I have renewed my certificates but still can't log in to my web app

I'm running a web app, and to log in I send a request to https://api.bryceai.com. The problem is that the certificate for that URL expired. Yesterday I renewed the certificate, but I still can't register or log in. Is there a delay before renewed certificates take effect, or is there another problem I'm missing?

My domain is: https://api.bryceai.com and https://bryceai.com

My hosting provider, if applicable, is: AWS, Ec2 Instance

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11

Hello @serpguru, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is the list of issued certificates: crt.sh | bryceai.com. The latest from Let's Encrypt is from 2023-02-08, and there is one from 2023-02-09 issued by C=US, O=Amazon, CN=Amazon RSA 2048 M01.

Did you install the certificates after receiving them, before the systemctl start nginx?
Also, I would more likely expect to see systemctl restart nginx.

Also, Let's Debug is showing a Cloudflare CDN WARNING: https://letsdebug.net/bryceai.com/1368512


Is this something you've overlooked?
[screenshot]


What domain are you having trouble with?

Because bryceai.com is set up to be proxied through Cloudflare, and I can connect to it just fine.

But api.bryceai.com has its DNS pointing to an EC2 instance, and port 443 (https) is closed. You may need to check your EC2 Security Group to ensure it is open. And, of course, check that whatever service is handling api is running and configured with that cert for https.

(Notice port 443 is closed for the api domain)
```
nmap api.bryceai.com
rDNS record for 3.21.192.3: ec2-3-21-192-3.us-east-2.compute.amazonaws.com
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
```

(Notice https connections to the bryceai domain work fine)
```
curl -I https://bryceai.com
HTTP/2 200
server: cloudflare
```

Hello @Bruce5051, I installed them before the systemctl start nginx.

Also, I tried with systemctl restart nginx and it hasn't worked.

Still thank you for the feedback!


Hello @serpguru, I believe @MikeMcQ has identified the issue


You are right! I overlooked that line. That may be the cause; I'm also checking port 443 to see if it's closed in my AWS security group.


I have checked the inbound rules in the security group for my EC2 instance, and it seems port 443 is open:

I don't know if there is another problem with the port, or if it is what @rg305 said about new certificates being deployed without a reload.

Supplemental information: this is what I presently see.

```
$ nmap -Pn api.bryceai.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-13 16:57 UTC
Nmap scan report for api.bryceai.com (3.21.192.3)
Host is up (0.083s latency).
rDNS record for 3.21.192.3: ec2-3-21-192-3.us-east-2.compute.amazonaws.com
Not shown: 995 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
3000/tcp closed ppp
7000/tcp closed afs3-fileserver

Nmap done: 1 IP address (1 host up) scanned in 6.83 seconds
```

Note: HTTPS port 443 is closed above.

```
$ curl -Ii http://api.bryceai.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.22.0
Date: Mon, 13 Feb 2023 16:59:04 GMT
Content-Type: text/html
Content-Length: 1400
Connection: keep-alive
ETag: "63e3c8a1-578"
$ curl -Ii http://api.bryceai.com/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 404 Not Found
Server: nginx/1.22.0
Date: Mon, 13 Feb 2023 16:59:24 GMT
Content-Type: text/html
Content-Length: 1400
Connection: keep-alive
ETag: "63e3c8a1-578"
```

```
$ nmap -Pn bryceai.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-13 16:59 UTC
Nmap scan report for bryceai.com (172.67.215.131)
Host is up (0.010s latency).
Other addresses for bryceai.com (not scanned): 104.21.37.240 2606:4700:3036::6815:25f0 2606:4700:3033::ac43:d783
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 4.84 seconds
```

Note: HTTPS is open above.

```
$ curl -Ii http://bryceai.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Mon, 13 Feb 2023 17:00:03 GMT
Content-Type: text/html
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EK%2BReUwe1S7faZ%2FNnw233RB34xRmBXHRXKEX8PHes9AMv0Io4Boo5vw57tbA5zmweaIPfbyI0Fry37Orv5xMaEWTYB7%2BkM0zreven3oQLeHxYrsLiodIUpGwMpV86A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 798f1e377a11ef47-PDX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
$ curl -Ii http://bryceai.com/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 404 Not Found
Date: Mon, 13 Feb 2023 17:00:19 GMT
Content-Type: text/html
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=un2UVe7H2jkVUbRs0AnN8ZRiG5k5w5LVRRtCeTY3NMaRoeZnPGqD9CLIqA9uVagyBec%2FcgG5N4qr4GgojA8jM%2Bs3ZafHZ376Wo6gIpPsoKeHwpo8B3k0H5YArUpEsQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 798f1e9f4d36ef6b-PDX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
```

What does your nginx config look like on your EC2 instance? Because nginx is responding to http (port 80) but still nothing on https (port 443).

Can you show the result of the sudo nginx -T command? It is an upper-case T; omit sudo if you don't need it. Please add 3 backticks before and after the output, like:
```
output of: nginx -T
```

Here is the output:

```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root        /var/www/bryceaicom;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /index.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2;
#        listen       [::]:443 ssl http2;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers PROFILE=SYSTEM;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}


# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}
```

Where is the server section for Port 443?

```
#    server {
#        listen       443 ssl http2;
#        listen       [::]:443 ssl http2;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers PROFILE=SYSTEM;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }
```

Are you talking about this section? I didn't configure the server, so I'm a little lost about the config.

That is a commented-out section, so it is as if it is not there.


So that's where the problem is? Maybe I need to uncomment that section, because that's all of the nginx config file.


I would say yes. Since it was commented out I did not actually read through it, so details may need adjusting (or maybe it is fine as is). :slight_smile:


No, just uncommenting that is not enough. You need to reference the Let's Encrypt certs, among other things.

See the Mozilla site for guidelines. Also make sure you have a server block with a server_name for each domain and each port. You are just using default names.

In short, you haven't configured anything yet. See below and nginx.org
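To make the point above concrete, here is an added example that is not code from the thread or from any poster. It is a small POSIX shell script that renders a TLS-enabled pair of nginx server blocks for one hostname and checks an nginx -T dump for live (uncommented) listen 443 directives, which is the condition the posted config fails. It assumes certbot's default layout /etc/letsencrypt/live/<certname>/ (the actual certificate name is not shown in the thread), an API process behind nginx on a hypothetical upstream 127.0.0.1:3000, and the helper names render_tls_server, count_active_tls_listens and probe_tls, all of which are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions, labelled here:
#  - certbot placed the certificate under /etc/letsencrypt/live/<certname>/
#    (certbot's default layout; the real certificate name is unknown);
#  - the API application listens on a local port behind nginx (hypothetical
#    upstream 127.0.0.1:3000; the thread never shows what serves api.*).

# Print two nginx server blocks for one hostname: port 80 keeps the HTTP-01
# challenge path reachable for renewals and redirects everything else; port
# 443 terminates TLS with the Let's Encrypt files and proxies to the upstream.
render_tls_server() {
  domain="$1"; certname="$2"; upstream="$3"
  cat <<EOF
server {
    listen       80;
    listen       [::]:80;
    server_name  ${domain};

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  ${domain};

    ssl_certificate     /etc/letsencrypt/live/${certname}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${certname}/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;

    location / {
        proxy_pass         http://${upstream};
        proxy_set_header   Host \$host;
        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
EOF
}

# Count live "listen ... 443" directives in an nginx -T dump read from stdin.
# A "#        listen       443 ssl http2;" line does not match because the
# pattern anchors "listen" at the start of the line, so a config whose only
# TLS block is commented out (as in the thread) yields 0.
count_active_tls_listens() {
  grep -cE '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443([[:space:]]|;)' || true
}

# Constructed sample: the shape of the posted config, with the only 443
# server block commented out.
POSTED_CONFIG='server {
    listen       80;
    listen       [::]:80;
    server_name  _;
}
#    server {
#        listen       443 ssl http2;
#        listen       [::]:443 ssl http2;
#        server_name  _;
#    }'

# Live check from a client (needs network, so not part of the offline checks):
# confirm the handshake succeeds and show which certificate is actually served.
probe_tls() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

printf 'active 443 listens in posted config:   %s\n' \
  "$(printf '%s\n' "$POSTED_CONFIG" | count_active_tls_listens)"
printf 'active 443 listens in rendered config: %s\n' \
  "$(render_tls_server api.bryceai.com api.bryceai.com 127.0.0.1:3000 | count_active_tls_listens)"
```

To deploy, write the rendered blocks to /etc/nginx/conf.d/api.bryceai.com.conf (that directory is already included by the posted nginx.conf), then run sudo nginx -t && sudo systemctl reload nginx, and finally probe_tls api.bryceai.com from outside the instance. Two checks are worth keeping in mind: uncommenting the stock block as-is would point nginx at /etc/pki/nginx/server.crt rather than the Let's Encrypt files, and `sudo nginx -T | count_active_tls_listens` returning 0 after the edit means the block is still commented out or not included. The nmap output above also already tells you where the fault lies: a port reported as closed (rather than filtered, like the other 995) answered with a TCP RST, so the security group is letting 443 through and the instance simply has nothing listening on it.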

You might find nginx documentation and https://forum.nginx.org/ helpful as well.


Thank you all for the feedback! I see the problem now. :slight_smile: