Let's encrypt SSL not working on tablet, port 80 closed, 443 open


#1

I installed Let’s Encrypt SSL on my Ubuntu 14.04 server on Digital Ocean by using tutorial https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

When I ran the website in my laptop's Chrome browser, https works fine. But when I ran it in my tablet's Chrome browser, https is not recognized by the browser; it acts like the SSL is self-signed. My server shows that port 80 is closed and port 443 is open. I checked the server block; I changed the original 80 to 443 and added another server block for 80, just as the tutorial specified.

I can't figure out why this is happening, please help.


#2

It could be that the chain file configuration on your server is not correct. Are you happy to provide your domain name so we can check? You can check yourself using https://www.ssllabs.com/ssltest/ and see if it gives any chain errors.


#3

Sure, my domain is usorgames.net or www.usorgames.net
Thank you very much for your help.


#4

As suspected it’s a chain issue. You haven’t included the intermediate cert into your apache server config. Have a look at https://mozilla.github.io/server-side-tls/ssl-config-generator/ for what should be a good, secure, config.


#5

Thanks. I am the original user jy2008; I just created a new account.
So, going back to where we were. I really appreciate your help. The thing is, I am a newbie, so I still don't exactly know what to do after my study. This is the tutorial I followed; what is wrong with this tutorial? I guess they didn't include the intermediate cert? And this is how my server block looks, as below. Is it possible for you to identify where it went wrong and how to fix it, or could you show me a tutorial that does that? Greatly appreciate your help.

server {
    listen 80;
    server_name usorgames.net www.usorgames.net;
    return 301 https://$host$request_uri;
}

server {
    location ~ /.well-known {
        allow all;
    }

    root /usr/share/nginx/html;
    index index.html index.htm;

    listen 443 ssl;

    server_name usorgames.net www.usorgames.net;
    server_name usorgames.net www.usorgames.net;

    ssl_certificate /etc/letsencrypt/live/usorgames.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/usorgames.net/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:$
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    # Make site accessible from http://localhost/
    server_name localhost;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }
}

#6

I am sorry, I forgot to include the link to the tutorial I followed. I am using Digital Ocean Ubuntu 14.04 with Nginx.


#7

That configuration looks OK (the intermediate certificate is within fullchain.pem).

Have you restarted nginx since updating the configuration?

If so, what's in the fullchain.pem? Has it got multiple certs in there? (It would be odd if it didn't have.)


#8

Looks like it got two certificates in fullchain.pem:

    -----BEGIN CERTIFICATE-----
    MIIFETCCA/mgAwIBAgISA+PDZfvv7LQ04loIKZAEsLWCMA0GCSqGSIb3DQEBCwUA
    .....
    cdkuraU=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
    .....
    KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
    -----END CERTIFICATE-----

Does this look right to you?


#9

Yes, that looks right; that should be your domain cert and the intermediate cert.

Have you tried rebooting the server, just to ensure that nginx has restarted? (I have seen occasions where just issuing a restart command for nginx hasn't restarted it, because there have been 2 versions running, and hence the main one hasn't been restarted.)


#10

I powered off my server and powered it back on. Still the same: works on desktop, but not on tablet or mobile.
I give up; I think at some point I am just gonna reinstall Let's Encrypt. I think at a certain level it still works, because there are certain apps I installed (like the hubot chat adapter) that will only work if I have a legitimate SSL, and it does work.
Anyway, thank you so very much for all the work and responses. At least now I know that this community works very well; it is one of the best in terms of addressing questions in a timely manner. :slight_smile:


#11

Chain problems like those described above often have the symptom that one client will accept the cert while another client will reject it. This is because some clients are willing to cache intermediate certificates and others aren’t, or simply haven’t seen the particular intermediate in question before. So, the explanation that others gave about the problem is most likely correct.


#12

Thanks. So my only solution is to reinstall at some point, is that right?


#13

No, we just have to figure out what’s going on with your nginx configuration and why it fails to serve the full chain despite apparently being configured to do so. It’s a mystery, but there ought to be some solution that doesn’t require reinstallation!


#14

I have a hypothesis that somehow that nginx configuration isn’t being used, because I can’t connect on port 80 at all, even though the configuration appears to say that it should listen on port 80. If you don’t have another explanation for that, I’d suggest that somehow you’re using a different configuration than the one you think you are.


#15

You are absolutely right! What do you think I can do right now?


#16

Maybe you can look at the configurations in /etc/nginx to try to understand what they are telling nginx to do, and why they are loading a different one from the one you expected.
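A diagnostic script for the two leads raised in the replies above (a server that does not send the intermediate, and an nginx config that is not the one actually loaded), added here and not part of the thread. The hostname is a placeholder, and `nginx`, `openssl s_client` and `ss` or `netstat` are assumed to be installed on the server.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Compares the chain on disk with the
# chain the server actually presents, then shows which config nginx loads.
HOST="${1:-www.example.com}"   # placeholder hostname, not the thread's domain

# Count PEM certificate blocks in a file. fullchain.pem should give at least 2
# (leaf + intermediate). `|| true` keeps grep's exit status 1 on zero matches
# from aborting callers that run under `set -e`; a missing file counts as 0.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Count certificates presented in a real handshake. -servername sends SNI,
# which is what selects the server block when several share one IP.
count_served_certs() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Which config file nginx validates/loads, what the enabled sites declare, and
# which ports are really bound. A closed port 80 while a server block says
# `listen 80` means that block is not the one in use.
show_nginx_state() {
    echo "== config nginx validates and would load =="
    nginx -t 2>&1
    echo "== listen / server_name / ssl_certificate in enabled sites =="
    grep -rn -e 'listen' -e 'server_name' -e 'ssl_certificate' \
        /etc/nginx/sites-enabled /etc/nginx/conf.d 2>/dev/null
    echo "== sockets bound on 80/443 =="
    { ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null; } | grep -E ':(80|443) '
}

main() {
    pem="/etc/letsencrypt/live/$HOST/fullchain.pem"   # path pattern from the thread
    served=$(count_served_certs "$HOST")
    echo "certs in $pem: $(count_pem_certs "$pem")"
    echo "certs served by $HOST:443: $served"
    if [ "$served" -lt 2 ]; then
        echo "no intermediate sent: clients that have not cached it will reject the cert"
    fi
    show_nginx_state
}

# Live checks only run when a hostname is passed, so the functions can be
# sourced or tested without touching the network.
[ $# -gt 0 ] && main
```

Run it as `sh chaincheck.sh yourhost` on the server; if the file count is 2 but the served count is 1, nginx is not serving the file the block above names, which is exactly the hypothesis in the reply about a different configuration being loaded.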

