Lightsail subdomain not encrypted

I encrypted subdomains following the

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

and checked the txt records using

https://mxtoolbox.com/SuperTool.aspx?action=txt%3A_acme-challenge.example.comxxx#

but api.example.com is not showing encrypted, i.e., rendering not secured.

In the Nginx configuration, it is set as follows:

if ($host ~ ^[^.]+\.example\.com$) {
    return 301 https://$host$request_uri;
} # managed by Certbot

So, it should be working, but it is not. What’s missing here?

Thanks

Hi @allison9y

Checked your main domain: there is a new wildcard certificate ( https://check-your-website.server-daten.de/?q=livelang.sydney ):

CN=livelang.sydney
07.06.2019 - 05.09.2019, expires in 86 days
*.livelang.sydney, livelang.sydney - 2 entries

But checking your subdomain no https is configured ( https://check-your-website.server-daten.de/?q=api.livelang.sydney ):

Domainname Http-Status redirect Sec. G
http://api.livelang.sydney/
3.13.97.72 200 0.260 H
https://api.livelang.sydney/
3.13.97.72 -2 1.374 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 3.13.97.72:443
http://api.livelang.sydney/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
3.13.97.72 404 0.253 A
Not Found
Visible Content: 404 Not Found nginx/1.14.0 (Ubuntu)

So add a port 443 vHost that uses the wildcard certificate.
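An added example, not part of the original thread: a small Python check that separates the two conditions reported above, namely whether the certificate's names cover the subdomain and whether anything answers on port 443. The function names are hypothetical; the name list is copied from the certificate entries shown above.

```python
import socket
import ssl
import sys

# Names from the certificate shown in the check output above.
PAGE_SANS = ["*.livelang.sydney", "livelang.sydney"]

def san_covers(san, host):
    """True if one certificate name covers host. A wildcard stands for
    exactly one leftmost label, so it never matches the bare domain."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == san[2:]

def cert_covers(sans, host):
    return any(san_covers(s, host) for s in sans)

def probe_https(host, port=443, timeout=5.0):
    """Classify the endpoint: 'ok', 'no-listener', 'cert-invalid: ...' or 'error: ...'."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ConnectionRefusedError:
        return "no-listener"  # the "actively refused" case in the report
    except ssl.SSLCertVerificationError as exc:
        return "cert-invalid: " + exc.verify_message
    except OSError as exc:
        return "error: " + str(exc)

def diagnose(sans, host, probe=probe_https):
    """Combine both checks into one finding for the given host."""
    if not cert_covers(sans, host):
        return "certificate does not cover " + host + ": a new certificate is needed"
    state = probe(host)
    if state == "no-listener":
        return "certificate covers " + host + " but nothing listens on 443: add an ssl server block"
    return state

if __name__ == "__main__":
    # Usage: python check_https.py <hostname>  (performs a real connection)
    if len(sys.argv) > 1:
        print(diagnose(PAGE_SANS, sys.argv[1]))
```
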

What does it mean that no https is configured? How can I configure this? Where?

In nginx.conf (or a file included in nginx.conf) you should already have a 'server' directive, else your http would not be served.
You have to add another with something like

server {
    listen *:443 ssl http2;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    # (...see nginx doc and tutorials...)
}

That's what @JuergenAuer is referring to when he is writing about 'vHost' (that's more an Apache term)

Thanks.

This api.example.com uses a different IP address to the main www.example.com. Thus do I have to configure the 443 server in as

server {
    listen *:443 ssl http2;
    server_name www.example.com;

}

I gather that 13.xxx.xxx.xxx has to have a https directive but there are no certificates for the IP address. Does that mean that the IP has to be encrypted as well?

Yes the server_name directive should match your server name (duh.)
And the rest should look similar to your http (port 80) server section, with the addition of ssl directives of course (I did not look precisely but it’s certain that at least the ssl_certificate and ssl_certificate_key directives should be present and point at your certificates - other directives can be present such as ssl_protocols, ssl_ciphers, and others but I’m not sure these are mandatory).
Normally you don’t use certificates with IP addresses (you don’t use pure IP addresses at all in modern Web)

I have no idea of what you could mean by that. No one is encrypting localhost.
