hkim009
February 8, 2019, 4:05pm
21
Probably messed up something since it is not working. I have entered this in my nginx config:
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    index index.html index.htm index.nginx-debian.html;
    server_name psykolog.nu www.psykolog.nu; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/psykolog.nu-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/psykolog.nu-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
And I reloaded my server
service nginx restart
hkim009
February 8, 2019, 4:06pm
22
Thank you. I cleaned up the /psykolog.nu/ files in archive, live and renewal. No more errors when I enter
certbot certificates
Then you have more than one server with this server-name. Or your default server is used.
So check which certificate your default server is using.
hkim009
February 8, 2019, 4:08pm
24
Strange thing when I type curl -v https://psykolog.nu :
curl -v https://psykolog.nu
Rebuilt URL to: https://psykolog.nu/
Trying 127.0.0.1…
TCP_NODELAY set
Connected to psykolog.nu (127.0.0.1) port 443 (#0 )
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
and when I enter curl -v https://www.psykolog.nu :
curl -v https://www.psykolog.nu
Rebuilt URL to: https://www.psykolog.nu/
Trying 178.79.154.124…
TCP_NODELAY set
Connected to www.psykolog.nu (178.79.154.124) port 443 (#0 )
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
why not 127.0.0.1 for https://www.psykolog.nu as well?
hkim009
February 8, 2019, 4:09pm
25
Only got one server. So should I change this line?
What certificate(s) does “certbot certificates” show now?
hkim009:
Only got one server.
You must have a second server config. If you change your certificate and if my browser can't see it, then it isn't used -> second config, perhaps the default config without a server-name.
What’s that?
I see, you have rechecked your domain via https://check-your-website.server-daten.de/?q=psykolog.nu
There is this (Html-content):
link
stylesheet
https://psykolog.nu/wp-content/plugins/cmp-coming-soon-maintenance/css/animate.min.css
Is there a Wordpress? Perhaps there is the second server.
hkim009
February 8, 2019, 4:52pm
29
Yes. I have an nginx web server and a WordPress installation.
hkim009
February 8, 2019, 4:52pm
30
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: psykolog.nu-0001
Domains: psykolog.nu www.psykolog.nu
Expiry Date: 2019-05-08 19:49:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/psykolog.nu-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/psykolog.nu-0001/privkey.pem
hkim009
February 8, 2019, 5:31pm
31
I’m using Easy Engine 4. From what I understand ee4 uses nginx proxy. Could this problem be due to this? That I have to edit the default.conf file of the nginx-proxy? The server block in that file only defines psykolog.nu and not www.psykolog.nu.
rg305
February 8, 2019, 5:49pm
32
That is a DNS issue.
Check your /etc/hosts file.
hkim009
February 8, 2019, 5:51pm
33
Nope, too early. That fixed the curl issues though.
curl -v https://www.psykolog.nu
Rebuilt URL to: https://www.psykolog.nu/
Trying 127.0.0.1...
TCP_NODELAY set
Connected to www.psykolog.nu (127.0.0.1) port 443 (#0 )
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
(304) (OUT), TLS handshake, Client hello (1):
(304) (IN), TLS handshake, Server hello (2):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Unknown (8):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Certificate (11):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, CERT verify (15):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Finished (20):
(304) (OUT), TLS change cipher, Client hello (1):
(304) (OUT), TLS Unknown, Certificate Status (22):
(304) (OUT), TLS handshake, Finished (20):
SSL connection using unknown / TLS_AES_256_GCM_SHA384
ALPN, server accepted to use http/1.1
Server certificate:
subject: CN=psykolog.nu
start date: Feb 7 19:49:33 2019 GMT
expire date: May 8 19:49:33 2019 GMT
subjectAltName: host "www.psykolog.nu" matched cert's "www.psykolog.nu"
issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
SSL certificate verify ok.
(304) (OUT), TLS Unknown, Unknown (23):
GET / HTTP/1.1
Host: www.psykolog.nu
User-Agent: curl/7.58.0
Accept: /
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Newsession Ticket (4):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Newsession Ticket (4):
(304) (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 08 Feb 2019 18:00:14 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< Location: https://psykolog.nu/
<
301 Moved Permanently
301 Moved Permanently
nginx/1.14.0 (Ubuntu)
* Connection #0 to host www.psykolog.nu left intact
curl -v http://www.psykolog.nu
curl -v http://www.psykolog.nu
Rebuilt URL to: http://www.psykolog.nu/
Trying 127.0.0.1...
TCP_NODELAY set
Connected to www.psykolog.nu (127.0.0.1) port 80 (#0 )
GET / HTTP/1.1
Host: www.psykolog.nu
User-Agent: curl/7.58.0
Accept: /
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 08 Feb 2019 18:00:42 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< Location: https://psykolog.nu/
<
301 Moved Permanently
301 Moved Permanently
nginx/1.14.0 (Ubuntu)
* Connection #0 to host www.psykolog.nu left intact
Shouldn't this mean that this is fixed? But SSL-Checker and Check-your-website.server-daten.de still report a 503 error and a certificate mismatch. And of course, if I enter http:// and https://www.psykolog.nu I still get errors in the web browser...
That's the problem: The individual vHost isn't used, instead the default config is used.
1 Like
No, it isn't fixed. Your https + non www uses the certificate with one domain name.
And your https + www has the wrong certificate.
But if you have two vHosts with the same server name, only one is used. So change the SSL configuration of that vHost.
I see, you have rechecked your domain ( https://check-your-website.server-daten.de/?q=psykolog.nu ):
Now it’s fixed:
Both connections use the same certificate with both domain names:
CN=psykolog.nu
07.02.2019
08.05.2019
psykolog.nu, www.psykolog.nu - 2 entries
Now fix your http + www - 503 error.
Perhaps there is the same - no server defined.
hkim009
February 8, 2019, 6:48pm
37
I got this working now - I think. For some reason the certs for nginx-proxy were not updated. After updating this, www.psykolog.nu is working as it should.
Thank you all for your help!
2 Likes
hkim009
February 8, 2019, 6:48pm
38
Yeah. I do not get this. But this must be an nginx configuration error?
Yes. This nginx-proxy must handle that correctly.
Check the port 80 definition of this proxy to see whether the www version is defined there.
hkim009
February 9, 2019, 10:54pm
40
I have now fixed the last 503 error. It was nginx-proxy related: I had to create a file under /opt/easyengine/services/nginx-proxy/conf.d with the specific www.psykolog.nu-redirect.conf with a server block:
server {
    listen 80;
    server_name www.psykolog.nu;
    # Scheme added: without it the Location header is not an absolute URL
    return 301 https://$host$request_uri;
}
to get that last error fixed.
Thank you all for your help!
2 Likes
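The failure diagnosed in this thread, a hostname with no matching server block falling through to the default server (wrong certificate on 443, 503 on 80), can be checked offline. This is an added example, not code from the thread or from EasyEngine/nginx-proxy: it applies a simplified version of nginx's server selection (exact names only, no wildcard or regex names) to a constructed config, and the certificate paths and block layout are assumptions.

```python
import re

# Constructed sample (not the poster's files): the proxy names only the apex
# domain; a catch-all default answers everything else. Paths are hypothetical.
BEFORE = """
server { listen 80 default_server; server_name _; return 503; }
server { listen 80; server_name psykolog.nu; return 301 https://$host$request_uri; }
server { listen 443 ssl default_server; server_name _; ssl_certificate /certs/default.crt; }
server { listen 443 ssl; server_name psykolog.nu; ssl_certificate /certs/psykolog.nu.crt; }
"""
AFTER = BEFORE + """
server { listen 80; server_name www.psykolog.nu; return 301 https://$host$request_uri; }
server { listen 443 ssl; server_name www.psykolog.nu; ssl_certificate /certs/psykolog.nu.crt; }
"""

def parse_servers(conf):
    """Parse flat server blocks (no nested braces or comments) into dicts."""
    servers = []
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        srv = {"listen": {}, "names": [], "cert": None}
        for parts in (d.split() for d in body.split(";") if d.strip()):
            if parts[0] == "listen":  # map port -> carries default_server flag?
                srv["listen"][int(parts[1].rsplit(":", 1)[-1])] = "default_server" in parts
            elif parts[0] == "server_name":
                srv["names"] += [n.lower() for n in parts[1:]]
            elif parts[0] == "ssl_certificate":
                srv["cert"] = parts[1]
        servers.append(srv)
    return servers

def select_server(servers, port, host):
    """nginx's choice, simplified: exact name, else default_server, else first block."""
    on_port = [s for s in servers if port in s["listen"]]
    if not on_port:
        return None, "no listener"
    for s in on_port:
        if host.lower() in s["names"]:
            return s, "exact server_name"
    for s in on_port:
        if s["listen"][port]:
            return s, "default_server"
    return on_port[0], "first block on port"

def audit(conf, hosts, ports=(80, 443)):
    """Return (host, port, reason, cert) for requests not served by their own vhost."""
    servers = parse_servers(conf)
    picks = [(h, p) + select_server(servers, p, h) for p in ports for h in hosts]
    return [(h, p, why, s and s["cert"]) for h, p, s, why in picks if why != "exact server_name"]
```

Running `audit(BEFORE, ["psykolog.nu", "www.psykolog.nu"])` flags the www name on both ports; the same call on `AFTER` returns an empty list.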