I just nuked my website


#1

My domain is: temp.raqib.co

I ran this command: https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

It produced this output: This site can’t be reached

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.2 LTS

My hosting provider, if applicable, is: https://www.atlantic.net/

I can login to a root shell on my machine (yes or no, or I don’t know): Yes using PuTTY

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No (I do use WordPress on the site, does it count?)

More detail:

Hello there. I am a junior developer at the company. My boss gave me a domain to develop our new website on. Right now I am configuring WordPress on the temporary domain, before it is moved to the permanent domain. I have followed the instructions in the ubuntuxenial-nginx guide. Everything went smoothly. I even restarted nginx and apache2. When I navigate to the website, it says it can’t be reached. Help me, I’m stuck and don’t know what to do.

Thank you and have a nice day.


#2

Whatever is running on port 443 on your server is just dropping connections.

Could you please check /var/log/nginx/error.log, and also show which processes are bound to which ports:

sudo ss -tlnp

#3

Hi @Hadi

There is a misconfiguration.

D:\download http://temp.raqib.co -h
Connection: keep-alive
Content-Length: 194
Content-Type: text/html
Date: Fri, 22 Jun 2018 10:39:32 GMT
Location: https://temp.raqib.co/
Server: nginx/1.10.3 (Ubuntu)

Status: 301 MovedPermanently

http://temp.raqib.co is redirected to https. But https doesn’t work:

download https://temp.raqib.co -h
Error (1): The underlying connection was closed: An unexpected error occurred on a send…
SendFailure
Authentication failed because the remote party has closed the transport stream.

But loading https://temp.raqib.co:80/ (https on port 80) gets (Firefox):

An error occurred during a connection to temp.raqib.co:80. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

So it looks like you are sending HTTP content over HTTPS, and port 443 has a wrong configuration.

Edit: The messages in English:

Calling https://temp.raqib.co

This site can’t be reached
temp.raqib.co unexpectedly closed the connection.

https://temp.raqib.co:80

This site can’t provide a secure connection
temp.raqib.co sent an invalid response.

Switched Opera to English, but there the messages are a little bit different.


#4

No, your test asks for HTTPS content over HTTP :wink:

But in any case, the server listening on port 443 isn’t doing a very good job:

  1. It doesn’t respond properly to TLS requests (“ssl handshake failure”)
  2. It doesn’t respond to “normal” HTTP requests either

So I’m with @_az on what you should do first: debug nginx, debug what’s running on port 443.
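
What #3 and #4 do by hand, reading browser and .NET error wording to tell a dropped TLS handshake from a non-TLS answer, can be scripted. The probe below is an added example for this page, not code posted by anyone in the thread: probe_tls sends a ClientHello with SNI and classifies what comes back, and fake_server is a constructed loopback stand-in (a listener that hangs up after the ClientHello, one that answers with plain HTTP, and one that is not listening at all) so the classifier can be exercised offline. The host names are assumptions taken from the thread.

```python
# Classify what a port does when it is sent a TLS ClientHello.
# Added example for this thread, not code posted by any participant.
import socket
import ssl
import threading


def probe_tls(host, port, server_name=None, timeout=5.0):
    """Return 'tls:<version>', 'closed_during_handshake', 'not_tls:<reason>',
    'refused' or 'timeout'.  Certificate checks are disabled on purpose: the
    question is whether the port speaks TLS at all, not whether the chain is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname sets SNI, so a name-based vhost is selected as a browser would
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                return 'tls:' + tls.version()
    except ConnectionRefusedError:
        return 'refused'                      # nothing listening (ss -tlnp shows no socket)
    except (ConnectionResetError, ssl.SSLEOFError):
        return 'closed_during_handshake'      # peer dropped us right after the ClientHello
    except ssl.SSLError as exc:
        reason = exc.reason or str(exc)
        if 'EOF' in reason:                   # older Python/OpenSSL combinations report the drop this way
            return 'closed_during_handshake'
        return 'not_tls:' + reason            # e.g. WRONG_VERSION_NUMBER: plain HTTP came back
    except socket.timeout:
        return 'timeout'


def fake_server(behaviour):
    """Constructed loopback stand-in for a broken port 443; returns the port number.
    'close'  : read the ClientHello, then hang up (what nginx does with no usable certificate)
    'http'   : answer the ClientHello with plain HTTP (a non-TLS vhost on the TLS port)
    'refuse' : no listener at all"""
    srv = socket.socket()
    srv.bind(('127.0.0.1', 0))
    port = srv.getsockname()[1]
    if behaviour == 'refuse':
        srv.close()
        return port
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            conn.recv(4096)                   # consume the ClientHello
            if behaviour == 'http':
                conn.sendall(b'HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n')
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == '__main__':
    for mode in ('close', 'http', 'refuse'):
        print(mode, '->', probe_tls('127.0.0.1', fake_server(mode)))
    # Against the live host from the thread (needs network): probe_tls('temp.raqib.co', 443)
```

'closed_during_handshake' is what the nginx error lines in #5 look like on the wire; 'not_tls:WRONG_VERSION_NUMBER' is the same underlying condition (plain HTTP where a TLS record was expected) that Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG, because OpenSSL checks the record version before the record length.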


#5

Below is the output of sudo ss -tlnp

State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      80     127.0.0.1:3306       *:*       users:(("mysqld",pid=13181,fd=27))
LISTEN     0      128    *:80                 *:*       users:(("nginx",pid=27256,fd=6),("nginx",pid=27255,fd=6),("nginx",pid=27254,fd=6))
LISTEN     0      128    *:22                 *:*       users:(("sshd",pid=1171,fd=3))
LISTEN     0      128    *:443                *:*       users:(("nginx",pid=27256,fd=7),("nginx",pid=27255,fd=7),("nginx",pid=27254,fd=7))
LISTEN     0      128    :::80                :::*      users:(("nginx",pid=27256,fd=8),("nginx",pid=27255,fd=8),("nginx",pid=27254,fd=8))
LISTEN     0      128    :::22                :::*      users:(("sshd",pid=1171,fd=4))

Below is /var/log/nginx/error.log

2018/06/24 07:36:25 [warn] 7824#7824: conflicting server name "test.raqib.co" on 0.0.0.0:443, ignored
2018/06/24 08:06:46 [error] 27255#27255: *4063 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 141.212.122.112, server: 0.0.0.0:443
2018/06/24 08:34:50 [error] 27255#27255: *4066 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 146.0.75.216, server: 0.0.0.0:443
2018/06/24 14:21:37 [error] 27256#27256: *4137 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 74.82.47.5, server: 0.0.0.0:443
2018/06/24 17:33:34 [warn] 11822#11822: conflicting server name "test.raqib.co" on 0.0.0.0:443, ignored
2018/06/24 17:41:37 [error] 27256#27256: *4158 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 139.162.113.204, server: 0.0.0.0:443
2018/06/24 23:58:29 [error] 27256#27256: *4191 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 36.5.176.226, server: 0.0.0.0:443
2018/06/25 01:33:57 [error] 27256#27256: *5268 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 185.35.63.215, server: 0.0.0.0:443
2018/06/25 01:39:45 [error] 27256#27256: *5538 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 60.54.120.129, server: 0.0.0.0:443
2018/06/25 01:39:45 [error] 27256#27256: *5539 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 60.54.120.129, server: 0.0.0.0:443
2018/06/25 01:39:45 [error] 27256#27256: *5540 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 60.54.120.129, server: 0.0.0.0:443
2018/06/25 01:39:45 [error] 27256#27256: *5541 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 60.54.120.129, server: 0.0.0.0:443
2018/06/25 01:39:46 [error] 27256#27256: *5542 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 60.54.120.129, server: 0.0.0.0:443
2018/06/25 01:39:46 [error] 27256#27256: *5543 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 60.54.120.129, server: 0.0.0.0:443
2018/06/25 01:39:46 [error] 27256#27256: *5544 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 60.54.120.129, server: 0.0.0.0:443
2018/06/25 01:39:47 [error] 27256#27256: *5545 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 60.54.120.129, server: 0.0.0.0:443

#6

You have two server { } blocks that have server_name test.raqib.co:

One of these would be the one from Certbot, and the other is a duplicate that is not configured with any SSL certificate.

The server created by Certbot is being ignored due to being detected as a duplicate, so your site doesn’t work.

You can view your full parsed configuration with nginx -T, which should make it obvious where the duplicate is.

Once you find the duplicate (without the ssl_certificate), get rid of it.
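
The nginx -T reading that #6 describes can be scripted, and a script can also check the other thing the #5 log lines point at. That error names the socket (server: 0.0.0.0:443) rather than a virtual host because nginx takes the SSL context for a listening socket from that socket's default server (the first block that listens on it, in the order nginx -T prints them, unless one says default_server), and when that block has no ssl_certificate nginx closes every handshake on the socket before SNI is looked at. In the posted dump the first `listen 443 ssl` block is the one for crm.raqib.co, which has none. The audit below is an added example for this page, not code from the thread or from nginx or Certbot; SAMPLE_DUMP is a constructed, cut-down dump in the shape of the posted one, with file paths taken from the thread.

```python
# Audit an `nginx -T` dump for duplicate server_name on one listen socket and for TLS
# sockets whose default server has no ssl_certificate.  Added example, not thread code.
import re
from collections import defaultdict

# Constructed sample in the shape of the posted nginx -T output, cut down to the relevant lines.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/conf.d/crm.raqib.co.conf:
server {
    listen 443 ssl;
    server_name crm.raqib.co;
}
# configuration file /etc/nginx/conf.d/temp.raqib.co.conf:
server {
    server_name temp.raqib.co;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/temp.raqib.co/fullchain.pem; # managed by Certbot
}
server {
    listen 443 ssl;
    server_name test.raqib.co;
}
# configuration file /etc/nginx/conf.d/test.raqib.co.conf:
server {
    listen 443 ssl;
    server_name test.raqib.co;
}
"""
FILE_RE = re.compile(r'^# configuration file (.+?):\s*$')
COMMENT_RE = re.compile(r'("[^"]*"|\'[^\']*\')|#.*')       # keep quoted strings, drop '#' comments
TOKEN_RE = re.compile(r'[{};]|"[^"]*"|\'[^\']*\'|[^\s{};"\']+')


def tokenize(dump):
    """Tokens of the dump; '# configuration file X:' lines become '@file X;' pseudo-directives."""
    tokens = []
    for line in dump.splitlines():
        m = FILE_RE.match(line)
        if m:
            tokens += ['@file', m.group(1), ';']
        elif not line.startswith('nginx: '):               # status lines printed ahead of the dump
            tokens += TOKEN_RE.findall(COMMENT_RE.sub(lambda c: c.group(1) or '', line))
    return tokens


def parse(tokens, i=0):
    """Recursive descent over nginx syntax: (items, next_index); item = (name, args, children|None)."""
    items = []
    while i < len(tokens) and tokens[i] != '}':
        name, args, i = tokens[i], [], i + 1
        while i < len(tokens) and tokens[i] not in ('{', ';', '}'):
            args.append(tokens[i].strip('"\''))
            i += 1
        if i < len(tokens) and tokens[i] == '{':
            children, i = parse(tokens, i + 1)
            items.append((name, args, children))
        else:
            items.append((name, args, None))
            i += 1 if i < len(tokens) and tokens[i] == ';' else 0
    return items, i + 1                                    # skip the closing '}'


def servers(items, path=None, out=None):
    """Every server {} block, however nested, as {file, names, listens, has_cert}."""
    out = [] if out is None else out
    for name, args, children in items:
        if name == '@file':
            path = args[0]
        elif name == 'server':
            srv = {'file': path, 'names': [], 'listens': [], 'has_cert': False}
            for d, dargs, _ in children:
                if d == 'server_name':
                    srv['names'] += dargs
                elif d == 'ssl_certificate':
                    srv['has_cert'] = True
                elif d == 'listen':
                    sock = dargs[0].replace('*:', '0.0.0.0:')
                    sock = sock if ':' in sock else '0.0.0.0:' + sock    # bare port = all IPv4
                    srv['listens'].append((sock, 'ssl' in dargs, 'default_server' in dargs))
            out.append(srv)
        elif children:
            servers(children, path, out)
    return out


def audit(dump):
    """Group server blocks by listen socket; report name conflicts and certificate gaps."""
    by_sock = defaultdict(list)
    for srv in servers(parse(tokenize(dump))[0]):
        for sock, is_ssl, is_default in srv['listens']:
            by_sock[sock].append((srv, is_ssl, is_default))
    report = {'conflicts': [], 'no_cert': [], 'bad_default': []}
    for sock, entries in by_sock.items():
        seen = set()
        for srv, is_ssl, _ in entries:
            for n in srv['names']:
                if n in seen:                              # nginx keeps the first, ignores this one
                    report['conflicts'].append((n, sock, srv['file']))
                seen.add(n)
            if is_ssl and not srv['has_cert']:
                report['no_cert'].append((sock, tuple(srv['names']), srv['file']))
        # The socket's SSL context comes from its default server (first block listening on it,
        # unless one says default_server); with no certificate there every handshake is closed.
        default = next((s for s, _, d in entries if d), entries[0][0])
        if any(s for _, s, _ in entries) and not default['has_cert']:
            report['bad_default'].append((sock, tuple(default['names']), default['file']))
    return report


if __name__ == '__main__':                                 # live box: audit(open('dump.txt').read())
    for kind, rows in audit(SAMPLE_DUMP).items():
        print(kind, rows)
```

On a real box, capture the dump with sudo nginx -T > dump.txt 2>&1 and pass the file contents to audit(). Everything in bad_default has to be fixed for the socket to work at all (give that block a certificate, or take `listen 443 ssl` off a block that has none); conflicts lists the blocks nginx silently drops, which is what the "conflicting server name" warning refers to; no_cert lists every other TLS block that would break the socket if it ever became the default.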


#7

Yes my friend, it seems like there is a problem with the port. I don’t know what to do :confused:


#8

Here’s my nginx -T. BTW I am new, and I am scared of posting the following block of config, so if it is sensitive, please tell me so I can hide it.

nginx: [warn] conflicting server name "test.raqib.co" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

         server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/crm.raqib.co.conf:
server {
        listen  80;
         root /var/www/crm.raqib.co;
         index index.php index.html index.htm index.nginx-debian.html;

         server_name crm.raqib.co;

       #  include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.html$is_args$args;
        }

        error_page 404 /404.html;
        error_page 500 520 503 504 /50x.html;

}

server {
        listen  443 ssl;
        root /var/www/crm.raqib.co;
        index index.php index.html index.htm index.nginx-debian.html;

        server_name crm.raqib.co;


        #include /etc/nginx/conf.d/ssl.conf;
        #include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.html$is_args$args;
        }

        error_page 404 /404.html;
        error_page 500 520 503 504 /50x.html;

}


# configuration file /etc/nginx/conf.d/dashboard.raqib.co.conf:
server {
        listen  80;
         root /var/www/dashboard.raqib.co;
         index index.php index.html index.htm index.nginx-debian.html;

         server_name dashboard.raqib.co;

#         include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }


        location ~ \.php$ {
                include fastcgi_params;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#               fastcgi_pass 127.0.0.1:9000;
                #fastcgi_index index.php;
        #       fastcgi_param  SCRIPT_FILENAME   /var/www/dashboard.raqib.co$fastcgi_script_name;
}
location ~ /\.ht {
        deny all;
}


}

server {
        listen  443 ssl;
        root /var/www/dashboard.raqib.co;
        index index.php index.html index.htm index.nginx-debian.html;

        server_name dashboard.raqib.co;


        #include /etc/nginx/conf.d/ssl.conf;
        #include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.html$is_args$args;
        }

        error_page 404 /404.html;
        error_page 500 520 503 504 /50x.html;

}


# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/conf.d/raqib.co.conf:
server {
        listen  80;
         root /var/www/raqib.co;
         index index.php index.html index.htm index.nginx-debian.html;

         server_name raqib.co www.raqib.co;

       #  include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.html$is_args$args;
        }

        error_page 404 /404.html;
        error_page 500 520 503 504 /50x.html;

}

server {
        listen  443 ssl;
        root /var/www/raqib.co;
        index index.php index.html index.htm index.nginx-debian.html;

        server_name raqib.co www.raqib.co;


        #include /etc/nginx/conf.d/ssl.conf;
        #include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.html$is_args$args;
        }

        error_page 404 /404.html;
        error_page 500 520 503 504 /50x.html;

}


# configuration file /etc/nginx/conf.d/temp.raqib.co.conf:
server {
         root /var/www/temp.raqib.co;
         index index.php index.html index.htm index.nginx-debian.html;

         server_name temp.raqib.co;

#         include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }


        location ~ \.php$ {
                include fastcgi_params;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#               fastcgi_pass 127.0.0.1:9000;
                #fastcgi_index index.php;
}
location ~ /\.ht {
        deny all;
}



    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/temp.raqib.co/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/temp.raqib.co/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
        listen  443 ssl;
        root /var/www/test.raqib.co;
        index index.php index.html index.htm index.nginx-debian.html;

        server_name test.raqib.co;


        #include /etc/nginx/conf.d/ssl.conf;
        #include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.html$is_args$args;
        }

        error_page 404 /404.html;
        error_page 500 520 503 504 /50x.html;

}

server {
    if ($host = temp.raqib.co) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen  80;

         server_name temp.raqib.co;
    return 404; # managed by Certbot


}
# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

# configuration file /etc/nginx/conf.d/test.raqib.co.conf:
server {
        listen  80;
         root /var/www/test.raqib.co;
         index index.php index.html index.htm index.nginx-debian.html;

         server_name test.raqib.co;

#         include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }


        location ~ \.php$ {
                include fastcgi_params;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#               fastcgi_pass 127.0.0.1:9000;
                #fastcgi_index index.php;
        #       fastcgi_param  SCRIPT_FILENAME   /var/www/dashboard.raqib.co$fastcgi_script_name;
}
location ~ /\.ht {
        deny all;
}


}

server {
        listen  443 ssl;
        root /var/www/test.raqib.co;
        index index.php index.html index.htm index.nginx-debian.html;

        server_name test.raqib.co;


        #include /etc/nginx/conf.d/ssl.conf;
        #include /etc/nginx/conf.d/gzip.conf;

        location / {
                try_files $uri $uri/ /index.html$is_args$args;
        }

        error_page 404 /404.html;
        error_page 500 520 503 504 /50x.html;

}


# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php7.0-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php7.0-fpm:
        #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

#9

Nothing sensitive in there.

The problem is that you haven’t actually created any live certificates for test.raqib.co , at any point in the past, which means you probably did not fully complete the instructions at https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx .

Try

sudo certbot --nginx

and follow the instructions. If you run into any problems, please show the output of the command.


#12

Hey @_az

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/temp.raqib.co.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/conf.d/temp.raqib.co.conf
nginx: [warn] conflicting server name "test.raqib.co" on 0.0.0.0:443, ignored

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/temp.raqib.co.conf
nginx: [warn] conflicting server name "test.raqib.co" on 0.0.0.0:443, ignored


Congratulations! You have successfully enabled https://temp.raqib.co

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=temp.raqib.co


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/temp.raqib.co/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/temp.raqib.co/privkey.pem
   Your cert will expire on 2018-09-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@raqib:~# service apache2 restart
root@raqib:~# service nginx restart
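A defender-side check for the `conflicting server name ... ignored` warning in the certbot output above, as an added example that is not part of this thread: it parses an `nginx -T` style dump (the sample below is constructed, not the poster's real config), reports every server name bound twice on the same socket, and flags port-443 blocks that would not actually serve TLS. It assumes one directive per line, which is how `nginx -T` prints them.

```python
# Constructed sample shaped like an `nginx -T` dump (not the thread's real config): the last
# two blocks both bind test.raqib.co on :443, which makes nginx warn 'conflicting server name'.
SAMPLE_CONFIG = """
# configuration file /etc/nginx/conf.d/temp.raqib.co.conf:
server {
    listen 443 ssl;
    server_name temp.raqib.co;
    ssl_certificate /etc/letsencrypt/live/temp.raqib.co/fullchain.pem;
    location / { try_files $uri $uri/ =404; }
}
server {
    listen 443 ssl;
    server_name test.raqib.co;
    ssl_certificate /etc/ssl/certs/test.pem;
}
server {
    listen 443;
    server_name test.raqib.co;
}
"""

def parse_server_blocks(text):
    """Per server {} block, {directive: [argument lists]}; depth tracking skips nested location {} bodies."""
    blocks, cur, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and '# configuration file' headers
        if cur is None:
            cur, depth = ({}, 1) if line.replace(" ", "") == "server{" else (None, 0)
            continue
        depth += line.count("{") - line.count("}")
        if depth == 1 and (parts := line.rstrip(";").split()) and parts[0] in ("listen", "server_name", "ssl_certificate"):
            cur.setdefault(parts[0], []).append(parts[1:])
        if depth <= 0:
            blocks.append(cur)
            cur = None
    return blocks

def find_problems(text):
    """conflicts: (socket, name, later block indices); nginx serves only the first block, so a certificate
    deployed into an ignored block is never presented. broken_tls: :443 blocks lacking 'ssl' or a cert."""
    owners, broken = {}, []
    for i, b in enumerate(parse_server_blocks(text)):
        names = [n for args in b.get("server_name", []) for n in args]
        for args in b.get("listen", []):
            sock = args[0] if ":" in args[0] else "0.0.0.0:" + args[0]  # nginx: bare port = 0.0.0.0:port
            for name in names:
                owners.setdefault((sock, name), []).append(i)
            if sock.endswith(":443") and not ("ssl" in args and "ssl_certificate" in b):
                broken.append((sock, tuple(names)))
    conflicts = [(s, n, idx[1:]) for (s, n), idx in owners.items() if len(idx) > 1]
    return conflicts, broken
```

Run it over `sudo nginx -T` output instead of the sample to see which block nginx will keep and which certbot-deployed block it silently drops.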

#13

Oh I am doing stuff on temp.raqib.co, test.raqib.co is used for other means


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.