx/nginx.conf
Congratulations! You have successfully enabled HTTPS on https://retrostalker.com and https://www.retrostalker.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
Nginx (Latest)

The operating system my web server runs on is (include version):
Ubuntu 22 (Digital Ocean Droplet)

My hosting provider, if applicable, is:
Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know):
Logged into the shell

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.0

My nginx conf looks like this after running certbot:

events {
    worker_connections 1024;  ## Default: 1024
}

http {
    server {
        server_name retrostalker.com www.retrostalker.com;

        location /.well-known/acme-challenge/ {
            root /var/www/cerbot;
        }

        location / {
            proxy_pass http://127.0.0.1:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/retrostalker.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/retrostalker.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = www.retrostalker.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = retrostalker.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        server_name retrostalker.com www.retrostalker.com;
        return 404; # managed by Certbot
    }
}

GoDaddy DNS config (screenshot)

The site is reachable via HTTP if I remove all the Certbot-generated nginx config...

This is the site: http://143.198.240.23:3000/

It looks like port 443 is just blocked, probably by a firewall. Or are there comms config settings at DO that you have to set up for the port?

Your nginx config looks fine.

curl -I -m6 http://retrostalker.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Location: https://retrostalker.com/

curl -I -m6 https://retrostalker.com
curl: (28) Connection timed out after 6001 milliseconds

Your port 443 is not opened to the public. HTTPS works by default on port 443 and the redirects installed by Certbot from HTTP to HTTPS do not use a specific port, but just redirect to https://, thus using port 443.

That's just HTTP and you're proxying to that using nginx. Why is that port accessible from the public internet? Why reverse proxy to it and have it publicly available? That doesn't make much sense. Usually there would be a firewall blocking access to every port, except the ports you want to have open, i.e. ports 80 and 443 for the webserver and perhaps other ports for e.g. a mailserver, if applicable, etc. Having a "custom" port to which is reverse proxied open to the public isn't common.


Thanks, maybe Digital Ocean blocks this port by default?


Thanks, it might be Digital Ocean that blocks this port by default....


Maybe. Did their droplet have ufw set up by default?

sudo ufw status

Otherwise you may need to ask their support about it. Did you have to do anything to allow port 80 or 3000?


Yes, here:

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere                  
2375/tcp                   ALLOW       Anywhere                  
2376/tcp                   ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
22/tcp (v6)                LIMIT       Anywhere (v6)             
2375/tcp (v6)              ALLOW       Anywhere (v6)             
2376/tcp (v6)              ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)   

Thanks


This article for Ubuntu 18 still applies. You are missing "HTTPS", which is by default port 443.


Thanks!

I have this output now:

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
2375/tcp                   ALLOW       Anywhere                  
2376/tcp                   ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
Nginx HTTPS                ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
2375/tcp (v6)              ALLOW       Anywhere (v6)             
2376/tcp (v6)              ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)             
Nginx HTTPS (v6)           ALLOW       Anywhere (v6) 

But now when I try to restart the container I get:

root@retrostalker-web:~# sudo systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.

I'll try and re-run all this with Terraform so it does this on startup, and see if that fixes it.

Thanks guys it's working!


Port 3000 is still open.

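An added example, not code from the thread, that automates the check the replies above make by hand: it parses a ufw status listing, confirms an HTTPS rule is present and lists ALLOW/LIMIT rules that fall outside a small web-host allow-list (the allow-list and the suggested ufw command are assumptions). As the thread's own listings show, port 3000 never appears in the ufw table even though it answers from outside, so this audit complements the external curl check rather than replacing it.

```shell
#!/bin/sh
# Added example (not from the thread): audit a `ufw status` listing.
# Checks that HTTPS (443, "Nginx HTTPS" or "Nginx Full") is allowed and lists
# ALLOW/LIMIT rules outside an allow-list of what a reverse-proxied web host
# is expected to expose. The allow-list below is an assumption, adjust as needed.

EXPECTED='22/tcp|80/tcp|443/tcp|Nginx HTTP|Nginx HTTPS|Nginx Full'

# https_allowed STATUS -> exit 0 if a rule allows HTTPS on IPv4 or IPv6, else 1
https_allowed() {
    printf '%s\n' "$1" | grep -E '^(443(/tcp)?|Nginx (HTTPS|Full))[^A-Z]*ALLOW' >/dev/null
}

# unexpected_rules STATUS -> one "To" entry per line for rules not in EXPECTED,
# with the "(v6)" duplicates collapsed so each port is reported once
unexpected_rules() {
    printf '%s\n' "$1" \
      | awk '/ALLOW|LIMIT/ { sub(/ +(ALLOW|LIMIT).*/, ""); sub(/ \(v6\)$/, ""); print }' \
      | grep -Ev "^($EXPECTED)$" | sort -u
}

# audit STATUS -> prints findings and a suggested ufw command for a missing rule
audit() {
    if https_allowed "$1"; then
        echo "HTTPS: allowed"
    else
        echo "HTTPS: NOT allowed. Suggested fix: sudo ufw allow 'Nginx HTTPS'"
    fi
    extra=$(unexpected_rules "$1")
    [ -n "$extra" ] && printf 'Rules outside the web allow-list:\n%s\n' "$extra"
    return 0
}

# Constructed sample: the first listing posted in the thread (no HTTPS rule yet).
SAMPLE='To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
2375/tcp                   ALLOW       Anywhere
2376/tcp                   ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
2375/tcp (v6)              ALLOW       Anywhere (v6)
2376/tcp (v6)              ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)'

audit "$SAMPLE"
```

On the droplet itself, run it against live output with `audit "$(sudo ufw status)"` instead of the constructed sample.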

Thanks, I'll look into this.

