Let's Encrypt SSL Certificate Setup Issue

Hello, I am having issues getting a Let's Encrypt SSL certificate to work on my site.

I am just learning about SSL and Certificates so am new to this and have found it very very difficult to troubleshoot the issue with my limited knowledge. I would really appreciate some pointers or advice!

Background: My server is nginx installed on a Ubuntu 14.04 droplet on Digital Ocean.

What I have done / tried:

  • I have set up A records for the domain for www.example.com and example.com pointing to the server.

  • I have used the following tutorial to set up SSL for my domain: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

  • I successfully created the certificates on my server as shown by running the following command: sudo ls -l /etc/letsencrypt/live/example.com/

  • I get no errors when running either of the following: (sudo nginx -t) (sudo service nginx restart)

  • Visiting ssllabs.com gives me the following message when I test my domain. https://www.ssllabs.com/ssltest/analyze.html?d=example.com

    "Assessment failed: No secure protocols supported"

    My /etc/nginx/sites-available/example.com Config File:

    server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;

        server_name example.com www.example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        root /var/www/example.com/public;
        index index.php index.html index.htm;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

        error_log  /var/log/nginx/example.com-error.log error;

        # Lets Encrypt
        location ~ /.well-known {
            allow all;
        }

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
            # Uncomment to enable naxsi on this location
            # include /etc/nginx/naxsi.rules
        }

        location ~ \.php$ {
            try_files $uri /index.php =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
Thank you for looking, and any pointers would be greatly appreciated as I've spent hours on this with no luck!
I have also posted this to Stack Exchange: https://stackoverflow.com/questions/44911459/lets-encrypt-ssl-certificate-setup-issue

ensure you have corresponding
/etc/nginx/sites-enabled/example.com.conf
that links to your
/etc/nginx/sites-available/example.com (conf file)

Thanks for your response rg305.
Yes I do have a link between the following:

/etc/nginx/sites-available/example.com
/etc/nginx/sites-enabled/example.com

to be clear:
the sites-enabled link ends with “.conf” ?
if not, it may not match the include *.conf setting.

I have changed the following file names as per your suggestion:
From:

/etc/nginx/sites-available/example.com
/etc/nginx/sites-enabled/example.com

To (including remaking the symbolic link)

/etc/nginx/sites-available/example.com.conf
/etc/nginx/sites-enabled/example.com.conf

I then ran
sudo service nginx restart

It still doesn’t work. I am baffled!

Running the curl command:
curl -I https://example.com

Gives me the following error:
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

Do Nginx’s access and error logs say anything?

What does “curl -I http://example.com:443/” do?

What’s your actual site? What’s the rest of Nginx’s configuration? Are the “listen” and (deprecated) “ssl on;” directives correct?

show results of:
netstat -nap tcp | grep 443

it should look something like this:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2321/nginx.conf

if so, then find that conf file:
cd /
find / -name nginx.conf -type f

then show us the contents:
more /path/to/your/nginx.conf

Hi mnordhoff,

curl -I http://example.com:443/

Returns:

curl: (52) Empty reply from server

I haven’t edited the rest of nginx’s configuration files, only the files for this domain in: /etc/nginx/sites-available/ & …sites-enabled

I believe the directives shown in my config file for the domain are correct as I followed the Digital Ocean tutorial and the comments on that page report that it works for other users.

Hi rg305,
The output for the netstat command:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 21905/nginx

Note that it displays “nginx” and not “nginx.conf” (I don’t know if that is significant?)

The find command for “nginx” as type file returns:

/etc/logrotate.d/nginx
/etc/default/nginx
/etc/ufw/applications.d/nginx
/etc/init.d/nginx
/usr/sbin/nginx

However, I do have a nginx.conf file located here: /etc/nginx/nginx.conf
Which of the above files content would you like to see, and thank you!

Show:
/etc/nginx/nginx.conf

Contents of /etc/nginx/nginx.conf:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##
	
	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

@TheSycamore, run the following and paste the output here:

grep -rsi server_name /etc/nginx/

You may have an additional server block for the same domain name incorrectly defined some place else. If it gets found first, you may see an error while trying to access the domain. It won't prevent the successful restart though, so you might not notice the problem unless you have a habit of running:

service nginx configtest

after any changes made ...

Dear leader, thank you for the suggestion.
This is what I get when running:

grep -rsi server_name /etc/nginx/

Result

/etc/nginx/uwsgi_params:uwsgi_param	SERVER_NAME		$server_name;
/etc/nginx/scgi_params:scgi_param	SERVER_NAME		$server_name;
/etc/nginx/fastcgi_params:fastcgi_param	SERVER_NAME		$server_name;
/etc/nginx/nginx.conf:	server_names_hash_bucket_size 64;
/etc/nginx/nginx.conf:	# server_name_in_redirect off;
/etc/nginx/sites-available/example.com.conf:    server_name example.com www.example.com;
/etc/nginx/sites-available/example.com.conf:        server_name example.com www.example.com;
/etc/nginx/sites-available/default:	server_name localhost;
/etc/nginx/sites-available/default:#	server_name somename alias another.alias;
/etc/nginx/sites-available/default:#	server_name localhost;

It looks like the server_name is defined just in one place.
Thanks

can you show the (sites-enabled) conf:
/etc/nginx/sites-enabled/example.com.conf

Contents of /etc/nginx/sites-enabled/example.com.conf

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/example.com/public;
    index index.php index.html index.htm;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    error_log  /var/log/nginx/example.com-error.log error;

    # Lets Encrypt
    location ~ /.well-known {
        allow all;
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

After I visit the domain in my browser, there is no record in the file:
/var/log/nginx/access.log

There is also no error reported in the domain specific error log file:
/var/log/nginx/example.com-error.log

Some more background: This is a very simple static html site that was working on this very same server when the config files were just using port 80 with no SSL Certificates. The problem I am experiencing began when I attempted to switch the server to use SSL. So I believe nginx is reading the correct config files.

I don’t know how to troubleshoot this problem, what is the process of eliminating possible causes?

I would suggest that there is some kind of firewall blocking connections to port 443 of the server. Can you check anything to eliminate that possibility?

Hi Schoen,
netstat -tuplen (on the server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          18817813   -

So I believe the port 443 is open and listening successfully.

On my local machine I ran this command:
sudo nmap -p 443 example.com

Starting Nmap ( https://nmap.org ) at 2017-07-06 01:46 BST
Nmap scan report for example.com (xx.xxx.x.xx)
Host is up (0.076s latency).
PORT    STATE SERVICE
443/tcp open  https

sudo iptables -L -n
Doesn’t show that I am banning any ports
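The thread ends with nmap reporting 443 open and netstat showing a LISTEN, while curl still fails mid-handshake. As an added example (not from the thread and not nginx code), this Python probe separates the cases the posters were checking by hand: nothing answering at all, a listener that accepts the TCP connection but drops it or answers in plaintext before TLS completes, and a completed handshake. `start_fake_server` is a constructed stand-in for a misbehaving port 443, used only to exercise the probe locally.

```python
import socket
import ssl
import threading

def probe_tls(host, port, timeout=3.0):
    """Classify what a TLS client sees on host:port; certificate trust is NOT checked.
    refused/unreachable point at a firewall or no listener (nmap would not say 'open');
    closed_during_handshake / handshake_error mean something accepted the TCP
    connection but is not completing TLS on it (curl's error 35 looks like this)."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route, ...
        return "unreachable"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # reachability only; verify trust separately
    try:
        with ctx.wrap_socket(raw, server_hostname=host):  # handshake happens here
            return "tls_ok"
    except (ssl.SSLEOFError, ConnectionError):
        return "closed_during_handshake"
    except ssl.SSLError as e:  # older OpenSSL/Python report an early EOF as a plain SSLError
        return "closed_during_handshake" if "eof" in str(e).lower() else "handshake_error"
    except OSError:
        return "unreachable"

def start_fake_server(behaviour):
    """Constructed stand-in for a broken port 443 (this is not nginx). Returns (port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # poll so the thread can notice stop()
    stopping = threading.Event()
    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                if behaviour == "plain_http":  # HTTP on 443: answers the ClientHello in plaintext
                    conn.recv(65536)
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                # behaviour "close": accept the TCP connection, then drop it immediately
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopping.set
```

Run `probe_tls` against the public name from outside and against 127.0.0.1 on the droplet itself; a handshake-stage result with the port reported open points at whatever is answering on 443, not at the firewall.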