Newbie: Cannot get https to work, connection refused

My domain is: hahnca.com

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.6

I can login to a root shell on my machine (yes or no, or I don't know): yes, I only use root (please don't judge)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

I have followed certbot installation instructions from multiple tutorials on the web. Cert says my certificates are installed. Certbot modified my server.conf file. I checked and all files mentioned in the certbot modified section are present and look good. When I go to my site http works but https gives "connection refused". Here are my nginx.conf and server.conf files ...

user root;
worker_processes 4;
pid /run/nginx.pid;

events {
  worker_connections 768;
  # multi_accept on;
}

http {
  index index.html;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  # server_tokens off;

  server_names_hash_bucket_size 64;
  # server_name_in_redirect off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ##
  # Logging Settings
  ##

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  log_format scripts '$document_root$fastcgi_script_name > $request';

  ##
  # Gzip Settings
  ##

  gzip on;
  gzip_disable "msie6";

  # gzip_vary on;
  # gzip_proxied any;
  # gzip_comp_level 6;
  # gzip_buffers 16 8k;
  # gzip_http_version 1.1;
  # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

  include /etc/nginx/conf.d/*.conf;
  # include /etc/nginx/sites-enabled/*;
}

server {
  server_name hahnca.com;
  root /root/apps/www/hahnca.com;

  # listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/hahnca.com-0001/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/hahnca.com-0001/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Note that the file /root/apps/www/hahnca.com/index.html just outputs "error: hahnca.com is not a valid address.". This is because no one is supposed to go to that default page.

What am I doing wrong? Thanks in advance.

1 Like

Hello @mark-hahn,

Port 443 (for HTTPS) is presently being filtered; likely a firewall.

$ nmap -Pn -p80,443 hahnca.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-04 00:11 UTC
Nmap scan report for hahnca.com (71.92.208.41)
Host is up (0.054s latency).
rDNS record for 71.92.208.41: 071-092-208-041.res.spectrum.com

PORT    STATE    SERVICE
80/tcp  closed   http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds
2 Likes

And now it has changed to Open Port 80, but Port 443 is still filtered.

$ nmap -Pn -p80,443 hahnca.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-04 00:24 UTC
Nmap scan report for hahnca.com (71.92.208.41)
Host is up (0.059s latency).
rDNS record for 71.92.208.41: 071-092-208-041.res.spectrum.com

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 1.68 seconds
2 Likes
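
Added example, not part of the thread or any poster's code: a TCP connect probe that reproduces the three states in the nmap output above (open, closed, filtered), plus a helper that compares the result seen on the server itself with the result seen from the internet. The function names `probe` and `diagnose` are hypothetical; the external state has to be measured from outside the network, as the nmap scans were.

```python
import errno
import socket


def probe(host, port, timeout=3.0):
    """TCP connect probe: return 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"        # RST came back: reachable, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"      # no reply at all: packets dropped on the way
    except OSError as e:
        # An ICMP "unreachable" from a router or firewall is also "filtered".
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise                  # e.g. DNS failure: not a port state
    finally:
        s.close()


def diagnose(local, external):
    """Combine the state seen on the server with the state seen from outside."""
    if local != "open":
        return ("nginx is not accepting connections on this port; "
                "check the listen directive and reload nginx")
    if external == "open":
        return "reachable end to end"
    # Listening locally but not reachable from outside: something in the
    # path (host firewall, router, NAT/port forwarding) blocks the port.
    return ("service is up but the path is blocked; "
            "check the host firewall and NAT/port forwarding")


if __name__ == "__main__":
    # Run on the web server itself; take the external state from a scan
    # made outside the network (here: the value nmap reported for 443).
    for port, external in ((80, "open"), (443, "filtered")):
        local = probe("127.0.0.1", port, timeout=1.0)
        print(port, local, external, "->", diagnose(local, external))
```
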

For general nginx information you might find nginx documentation and https://forum.nginx.org/ helpful.

2 Likes

Hi @mark-hahn,

Here are a few links for Ubuntu 20.04 Firewall

  1. How To Configure Firewall with UFW on Ubuntu 20.04 LTS - nixCraft
  2. https://linuxconfig.org/how-to-enable-disable-firewall-on-ubuntu-20-04-lts-focal-fossa-linux
  3. How To Set Up a Firewall with UFW on Ubuntu 20.04 | DigitalOcean
  4. Security - Firewall | Ubuntu
  5. UncomplicatedFirewall - Ubuntu Wiki
2 Likes

That's an indication of something not having gone to plan.
Let's have a look at:

certbot certificates

Also:

Did you intentionally leave out the "www"?

Name:    hahnca.com
Address: 71.92.208.41

Name:    www.hahnca.com
Address: 71.92.208.41

The Internet must reach the HTTPS service [TCP port 443] as it does the HTTP service [TCP port 80].
Check all NAT/port forwarding devices along the way.

3 Likes

Is that line still commented out? Usually your active server blocks are in that folder.

There is also the below to look at. But, start with the @rg305 comments and he or someone will look at this after those issues are sorted.

One, there is no redirect from HTTP to HTTPS. And, the "data" from that response "error: hahnca.com ..." is very strange. I think we will need to see your entire nginx config at some point.

curl -i http://hahnca.com
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Content-Length: 44
Last-Modified: Thu, 02 Jun 2016 05:21:56 GMT

error: hahnca.com is not a valid address.
3 Likes

Agreed.

Show us:

nginx -T

3 Likes

Wow. I've never seen such good quick feedback from so many people. Thanks.

"Check all NAT/port forwarding devices along the way."

Damn damn damn -- I knew it would be something stupid. My gateway was not forwarding 443.

Sorry for all the trouble. Actually it wasn't wasted because I went through everyone's suggestions and learned a whole lot before finding the problem.

4 Likes

Cheers from Miami :beers:

3 Likes
