My ssl certificate installed successfully and nginx server runs without any errors

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tendaafrica.net
i am serving a nodejs api at port 3000
I ran this command: but when i access it from the browser; its doesn't seem to work
this is my sites-availale confi for my site

server {
    listen 80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;
    root /var/www/tenda-express-api;

    location / {
        proxy_pass http://localhost:3000; # Node.js app port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

and this is the default.conf in my sites-enable

server {
    #listen 443 default_server;
    #listen [::]:443 default_server;
    ssl_reject_handshake on;
    server_name tendaafrica.net; # managed by Certbot
    return 444;


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80 ;
    server_name tendaafrica.net;
    return 404; # managed by Certbot


}

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: hostinger
I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi!

Remove ssl_reject_handshake on; from your configuration. How did it get there?

Not_so_ninja_edit: that's what I saw immediately, but looking closer, config doesn't make much sense. Server block for 443 looks to be a catch-all for requests without SNI (or with a wrong one) to reject erroneous connections. If server_name was indeed added by Certbot—that sound like a bug.

You should look into getting your config in order. I don't have time for a thorough walk-through, but it looks like the config in sites-available is mostly correct, just needs to be “converted” for serving TLS connections.

2 Likes

Yes, Thank you; have commented out the handshake but still; its not working

1 Like

I have converted the config in sites available to this

server {
    listen 80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;
}

# HTTPS server block
server {
    listen 443 ssl;
    server_name tendaafrica.net;

    # Path to SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem;     # Update this path
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem;  # Update this path

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/tenda-express-api;

    location / {
        proxy_pass http://localhost:3000; # Node.js app port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

and i have commented out the handshake but still my site is not accessible

1 Like

Do you have this config symlinked from sites-enabled?

1 Like

yes i do

Can you post the entire output of nginx -T command?

I applaud the effort to make the code readable, but the way you do this (plain <pre> tags?), makes it hard to horizontally scroll on mobile. And for some reason there's no way to scroll such a block on the desktop at all, lol. Better to use “tripple backticks” syntax of Markdown, like so:

```
<output of nginx -T>
```
3 Likes

Below is my /etc/nginx/sites-available/site-config

    listen 80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;
}

# HTTPS server block
server {
    listen 443 ssl;
    server_name tendaafrica.net;

    # Path to SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem;     # Update this path
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem;  # Update this path

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/tenda-express-api;

    location / {
        proxy_pass http://localhost:3000; # Node.js app port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

this is default.config from /etc/nginx/sites-enabled

server {
    #listen 443 default_server;
    #listen [::]:443 default_server;
    ssl_reject_handshake on;
    server_name tendaafrica.net; # managed by Certbot
    return 444;


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed 
    by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed 
     by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80 ;
    server_name tendaafrica.net;
    return 404; # managed by Certbot


}

Below is the output of nginx -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user root;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 8192;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 2000;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
    geoip_city    /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database

    real_ip_recursive on;

    set_real_ip_from 127.0.0.1;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from 0.0.0.0/0;
    #real_ip_header X-Forwarded-For;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    log_format cloudflare '$http_cf_connecting_ip - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    client_body_buffer_size  1K;
    client_header_buffer_size 1k;
    client_max_body_size 64M;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    port_in_redirect off;
    access_log off;

    map $scheme $fastcgi_https { ## Detect when HTTPS is used
      default off;
      https on;
    }

    include /etc/nginx/blocked_ips;

    pagespeed off;
    pagespeed XHeaderValue 1;

    ##
    # Security Settings
    ##

    #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    #add_header Content-Security-Policy "img-src 'self' data:;";
    add_header X-Permitted-Cross-Domain-Policies master-only;
    add_header Referrer-Policy same-origin;
    #add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self 'https://haveibeenpwned.com/' 'https://twofactorauth.org/%27), usb=(), vr=()";

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_stapling off;
    ssl_stapling_verify on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Limit the requests for php
    ##

    limit_req_zone $binary_remote_addr zone=limit:10m rate=1r/s;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;

    ##
    # Brotli Settings
    ##

    brotli on;
    brotli_comp_level 8;
    brotli_static on;
    brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}

# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-ngx-brotli.conf:
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-ngx-pagespeed.conf:
load_module modules/ngx_pagespeed.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/blocked_ips:

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default.conf:
server {
    listen 80;
    listen [::]:80 default_server;
    #listen 443 default_server;
    #listen [::]:443 default_server;
    ssl_reject_handshake on;
    server_name _;
    return 444;
}


#server {
   # listen 80;
   # listen [::]:80;
   # listen 443;
    #listen [::]:443
    #ssl_reject_handshake on;
    #server_name tendaafrica.net www.tendaafrica.net;
    #return 444;
    #ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem
    #ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem  

   
#}

server {
    #listen 443 default_server;
    #listen [::]:443 default_server;
    #ssl_reject_handshake on;
    server_name tendaafrica.net; # managed by Certbot
    return 444;


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80 ;
    server_name tendaafrica.net;
    return 404; # managed by Certbot


}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
1 Like

The return 444; causes every connection attempt to fail.

