I installed letsencrypt for Nginx, but now when I connect with https://mydomain.com I get a 403 Forbidden error from nginx, while when I connect with http://mydomain.com everything works fine.
server {
    listen 443 ssl;
    root /srv/users/serverpilot/apps/mydomain/public;
    index index.php index.html index.htm;
    # Make site accessible from http://localhost/
    server_name mydomain.com www.mydomain.com;
    # if you are using hhvm, otherwise include your standard php config or whatever
    #include hhvm.conf;
As jhass says, seeing the working (http) section for comparison might help.
For example, is there a typo in “/srv/users/serverpilot/apps/mydomain/public”? It’s impossible to say without checking against the working version. The error does say permissions rather than a “not found”. Is there any separate firewall issue (maybe port 80 is open, but not port 443)? Is the server actually listening on port 443 (worth checking)? Has the server NGINX got permission to see/read the files at /etc/letsencrypt/live/?
server {
    root /var/www/example.com;
    server_name example.com;
    index index.html;
    error_log /var/www/example.com/error.log;
    access_log off;

    ## Certificates
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

    ## Common SSL config
    include ssl.conf;

    location / {
        try_files $uri $uri/ /index.html$args;
    }
}
I hope it helps. This is the basic configuration I’m using (and it works). I had a small issue with my WordPress security config, which was preventing anyone from accessing any query starting with a dot. So I’ve added the following code, which removed that problem.
When I’m about to verify a new domain for a WordPress installation, I simply switch deny for allow, reload the server, run Let’s Encrypt and, when it’s done, I put it back to deny. It may not be sophisticated, enterprise or robust, but it’s simple and does what I need.
Oh, and just in case you have not checked it yet, in /var/log/nginx (mostly) there is an error.log file, which should contain the reason for your 403 error.
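A triage script for the checks suggested in this thread (is anything listening on 443, can nginx read the web root and the files under /etc/letsencrypt/live/, and what error.log says about the 403). This is an added example, not something posted in the thread; the worker user www-data, the paths and the sample log lines are assumptions or constructed for the dry run.

```shell
#!/usr/bin/env bash
# Triage helper for "403 on https://, works on http://" after enabling Let's Encrypt on nginx.
# Added example, not from the thread. Paths, the worker user (www-data) and the sample
# log lines are assumptions/constructed; adjust them to your server.
# Map one nginx error.log line to the usual cause of a 403 (the matched strings are nginx's own).
explain_403_line() {
  case "$1" in
    *"directory index of"*"is forbidden"*)
      echo "no index file in root and autoindex off: compare root/index of the 443 and 80 blocks" ;;
    *"failed (13: Permission denied)"*)
      echo "worker user cannot read the path: check owner/mode of the web root" ;;
    *"access forbidden by rule"*)
      echo "an allow/deny or location rule blocks it (e.g. a dot-file rule catching /.well-known)" ;;
    *) echo "unrecognised" ;;
  esac
}
# Read error.log lines on stdin; print each recognised 403 (without client details) and its cause.
triage_log() {
  while IFS= read -r line; do
    why=$(explain_403_line "$line")
    if [ "$why" != "unrecognised" ]; then
      printf '%s\n  -> %s\n' "${line%%, client:*}" "$why"
    fi
  done
}
# Is anything listening on TCP 443? If not, the 403 is not coming from this vhost at all.
listening_on_443() { ss -ltn 2>/dev/null | awk 'NR>1 {print $4}' | grep -q ':443$'; }
# Can USER read every PATH? The web root must be readable by the worker user; the
# certificate and key under /etc/letsencrypt/live/ are read by the master process as root.
readable_as() {
  user=$1; shift
  for p in "$@"; do
    sudo -u "$user" test -r "$p" || { echo "not readable by $user: $p"; return 1; }
  done
}

# Constructed sample lines (not real log output) so the classifier can be dry-run offline.
SAMPLE_LOG='2016/01/10 12:00:01 [error] 1234#0: *1 directory index of "/srv/users/serverpilot/apps/mydomain/public/" is forbidden, client: 203.0.113.5, server: mydomain.com, request: "GET / HTTP/1.1"
2016/01/10 12:00:02 [error] 1234#0: *2 open() "/srv/users/serverpilot/apps/mydomain/public/index.php" failed (13: Permission denied), client: 203.0.113.5, server: mydomain.com, request: "GET /index.php HTTP/1.1"
2016/01/10 12:00:03 [error] 1234#0: *3 access forbidden by rule, client: 203.0.113.5, server: mydomain.com, request: "GET /.well-known/acme-challenge/token HTTP/1.1"'

if [ "${1:-}" = "--live" ]; then   # real checks: run as root on the affected server
  listening_on_443 && echo "something listens on :443" || echo "nothing listens on :443"
  readable_as www-data /srv/users/serverpilot/apps/mydomain/public
  readable_as root /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem
  tail -n 200 /var/log/nginx/error.log | triage_log
else                                # dry run on the constructed sample
  printf '%s\n' "$SAMPLE_LOG" | triage_log
fi
```

Without arguments the script only classifies the constructed sample; with --live it runs the checks against the real server and the last 200 lines of error.log.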
Please share the nginx configuration you use for http, i.e. the server block with listen 80; so we can compare it to what you have for https. This is unlikely to be related to Let’s Encrypt directly.
server_names_hash_max_size 65536;
server_names_hash_bucket_size 1024; # Max length of domain names.
types_hash_max_size 2048;
sendfile on;
gzip on;
# text/html does not need to be listed as it is always included by nginx.
# WOFF files are already compressed, so application/x-font-woff is not needed.
gzip_types text/plain text/css application/json
           text/javascript application/javascript application/x-javascript
           text/xml application/xml application/xml+rss image/svg+xml
           application/vnd.ms-fontobject application/x-font-ttf font/opentype;
gzip_vary on;
gzip_disable "msie6";
# CloudFlare proxy addresses.
# Do not modify this list. If you believe the CloudFlare proxy address list is
# out of date, please contact support@serverpilot.io.
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
real_ip_header X-Forwarded-For;
include /etc/nginx-sp/conf.d/*.conf;
include /etc/nginx-sp/http.d/*.conf;
include /etc/nginx-sp/vhosts.d/*.conf;
If that doesn’t get you anywhere, I’d look into deleting the nginx config file you created and changing files in /etc/nginx-sp/vhosts.d/ by adding the SSL listen directive, certificate and cipher configuration in some file in there. I can’t tell you if that will break anything else though, since ServerPilot might expect the files not to be changed manually.