Lightsail subdomain not encrypted

I encrypted subdomains following the

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

and checked the txt records using

https://mxtoolbox.com/SuperTool.aspx?action=txt%3A_acme-challenge.example.comxxx#

but api.example.com is not showing encrypted, i.e., rendering not secured.

In the Nginx configuration, it is set as follows:

if ($host ~ ^[^.]+\.example\.com$) {
    return 301 https://$host$request_uri;
} # managed by Certbot

So it should be working, but it isn’t. What’s missing here?

Thanks

Hi @allison9y

Checked your main domain, there is a new wildcard certificate ( https://check-your-website.server-daten.de/?q=livelang.sydney ):

CN=livelang.sydney
    07.06.2019
    05.09.2019
    expires in 86 days
    *.livelang.sydney, livelang.sydney - 2 entries

But checking your subdomain, no https is configured ( https://check-your-website.server-daten.de/?q=api.livelang.sydney ):

Domainname  Http-Status  redirect  Sec.  G
http://api.livelang.sydney/
    3.13.97.72  200  0.260  H
https://api.livelang.sydney/
    3.13.97.72  -2  1.374  V
    ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 3.13.97.72:443
http://api.livelang.sydney/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    3.13.97.72  404  0.253  A
    Not Found
    Visible Content: 404 Not Found nginx/1.14.0 (Ubuntu)

So add a port 443 vHost that uses the wildcard certificate.

What does it mean that no https is configured? How can I configure this? Where?

In nginx.conf (or a file included from nginx.conf) you should already have a ‘server’ directive; otherwise your http would not be served.
You have to add another one with something like

server {
    listen *:443 ssl http2;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    # (…see nginx doc and tutorials…)
}

That’s what @JuergenAuer is referring to when he writes about a ‘vHost’ (that’s more of an Apache term).

Thanks.

This api.example.com uses a different IP address from the main www.example.com. So do I have to configure the 443 server as

server {
    listen *:443 ssl http2;
    server_name www.example.com;

}

I gather that 13.xxx.xxx.xxx has to have an https directive, but there are no certificates for the IP address. Does that mean the IP has to be encrypted as well?

Yes, the server_name directive should match your server name (duh.)
And the rest should look similar to your http (port 80) server section, with the addition of ssl directives of course (I did not look precisely, but it’s certain that at least the ssl_certificate and ssl_certificate_key directives should be present and point at your certificates; other directives can be present, such as ssl_protocols, ssl_ciphers and others, but I’m not sure these are mandatory).
Normally you don’t use certificates with IP addresses (you don’t use pure IP addresses at all on the modern Web).
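As an added example (not the configuration of anyone in this thread), here is what the missing port 443 server block described above looks like when written out for api.example.com with the wildcard certificate, alongside the port 80 block that redirects to it. It assumes the Certbot default certificate paths under /etc/letsencrypt/live/example.com/ and a backend API listening on 127.0.0.1:3000; both are assumptions to adjust, and the blocks go into the nginx on the host that answers for api.example.com.

```nginx
# Added example, not from the thread. Put this in /etc/nginx/sites-enabled/
# (or wherever your existing port-80 server block lives) on the host that
# serves api.example.com, then run `nginx -t` and reload nginx.

# Port 80: only redirect to https. This is what the Certbot-managed
# `if ($host ...)` rule in the thread already does; it cannot serve TLS itself.
server {
    listen 80;
    listen [::]:80;
    server_name api.example.com;

    return 301 https://$host$request_uri;
}

# Port 443: the block that was missing. Without a `listen 443 ssl` block nginx
# never opens port 443, which is why the check tool saw "connection refused".
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.example.com;   # must match the Host the client requests

    # The wildcard certificate *.example.com covers api.example.com, so the
    # same key pair as the main site is used (assumed Certbot default paths).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Not mandatory, but sensible defaults: modern protocols, session reuse.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Tell browsers to keep using https for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Whatever the port-80 block used to serve belongs here now.
    location / {
        proxy_pass http://127.0.0.1:3000;   # assumed backend for the API
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

After reloading, `openssl s_client -connect api.example.com:443 -servername api.example.com` should show the *.example.com certificate instead of a refused connection.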

I have no idea what you could mean by that. No one is encrypting localhost.