Issue with the webserver

Hello.
Can someone help?
After I installed Certbot for Nginx I am not able to access my website.

Here are the results of the check:

My domain is: kituthegreat.tk

I ran this command: N/A

It produced this output: N/A

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Thanks

Hi @kituthegreat

Your HTTP works (with a redirect http -> https); your HTTPS has a timeout.

Domainname                 Http-Status  redirect                  Sec.    G
http://kituthegreat.tk/
  54.187.173.112           301          https://kituthegreat.tk/  0.340   A
https://kituthegreat.tk/
  54.187.173.112           -14                                    10.017  T
  Timeout - The operation has timed out

Is there a firewall or something else that blocks?

Or is it a home server with a missing port forwarding?


Hello. It is hosted on AWS. There is a firewall, but it was working OK before I added Certbot. Do I have to make some changes to the firewall for this to work?

Thanks

Here is what I see (ufw status):

OpenSSH            ALLOW  Anywhere
Nginx HTTP         ALLOW  Anywhere
3005               ALLOW  Anywhere
8000               ALLOW  Anywhere
Nginx Full         ALLOW  Anywhere
OpenSSH (v6)       ALLOW  Anywhere (v6)
Nginx HTTP (v6)    ALLOW  Anywhere (v6)
3005 (v6)          ALLOW  Anywhere (v6)
8000 (v6)          ALLOW  Anywhere (v6)
Nginx Full (v6)    ALLOW  Anywhere (v6)

Also, when I did wget localhost:

--2019-05-01 14:57:04--  http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://localhost/ [following]
--2019-05-01 14:57:04--  https://localhost/
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
ERROR: no certificate subject alternative name matches
requested host name 'localhost'.
To connect to localhost insecurely, use `--no-check-certificate'.

wget localhost --no-check-certificate
--2019-05-01 14:59:11--  http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://localhost/ [following]
--2019-05-01 14:59:11--  https://localhost/
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
WARNING: no certificate subject alternative name matches
requested host name 'localhost'.
HTTP request sent, awaiting response... 200 OK
Length: 612 [text/html]
Saving to: 'index.html'

index.html 100%[====================================>] 612 --.-KB/s in 0s

2019-05-01 14:59:11 (117 MB/s) - 'index.html' saved [612/612]

Maybe you need to allow port 443 in the security group in AWS.


You have to allow port 443.

Looks like you have found a solution.

There is a newer check (~50 minutes old):

Domainname                 Http-Status  redirect                  Sec.    G
http://kituthegreat.tk/
  54.187.173.112           301          https://kituthegreat.tk/  0.343   A
https://kituthegreat.tk/
  54.187.173.112           200                                    1.827   B

Now HTTP and HTTPS work.

But you have a Grade O - old connection.

Old connection: Diffie-Hellman key exchange with 1024 bits is insecure. Update to a 2048-bit key exchange.

You should update your SSL settings.

Yes. I allowed port 443 in the AWS security group and that resolved my issue.

How do I update to a 2048-bit key exchange?

Thanks,

Vlad

There is a lot of information about that.

Sample:

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html


Great. Thanks

Thanks,

Vlad


Hello,

I followed the steps in the link above.

I was able to complete them except for this step:

sudo openssl dhparam -out /etc/ssl/certsdhparam.pem 4096

It took a long time to process, but at the end it didn't create the file.

I spent a long time troubleshooting this issue, but finally realized that it was just a typo.

The command should be "sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096".

It is running now.

Thanks a lot.


Yep, now you have a

Diffie-Hellman 4096-bit

key exchange, and not a Grade O but a Grade B.

If the next renewal works, perhaps add the HSTS header.
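The steps discussed above (generate a Diffie-Hellman group of at least 2048 bits, point nginx at it, and later add HSTS) put together as an added example; this is not code from the thread or from the linked tutorial. It assumes the paths from the thread (/etc/ssl/certs/dhparam.pem) plus a hypothetical snippet file /etc/nginx/snippets/tls.conf, and it reads the group size back with `openssl dhparam -text` so that a file written to the wrong path (the /etc/ssl/certsdhparam.pem typo) or a leftover 1024-bit group is refused before nginx is reloaded.

```shell
#!/bin/sh
# Added example (not from the thread). Generates, checks and wires up DH
# parameters for nginx. POSIX sh; needs the openssl CLI.
set -eu

# Generate a DH group. 4096 bits can take many minutes on a small VM;
# 2048 is the minimum that clears the "1024-bit DH" finding from the check.
generate_dhparam() {
    out="$1"; bits="${2:-2048}"
    openssl dhparam -out "$out" "$bits"
}

# Print the size in bits of the prime in a DH parameter file.
# Returns 1 if the file is missing or unparsable, which is exactly what a
# typo in the -out path produces: nothing at the path nginx will read.
dhparam_bits() {
    file="$1"
    [ -r "$file" ] || return 1
    bits=$(openssl dhparam -in "$file" -noout -text 2>/dev/null \
           | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] || return 1
    printf '%s\n' "$bits"
}

# True only for groups of at least 2048 bits.
dhparam_ok() {
    b=$(dhparam_bits "$1") || return 1
    [ "$b" -ge 2048 ]
}

# Write an nginx TLS snippet referencing the DH file, but only if the file
# passes dhparam_ok: a dangling or weak ssl_dhparam is caught here, not at
# reload time. TLSv1.3 is left out because nginx 1.10.3 on Ubuntu 16.04
# (OpenSSL 1.0.2) does not support it.
write_tls_snippet() {
    dh="$1"; snippet="$2"
    dhparam_ok "$dh" || { echo "refusing: $dh missing or below 2048 bits" >&2; return 1; }
    cat > "$snippet" <<EOF
# TLS hardening snippet (added example); include it from each server { } block.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_dhparam $dh;
# HSTS: enable only after at least one certbot renewal has succeeded; with
# HSTS set, an expired certificate locks browsers out with no bypass.
add_header Strict-Transport-Security "max-age=31536000" always;
EOF
}

# Usage: sh dh-setup.sh /etc/ssl/certs/dhparam.pem /etc/nginx/snippets/tls.conf
# (paths are assumptions). Afterwards: nginx -t && systemctl reload nginx
main() {
    dh="$1"; snip="$2"
    dhparam_ok "$dh" || generate_dhparam "$dh" 2048
    write_tls_snippet "$dh" "$snip"
    echo "ok: $dh is $(dhparam_bits "$dh") bits; snippet written to $snip"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The `-text` read-back is the check the thread was missing: `openssl dhparam -out` will happily write to `/etc/ssl/certsdhparam.pem` (the directory `/etc/ssl` exists), so "the file was not created" really means "not created where nginx looks", and `nginx -t` is the last line of defence before a reload takes the site down.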
