Nginx- New Certificate Obtained but Not In Use

I can hit my webserver locally at both http://fathomthat.org and https://fathomthat.org

Externally http works, https results in ERR_EMPTY_RESPONSE

here is my /etc/nginx/sites-available/default

server {
    listen 80;
    server_name fathomthat.org www.fathomthat.org;
    listen 443 ssl;
    listen [::]:443 ssl default_server;

    include snippets/ssl-fathomthat.org.conf;
    include snippets/ssl-params.conf;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # With php7.0-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php7.0-fpm:
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
    location ~ /.well-known {
        allow all;
    }
    location ~ /glype/ {
        allow all;
    }
}

nginx -t results in success.

no errors under nginx/error.log

ssl-fathomthat.org.conf

ssl_certificate /etc/letsencrypt/live/fathomthat.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fathomthat.org/privkey.pem;

ssl-params.conf

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Not sure if this will help, but the website only supports TLSv1.0
and has a self-signed cert - not the expected “/etc/letsencrypt/live/fathomthat.org/fullchain.pem”:
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----

any suggestions on how to fix that? I used certbot to create the cert, not sure what to do.

restart the web server so it uses the new certificates?

Andrei

I’ve restarted web server probably 50+ times, and physical server multiple times as well.

I suggest grep -r ^ssl_cert /etc/nginx to see if there are other configuration files with potentially conflicting definitions (that point to the self-signed cert).

That resulted in

/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/snippets/ssl-fathomthat.org.conf:ssl_certificate /etc/letsencrypt/live/fathomthat.org/fullchain.pem;
/etc/nginx/snippets/ssl-fathomthat.org.conf:ssl_certificate_key /etc/letsencrypt/live/fathomthat.org/privkey.pem;

I deleted snakeoil.conf and the snakeoil.pem &.key files completely from the system, restarted nginx. No change.

Can you run this command?

openssl x509 -text -noout -in /etc/letsencrypt/live/fathomthat.org/cert.pem

Also I shouldn’t really have had the ^ there because there could be spaces or tabs before the directive.

Maybe just grep -r ssl_cert /etc/nginx will turn up other relevant configuration directives.
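The grep suggested above finds every line containing ssl_cert, including the two comment lines it later turns up in sites-available/default, and the first version with ^ would have missed indented directives. The following scanner is an added example, not code from the thread or from nginx: it walks a configuration tree (defaulting to /etc/nginx), skips comment lines, matches the directive regardless of leading whitespace, and lists every distinct value each directive is given, so a stray snippet still pointing at the Debian snakeoil certificate stands out next to the Let's Encrypt one. The two sample snippets embedded at the bottom are constructed to mirror the thread's grep output.

```python
"""Scan an nginx configuration tree for active ssl_certificate directives.

Added example, not part of the thread. Unlike a plain grep it ignores
comment lines and tolerates indentation, then groups the values each
directive is given so conflicting definitions across files are visible.
"""
import os
import re

# Directive name after optional leading whitespace, value up to the ';'.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_certificate(?:_key)?)\s+([^;]+);")


def find_ssl_directives_in_text(text, filename="<inline>"):
    """Return [(filename, lineno, directive, value)] for active directives.

    Lines whose first non-blank character is '#' are comments and are
    skipped; that is what distinguishes this from grep -r ssl_cert.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            hits.append((filename, lineno, m.group(1), m.group(2).strip()))
    return hits


def find_ssl_directives(conf_root="/etc/nginx"):
    """Walk a configuration directory and collect hits from every file."""
    hits = []
    for dirpath, _dirs, files in os.walk(conf_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(find_ssl_directives_in_text(fh.read(), path))
            except OSError:
                continue  # unreadable file (permissions, socket, ...)
    return hits


def distinct_values(hits):
    """Map each directive to the set of distinct values it receives.

    Several values are not necessarily wrong (different server blocks, or
    an RSA plus an ECDSA certificate), but each one deserves a look when a
    server is serving an unexpected certificate.
    """
    values = {}
    for _file, _line, directive, value in hits:
        values.setdefault(directive, set()).add(value)
    return {d: v for d, v in values.items() if len(v) > 1}


# Constructed samples mirroring the thread: one snippet still references the
# Debian snakeoil certificate, the other the Let's Encrypt files.
SAMPLE_SNAKEOIL = """\
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
"""
SAMPLE_LE = """\
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/fathomthat.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fathomthat.org/privkey.pem;
"""


def demo():
    """Run the scanner over the two constructed snippets."""
    hits = (find_ssl_directives_in_text(SAMPLE_SNAKEOIL, "snippets/snakeoil.conf")
            + find_ssl_directives_in_text(SAMPLE_LE, "snippets/ssl-fathomthat.org.conf"))
    return distinct_values(hits)


if __name__ == "__main__":
    for directive, values in demo().items():
        print(f"{directive} has {len(values)} distinct values:")
        for v in sorted(values):
            print("   ", v)
```

On a real host call find_ssl_directives() and pass the result to distinct_values(); the demo only exercises the constructed snippets.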

openssl x509 -text -noout -in /etc/letsencrypt/live/fathomthat.org/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:b0:6f:28:80:47:bd:9a:df:6a:f5:69:ba:e0:46:5a:bb:3c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jun 4 22:14:00 2017 GMT
            Not After : Sep 2 22:14:00 2017 GMT
        Subject: CN=fathomthat.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:92:bb:09:f1:33:35:78:07:79:92:cf:27:cf:
                    cc:b7:fe:1d:56:bf:98:fb:20:ca:0b:27:93:6a:4c:
                    b3:0d:5c:24:01:d3:69:45:17:28:1a:88:33:83:bc:
                    36:13:a7:81:cc:9c:a0:b1:e1:50:6b:47:bf:c5:ec:
                    88:1b:03:73:f5:5d:3e:af:dd:0e:52:fa:af:a0:a8:
                    5b:3b:d7:b3:50:65:86:b1:f5:0c:f3:d5:89:89:30:
                    5a:26:50:79:96:a8:eb:7c:23:98:af:18:3d:e1:cf:
                    23:50:a9:80:c2:f3:d2:c1:9c:57:13:4c:f1:c8:04:
                    8c:74:44:f7:2e:fe:eb:c5:1d:bd:08:45:fd:9c:56:
                    f1:e1:89:78:cf:61:01:1a:30:91:c8:27:72:2a:3d:
                    a0:b0:86:56:e1:87:c9:f1:45:52:f5:71:1d:e1:1e:
                    6b:83:fa:b6:46:5c:86:4e:d9:18:1e:b0:3a:4d:06:
                    01:60:8f:52:1e:58:f7:b1:a9:52:3a:00:29:ac:18:
                    32:69:93:95:26:1a:d9:c1:ff:6d:74:50:30:a2:18:
                    ad:6a:9d:96:7a:71:15:6b:5a:1f:ba:0f:ae:d6:4c:
                    c3:88:b2:37:b4:2a:df:1e:92:a3:ad:72:12:93:3c:
                    1c:7a:4f:de:f5:30:02:84:aa:41:e9:88:c5:6c:70:
                    19:d3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                0E:12:54:F4:17:49:D3:29:F9:BD:65:39:F2:2C:85:D7:8E:8B:4E:B6
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:fathomthat.org, DNS:www.fathomthat.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    Signature Algorithm: sha256WithRSAEncryption
         60:60:29:2c:17:ed:70:57:11:bf:b4:02:f1:b6:54:f5:20:fc:
         da:85:10:8e:73:ef:cd:12:b1:8c:b9:85:fd:26:f3:82:b6:8d:
         32:cb:0d:eb:c4:7b:d4:73:77:55:8d:52:7c:54:d4:23:45:da:
         38:88:b3:e4:a2:9d:b9:ed:d7:f3:c2:5c:38:bd:eb:71:af:39:
         fb:d7:ff:0b:a5:23:3d:9b:70:f7:ba:ab:2f:25:56:3f:c0:82:
         53:ea:90:dc:3a:2e:6b:4f:0f:21:86:74:f6:5d:2e:0e:95:b4:
         d0:72:fd:ff:45:9d:df:b7:b2:e9:34:cd:7e:b7:36:1d:03:b1:
         92:6f:7f:b4:12:c6:f0:14:78:81:df:15:04:43:58:89:d6:b2:
         ab:00:7d:e4:ad:29:32:96:55:ea:67:ea:1f:05:d1:1f:78:10:
         e0:e3:7a:bf:f6:b3:b8:3e:f8:dc:2e:d4:db:15:c4:f9:85:9c:
         48:d5:2a:a9:59:df:78:01:3a:55:60:30:a6:9b:58:a9:99:7a:
         c0:99:01:d2:50:32:59:a9:ac:b4:32:16:32:78:f5:e6:25:1f:
         58:0d:c4:5b:c4:9b:ec:e2:f7:d7:b3:18:4e:99:31:f6:12:1e:
         54:4a:a3:62:a9:e0:3a:f7:d1:8e:62:53:7f:4b:c2:36:89:57:
         63:b1:cb:41

grep -r ssl_cert /etc/nginx
/etc/nginx/sites-available/default: # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
/etc/nginx/sites-available/default: ssl_certificate /etc/letsencrypt/live/fathomthat.org/fullchain.pem;
/etc/nginx/sites-available/default: ssl_certificate_key /etc/letsencrypt/live/fathomthat.org/privkey.pem;
/etc/nginx/sites-available/default: # fetch OCSP records from URL in ssl_certificate and cache them
/etc/nginx/snippets/ssl-fathomthat.org.conf:ssl_certificate /etc/letsencrypt/live/fathomthat.org/fullchain.pem;
/etc/nginx/snippets/ssl-fathomthat.org.conf:ssl_certificate_key /etc/letsencrypt/live/fathomthat.org/privkey.pem;

Try my howto guide: https://www.magwinya.co.za/install-letsencrypt-nginx if no joy. Let me know.

good guide, but that’s pretty much exactly how I did it previously, so there’s nothing for me to change.

Change this part of your nginx server block:

location / {
try_files $uri $uri/ =404;
}

to

location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}

It should work!

There also ought to be an error log from nginx showing why the TLS connection is failing (perhaps in /var/log/nginx).

Finally, I am not entirely persuaded that the TLS connections are reaching your nginx server at all, as opposed to some kind of firewall or proxy. Compare this thread:

The self-signed cert that can still be obtained is also from "Mini Webservice Ltd" which seems like it's probably the same appliance.
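The suspicion above, that external port 443 is answered by a different device than the one serving locally, can be checked mechanically by fetching the certificate an outside client actually receives and comparing its fingerprint with the leaf certificate in the fullchain.pem nginx is configured with. The following is an added example, not code from the thread: it uses only the Python standard library, and the PEM blobs used by its demo are constructed placeholders (base64 of short byte strings), which is enough to exercise the fingerprint comparison offline; with a real host it would fetch the served certificate over the network.

```python
"""Compare the certificate a TLS client receives with the one nginx is configured to serve.

Added example, not part of the thread. A match between the served leaf and
the configured leaf means the connection reached nginx; a mismatch (or a
handshake failure) means something in front of it, such as a port forward
to another appliance, is answering port 443 instead.
"""
import base64
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def sha256_fingerprint(pem):
    """SHA-256 fingerprint of one PEM certificate, colon-separated like openssl."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def first_cert(pem_bundle):
    """Return only the first (leaf) certificate of a bundle such as fullchain.pem."""
    start = pem_bundle.index(PEM_BEGIN)
    end = pem_bundle.index(PEM_END, start) + len(PEM_END)
    return pem_bundle[start:end] + "\n"


def served_certificate(host, port=443):
    """Fetch the leaf certificate presented for host (network call).

    Verification is intentionally not required: the point is to see what is
    being served, even if it is self-signed or issued to another name.
    Returns None when the handshake itself fails, which is a finding of its
    own (e.g. a peer that only speaks TLS 1.0 against modern client defaults).
    """
    try:
        return ssl.get_server_certificate((host, port))
    except (ssl.SSLError, OSError):
        return None


def compare_leaf(local_fullchain_pem, served_pem):
    """Return (match, local_fp, served_fp); served_fp is None if nothing was served."""
    local_fp = sha256_fingerprint(first_cert(local_fullchain_pem))
    if served_pem is None:
        return (False, local_fp, None)
    served_fp = sha256_fingerprint(first_cert(served_pem))
    return (local_fp == served_fp, local_fp, served_fp)


def constructed_pem(payload):
    """Build a placeholder PEM block from raw bytes (constructed test data, not a real cert)."""
    body = base64.encodebytes(payload).decode("ascii")
    return PEM_BEGIN + "\n" + body + PEM_END + "\n"


def demo():
    """Offline illustration with constructed blobs: configured leaf vs. something else."""
    configured = constructed_pem(b"constructed-lets-encrypt-leaf") + constructed_pem(b"constructed-intermediate")
    served_by_appliance = constructed_pem(b"constructed-self-signed-cert")
    return compare_leaf(configured, served_by_appliance)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py HOST /etc/letsencrypt/live/HOST/fullchain.pem
        with open(sys.argv[2]) as fh:
            match, local_fp, served_fp = compare_leaf(fh.read(), served_certificate(sys.argv[1]))
    else:
        match, local_fp, served_fp = demo()
    print("configured:", local_fp)
    print("served:    ", served_fp or "handshake failed")
    print("MATCH" if match else "MISMATCH: port 443 is not reaching this nginx")
```

Run it once from the LAN and once from outside; when the local run matches and the external run does not, the difference is in the path, not in nginx. Because ssl.get_server_certificate negotiates with the interpreter's OpenSSL defaults, a peer limited to TLS 1.0 often fails the handshake rather than returning a certificate, which is why a None result is reported instead of raising.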

Well, I feel dumb. After you mentioned that I went and double checked. I just had an AT&T U-verse wireless STB device installed the other day; after googling and reading that post, apparently it automatically adds a forwarding rule on their gateway to the STB box on port 443. So, even though I had all traffic being forwarded to my Ubiquiti EdgeRouter, it had overwritten port 443.

I deleted it and the problem is now Resolved.

Thank you all very much for the help.

I suppose that wireless device matches the certificate I posted earlier: "Mini Webservice Ltd"
I would have shown the picture but I’m not aware of how to post pictures (yet - yes I’m a noob here).

But grats!
All’s well that ends well.
