NGINX 403 Forbidden Error


#1

Hello,

I installed letsencrypt for Nginx, but now when I connect with https://mydomain.com I get a 403 Forbidden Error from nginx, while when I connect with http://mydomain.com everything works fine.

server {
    listen 443 ssl;

    root   /srv/users/serverpilot/apps/mydomain/public;
    index index.php index.html index.htm;
    # Make site accessible from http://localhost/
    server_name  mydomain.com www.mydomain.com;
    # if you are using hhvm, otherwise include your standard php config or whatever
    #include hhvm.conf;
    location / {
         try_files $uri $uri/ /index.php$is_args$args;
    }
    ssl on;
    ssl_certificate /etc/letsencrypt/live/mydomain.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_session_timeout 5m;

}

I hope someone can help me out


#2

Seeing the working server section for comparison might help.


#3

Can nobody help? I can't understand why this problem is there.


#4

As jhass says, seeing the working (http) section for comparison might help.

For example, is there a typo in "/srv/users/serverpilot/apps/mydomain/public"? It's impossible to say without checking against the working version. The error does say permissions rather than "not found". Is there any separate firewall issue (maybe port 80 is open, but not port 443)? Is the server actually listening on port 443 (worth checking)? Has the nginx server got permission to see / read the files at /etc/letsencrypt/live/?


#5

try to point at fullchain.pem

ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;


#6

Ok, let’s check it out…

ssl.conf

## Listen on 443 only
listen 443 ssl;

## Turn off support for old, broken and insecure stuff
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
## Solves problem with weak Diffie-Hellman - https://weakdh.org/sysadmin.html
ssl_dhparam /etc/ssl/dhparams.pem;

## HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

## OCSP
ssl_stapling on;
ssl_stapling_verify on;

example.com

server {
  root /var/www/example.com;
  server_name example.com;
  index index.html;
  error_log /var/www/example.com/error.log;
  access_log off;

  ## Certificates
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ## Common SSL config
  include ssl.conf;

  location / {
    try_files $uri $uri/ /index.html$is_args$args;
  }
}

I hope it helps. This is the basic configuration I'm using (and it works). I had a small issue with my WordPress security config, which prevents anyone from accessing any path starting with a dot. So I've added the following code, which removed that problem.

location ~ /\.well-known {
  #allow all;
  deny all;
}

When I'm about to verify a new domain for a WordPress installation, I simply switch deny for allow, reload the server, run Let's Encrypt, and when it's done I put it back to deny. It may not be sophisticated, enterprise or robust, but it's simple and does what I need :wink:

Oh, and just in case you have not checked it yet, /var/log/nginx (usually) contains an error.log file, which should contain the reason for your 403 error.
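The deny/allow toggling above can be avoided by using nginx's location precedence: a `^~` prefix location wins over every regex location, so an `allow`ed challenge path declared that way is never swallowed by a `location ~ /\.` deny. The configuration below is an added example, not the poster's or ServerPilot's config; it assumes example.com, a document root of /var/www/example.com, the same ssl.conf include as the post above, and a php-fpm socket at /run/php/php-fpm.sock. It also shows the two things the original post's https block lacked: `listen 443 ssl;` without the redundant `ssl on;`, and a PHP handler location, since without one nginx treats .php files as static content and serves their source.

```nginx
# Added example (not from the thread). Assumed names: example.com,
# /var/www/example.com, /run/php/php-fpm.sock, ssl.conf as in the post above.

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;

    # Keep http-01 challenges reachable over plain HTTP so renewals work,
    # then send everything else to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;   # "ssl on;" is redundant with this and deprecated
    server_name example.com www.example.com;
    root /var/www/example.com;
    index index.php index.html;

    # fullchain.pem = leaf + intermediate; chain.pem = intermediate only,
    # which is what ssl_stapling_verify needs to validate the OCSP response.
    ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include ssl.conf;

    # ^~ is a prefix match that takes precedence over the regex locations
    # below, so the dot-file deny never blocks the challenge directory and
    # nothing has to be toggled at renewal time.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
    }

    # Every other dot-path (.git, .env, .htaccess, .user.ini, ...) stays closed.
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Without this block nginx serves .php files as plain downloads.
    # try_files =404 stops PATH_INFO tricks like /uploads/x.jpg/evil.php.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After `nginx -t` and a reload, `curl -I http://example.com/.well-known/acme-challenge/test` should return 404 (path reachable, file absent) rather than 403, and `curl -I https://example.com/.git/config` should return 403.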


#7

Thanks dude but I still have this problem and the error.log shows nothing.


#8

Please share the nginx configuration you use for http, i.e. the server block with `listen 80;`, so we can compare it to what you have for https. This is unlikely to be related to Let's Encrypt directly.


#9

###############################################################################
# DO NOT EDIT THIS FILE.
###############################################################################
# If you modify this file in any way, you will no longer receive automatic
# nginx security updates.
# For information on how to customize nginx settings, see:
# https://serverpilot.io/community/articles/customize-nginx-settings.html
###############################################################################

error_log /var/log/nginx-sp/error.log;
pid /var/run/nginx-sp.pid;
include /etc/nginx-sp/core.d/*.conf;

events {
multi_accept on;
use epoll;
include /etc/nginx-sp/events.d/*.conf;
}

http {
include mime.types;
default_type application/octet-stream;
server_tokens off;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" '
                  '$request_length $request_time '
                  '"$upstream_response_length" "$upstream_response_time"';
access_log  /var/log/nginx-sp/access.log  main;
server_names_hash_max_size 65536;
server_names_hash_bucket_size 1024;  # Max length of domain names.
types_hash_max_size 2048;

sendfile        on;
gzip         on;
# text/html does not need to be listed as it is always included by nginx.
# WOFF files are already compressed, so application/x-font-woff is not needed.
gzip_types   text/plain text/css application/json
             text/javascript application/javascript application/x-javascript
             text/xml application/xml application/xml+rss image/svg+xml
             application/vnd.ms-fontobject application/x-font-ttf font/opentype;
gzip_vary    on;
gzip_disable "msie6";
# CloudFlare proxy addresses.
# Do not modify this list. If you believe the CloudFlare proxy address list is
# out of date, please contact support@serverpilot.io.
set_real_ip_from    199.27.128.0/21;
set_real_ip_from    173.245.48.0/20;
set_real_ip_from    103.21.244.0/22;
set_real_ip_from    103.22.200.0/22;
set_real_ip_from    103.31.4.0/22;
set_real_ip_from    141.101.64.0/18;
set_real_ip_from    108.162.192.0/18;
set_real_ip_from    190.93.240.0/20;
set_real_ip_from    188.114.96.0/20;
set_real_ip_from    197.234.240.0/22;
set_real_ip_from    198.41.128.0/17;
set_real_ip_from    162.158.0.0/15;
set_real_ip_from    104.16.0.0/12;
set_real_ip_from    172.64.0.0/13;
set_real_ip_from    2400:cb00::/32;
set_real_ip_from    2606:4700::/32;
set_real_ip_from    2803:f800::/32;
set_real_ip_from    2405:b500::/32;
set_real_ip_from    2405:8100::/32;
real_ip_header      X-Forwarded-For;
include /etc/nginx-sp/conf.d/*.conf;
include /etc/nginx-sp/http.d/*.conf;
include /etc/nginx-sp/vhosts.d/*.conf;

}

You mean that?


#10

Looks like this is generated by some kind of third-party tool, but it's definitely different from your SSL server block. I'm not sure if this is relevant to you, but SSL configuration seems to work differently with ServerPilot: https://serverpilot.io/community/articles/how-to-install-an-ssl-certificate-on-your-site.html

If that doesn't get you anywhere, I'd look into deleting the nginx config file you created and instead changing the files in /etc/nginx-sp/vhosts.d/, adding the SSL listen directive, certificate and cipher configuration to some file in there. I can't tell you if that will break anything else though, since ServerPilot might expect those files not to be changed manually.