Lets Encrypt SSL Cert with Nginx reverse proxy and Plesk Not Working on https

I have two web servers and one public static IP address. All incoming requests first go to server A (Nginx) and then via reverse proxy it comes to server B. I have 4 domains on server B using CentOS 6.9 & Apache.

On server A, I add SSL to one domain (which is hosted on server B) and it works perfect. https://pdappt.com

For managing server B, I am using Plesk. I successfully add SSL certificate for one domain on Plesk but I can not access it. All domains on server B are accessible via http without any issue.

Below is an error I get from Chrome. I cleared cookies multiple times, nothing works. Tested it via a different browser, it does not work. "This page isn't working. myhsts.org redirected you too many times."

When I test the domain online, it shows A+ https://www.ssllabs.com/ssltest/analyze.html?d=myhsts.org

My questions: 1- What are possible causes for this issue?

2- My Plesk uses local IP, is it possible that SSL is issued with local IP not public one and does that affect its accessibility?

3- How can I check what IP address is assigned to a SSL cert for domain on Plesk or Linux command line?

4- Does this have anything to do with DNS settings?

Hi @touchstonewords,

You have a redirection from https://myhsts.org/ to http://myhsts.org/ which doesn’t make too much sense to me ;). But the loop problem is because you also have defined a Strict Transport Security header to tell browsers that your site should be accessed via https always, so, you access https and the browser gets the header to always access https, but you have a redirection to the http site and again your browser tries to reach your https site and again the redirection to http… and so on, you know :slight_smile:

HTTP/1.1 302 Found
Server: nginx/1.6.2
Date: Sat, 20 May 2017 13:08:37 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Location: http://myhsts.org/
Strict-Transport-Security: max-age=15768000

Let’s Encrypt certificates are issued for domains not IPs, so there is no relation between your IPs and the certificate issued.

Cheers,
sahsanu

Thanks Sahsanu for your prompt and helpful response. I fixed the issue. On my .htaccess there was #RewriteRule forcing browsers to https…I commented it out and now everything works perfect.

Have great day…

@touchstonewords, you are welcome, I’m glad you fixed it :+1:.

By the way, you have several issues yet.

For example,

https://pdappt.com/ redirects to http://www.pdappt.com/application/index.php and this to http://pdappt.com/application/index.php which seems not what you want… also, this site uses some links to non https sources so you will get warnings about mixed content in some browsers.

This is the code I was talking about:

<link rel="stylesheet" href="http://code.jquery.com/mobile/1.4.2/jquery.mobile-1.4.2.min.css">
<script src="http://code.jquery.com/jquery-1.10.2.min.js"></script>
<script src="http://code.jquery.com/mobile/1.4.2/jquery.mobile-1.4.2.min.js"></script>

  <link rel="icon" 
      type="image/png" 
      href="http://www.weg2g.com/contents/favicons/pdappt_favoricon.png">

Regarding the first three links you would need to change http://code.jquery.com/blahblah to https://code.jquery.com/blahblah and will be fine but for the fourth link http://www.weg2g.com/contents/favicons/pdappt_favoricon.png seems this is a domain you own and it has the same redirection loop problem that you should fix.

Also, myhsts.org has the same issue, it has links to external sites pointing to http instead of https. http://player.vimeo.com and http://fonts.googleapis.com and maybe others so this is something you should review.

Have a nice day you too.
sahsanu
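The two problems sahsanu describes in this thread (the HSTS downgrade loop on myhsts.org and the http:// sub-resources on pdappt.com) can both be spotted from captured responses. The script below is an added example, not code from the thread or from Let's Encrypt; the redirect chain and the HTML fragment are constructed from the headers and markup quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the redirect chain for https://myhsts.org/ as quoted in
# the thread. Each hop is (requested URL, status code, response headers).
MYHSTS_CHAIN = [
    ("https://myhsts.org/", 302,
     {"Location": "http://myhsts.org/",
      "Strict-Transport-Security": "max-age=15768000"}),
    ("http://myhsts.org/", 301,
     {"Location": "https://myhsts.org/"}),
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def hsts_downgrade_loop(chain):
    """Return the index of the first hop where an https URL redirects to http
    while also sending Strict-Transport-Security, or None if there is none.
    A browser that has cached the HSTS policy rewrites the http target back
    to https, which is the 'redirected you too many times' loop."""
    for i, (url, status, headers) in enumerate(chain):
        if status not in REDIRECT_CODES:
            continue
        hdrs = {k.lower(): v for k, v in headers.items()}
        target = hdrs.get("location", "")
        if (urlsplit(url).scheme == "https"
                and urlsplit(target).scheme == "http"
                and "strict-transport-security" in hdrs):
            return i
    return None


# Constructed HTML fragment modelled on the snippet quoted in the thread,
# with one of the jQuery links already switched to https.
PAGE_HTML = """
<link rel="stylesheet" href="http://code.jquery.com/mobile/1.4.2/jquery.mobile-1.4.2.min.css">
<script src="https://code.jquery.com/jquery-1.10.2.min.js"></script>
<link rel="icon" type="image/png"
      href="http://www.weg2g.com/contents/favicons/pdappt_favoricon.png">
"""

# Only sub-resources (stylesheets, scripts, images, frames) count as mixed
# content; plain <a href> links to http pages do not trigger the warning.
MIXED_RE = re.compile(
    r'<(?:link|script|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["\'](http://[^"\']+)',
    re.IGNORECASE)


def mixed_content_urls(html):
    """List the http:// sub-resource URLs that an https page would load."""
    return MIXED_RE.findall(html)
```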

Thanks Sahsanu for your note. I fixed the weg2g.com redirect issue…it was the same issue with .htaccess.
I updated all http: urls to https: on weg2g and pdappt.com and now working on myhsts.org.

I appreciate your comment,
Matt

Hey, do you have any idea what is the cause of getting a "Connection is Not Secure" error when I visit the below page:
https://www.weg2g.com/site_API/chat_api/client.php?locale=en

It works perfect in http and it is a chat library…I do not have any .htaccess for this. Thanks

I added Apache redirect in .htaccess for redirecting https://www.domain.com to https://domain.com

However, how can I add www.domain.com to my cert? What are the step by step commands for doing this?

Hi @touchstonewords,

Yes, you are using the wrong cert for www.weg2g.com; it uses the certificate valid only for myhsts.com. If you enter your chat with this url https://weg2g.com/site_API/chat_api/client.php?locale=en it works as expected so it is a configuration issue on your side.

Ok, but for pdappt.com you have several redirects from https to http yet.

HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Sat, 20 May 2017 18:03:24 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://pdappt.com/
Strict-Transport-Security: max-age=15768000

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Sat, 20 May 2017 18:03:25 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Location: http://www.pdappt.com/application/index.php
X-Powered-By: PleskLin
Strict-Transport-Security: max-age=15768000

HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Sat, 20 May 2017 18:03:25 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://pdappt.com/application/index.php

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Sat, 20 May 2017 18:03:25 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
X-Powered-By: PleskLin

You already did it for myhsts.com and weg2g.org (you have issued 2 valid certificates, the first one only for the domain and the second one for the domain and www.domain);

CRT ID     DOMAIN (CN)  VALID FROM              VALID TO                EXPIRES IN  SANs
139854221  myhsts.org   2017-May-17 19:29 CEST  2017-Aug-15 19:29 CEST  86 days     myhsts.org
                                                                                    www.myhsts.org

139846387  myhsts.org   2017-May-17 19:02 CEST  2017-Aug-15 19:02 CEST  86 days     myhsts.org


CRT ID     DOMAIN (CN)  VALID FROM              VALID TO                EXPIRES IN  SANs
141312936  weg2g.com    2017-May-20 15:10 CEST  2017-Aug-18 15:10 CEST  89 days     weg2g.com
                                                                                    www.weg2g.com

139846456  weg2g.com    2017-May-17 19:02 CEST  2017-Aug-15 19:02 CEST  86 days     weg2g.com

So you should select the right path to the right certificate in your webserver conf. Using the certbot client the certificates should be here /etc/letsencrypt/live/ and you could also check what they are and where they are located using the certbot certificates command, but with Plesk I’ve no idea because I don’t use it.

Cheers,
sahsanu

I am trying to make both below links work. I already have SSL for the first one but need to add SSL for the second one. I prefer not to use apache to redirect the first to the 2nd one.

https://weg2g.com/site_API/chat_api/client.php?locale=en

https://www.weg2g.com/site_API/chat_api/client.php?locale=en

I’ll work on pdappt.com redirect issue…

Thanks

I also checked live command in Plesk and I saw two domains myhsts.org and weg2g.com
/usr/local/psa/var/modules/letsencrypt/etc/live

To check what are the domains covered by your current cert, you can use this command:

echo | openssl x509 -in /usr/local/psa/var/modules/letsencrypt/etc/live/myhsts.org/cert.pem -noout -text | grep 'DNS:'

You will see whether the cert is covering your myhsts.org and www.myhsts.org domains or only myhsts.org.

If you see both names, www and non-www, then maybe your apache server needs to be reloaded to use the updated cert; if you only see the non-www domain you should review where your Plesk panel saved the issued cert for both domains. The same for weg2g.com.

I ran your command and I can see both www and non-www for both myhsts.org and weg2g.com

I restarted Apache but still https://www.weg2g.com and https://www.myhsts.org does not show up.

Then you should figure out why your web server is not using the right cert. I don’t use Plesk so I have no idea how to check it.

No problem. I’ll contact Plesk support folks and let them figure it out. Nevertheless, your comments were very helpful.