Not sure what your purpose is for that but just try removing that line.

https://nginx.org/en/docs/http/request_processing.html

3 Likes

Thanks @MikeMcQ Now My SSL seems to work and my site at https://tendaafrica.net is reachable only that i cant access my nodejs api; but try to debug from here.

1 Like

Okay good. Did you notice your active (nginx -T) config did not have the above proxy statements for your nodejs? You showed it from a config in your sites-available, but, is not in the server blocks in sites-enabled

3 Likes

i created a symbolic link between sites-available and sites enabled and when i list the contents of sites-enabled i have the default.conf and the tendaafrica.net unless when i have to transfer the contents of tendaafrica.net; the whole server block that includes the proxy to default.conf as another server block; will it work?

I am not sure what you are explaining. But, you should focus on what the nginx -T command shows. I was just pointing out a different between what you showed earlier and the nginx -T result to help you on your way.

We focus on helping people with the certificates. Help with configuring your app and other services is best done on forums specializing in nginx or nodejs.

4 Likes

I think the issue was with the way i named the sites-available/site-config; it didnt have the .conf and it couldnt be loaded since the directive says include/files/*.conf so have changed that this is how my output for "nginx -T" looks like

nginx: [warn] conflicting server name "tendaafrica.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "tendaafrica.net" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user root;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 8192;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 2000;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
    geoip_city    /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database

    real_ip_recursive on;

    set_real_ip_from 127.0.0.1;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from 0.0.0.0/0;
    #real_ip_header X-Forwarded-For;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    log_format cloudflare '$http_cf_connecting_ip - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    client_body_buffer_size  1K;
    client_header_buffer_size 1k;
    client_max_body_size 64M;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    port_in_redirect off;
    access_log off;

    map $scheme $fastcgi_https { ## Detect when HTTPS is used
      default off;
      https on;
    }

    include /etc/nginx/blocked_ips;

    pagespeed off;
    pagespeed XHeaderValue 1;

    ##
    # Security Settings
    ##

    #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    #add_header Content-Security-Policy "img-src 'self' data:;";
    add_header X-Permitted-Cross-Domain-Policies master-only;
    add_header Referrer-Policy same-origin;
    #add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self 'https://haveibeenpwned.com/' 'https://twofactorauth.org/%27), usb=(), vr=()";

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_stapling off;
    ssl_stapling_verify on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Limit the requests for php
    ##

    limit_req_zone $binary_remote_addr zone=limit:10m rate=1r/s;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;

    ##
    # Brotli Settings
    ##

    brotli on;
    brotli_comp_level 8;
    brotli_static on;
    brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}

# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-ngx-brotli.conf:
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-ngx-pagespeed.conf:
load_module modules/ngx_pagespeed.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/blocked_ips:

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default.conf:
server {
    listen 80;
    listen [::]:80 default_server;
    #listen 443 default_server;
    #listen [::]:443 default_server;
    ssl_reject_handshake on;
    server_name _;
    return 444;
}


#server {
   # listen 80;
   # listen [::]:80;
   # listen 443;
    #listen [::]:443
    #ssl_reject_handshake on;
    #server_name tendaafrica.net www.tendaafrica.net;
    #return 444;
    #ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem
    #ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem  

   
#}

server {
    #listen 443 default_server;
    #listen [::]:443 default_server;
    #ssl_reject_handshake on;
    server_name tendaafrica.net; # managed by Certbot
    #return 444;


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80 ;
    server_name tendaafrica.net;
    return 404; # managed by Certbot


}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/sites-enabled/tendaafrica.conf:
#server {
#    listen 80;
#    server_name tendaafrica.net;
#    return 301 https://$host$request_uri;
#    root /var/www/tenda-express-api;
#    index index.js
#   
#    location / {
#        proxy_pass http://localhost:3000; # Node.js app port
#        proxy_http_version 1.1;
#        proxy_set_header Upgrade $http_upgrade;
#        proxy_set_header Connection 'upgrade';
#        proxy_set_header Host $host;
#        proxy_cache_bypass $http_upgrade;
#    }
#}

# Redirect HTTP to HTTPS
server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;


}

# HTTPS server block
server {
    listen 443 ssl;
    server_name tendaafrica.net;

    # Path to SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed by Certbot
     # Update this path
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed by Certbot
  # Update this path

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/tenda-express-api;
    index index.js;

    location / {
        proxy_pass http://localhost:3000; # Node.js app port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

}

but then the first two lines; of conflicting server names; have failed to fix that

Alright @MikeMcQ; Thank you very much for the assistance.

1 Like

A post was split to a new topic: Certbot timeout problem

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.