Nginx non-SSL domains not working but SSL domains do?


#1

Hi All

Many thanks in advance for any help :slight_smile:

I have a server in AWS EC2 running Ubuntu with Nginx and 10+ domains. All was working fine until I wanted to add a new domain with SSL.

I used the wrong setup guide, which said I needed to stop the Nginx service, and for some reason that deleted my /etc/nginx/sites-available/ DIR, so I lost all my domain config files :sob::rage:

I have re-created the config files as I thought I had done before, for both the SSL and non-SSL domains. The SSL domains seem to be working, but the non-SSL domains will not work: I get a cert error where the non-SSL domain seems to be picking up the cert from the base SSL domain.

Hope that makes sense? See the example from Google Chrome below when I try to access one of the non-SSL domains:

Your connection is not private
Attackers might be trying to steal your information from www.non-ssl-domain-1.co.uk (for example, passwords, messages or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is www.non-ssl-domain-1.co.uk; its security certificate is from ssl-domain-1.co.uk. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to www.non-ssl-domain-1.co.uk (unsafe)

If I click on "Proceed to www.non-ssl-domain-1.co.uk (unsafe)" it then redirects me to ssl-domain-1.co.uk.

Could someone take a look at my config files and let me know where I'm going wrong, please?

SSL nginx config file for one of the domains

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name ssl-domain-1.co.uk www.ssl-domain-1.co.uk;

    include /etc/nginx/snippets/letsencrypt.conf;

    location / {
        return 301 https://www.ssl-domain-1.co.uk$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ssl-domain-1.co.uk;

    ssl_certificate /etc/letsencrypt/live/ssl-domain-1.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ssl-domain-1.co.uk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/ssl-domain-1.co.uk/fullchain.pem;

    include /etc/nginx/snippets/ssl-params.conf;

    location / {
        return 301 https://www.ssl-domain-1.co.uk$request_uri;
    }
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server ipv6only=on;

    server_name www.ssl-domain-1.co.uk;

    ssl_certificate /etc/letsencrypt/live/ssl-domain-1.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ssl-domain-1.co.uk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/ssl-domain-1.co.uk/fullchain.pem;

    include /etc/nginx/snippets/ssl-params.conf;

    root /var/www/ssl-domain-1.co.uk/html;
    index index.php index.html;
    location / {
        try_files $uri $uri/ =404;
    }

    location ~ /\.ht {
        deny all;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}

Non SSL nginx config file for one of the domains

server {
    listen 80;
    listen [::]:80;

    root /var/www/non-ssl-domain-1.co.uk/html;
    index index.php index.html index.htm;

    server_name non-ssl-domain-1.co.uk www.non-ssl-domain-1.co.uk;

    location /xmlrpc.php {
        deny all;
    }
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
    location ~ /.well-known {
        allow all;
    }
    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }
}

Kind regards
Simon


#2

Hi @TheStig

What's your domain name? It's often not possible to find errors without checking your domain.


#3

Hi Juergen

Thanks for posting back to me. The non-SSL domains are
http://www.pathwayscottage.co.uk
and
http://www.paulmarvinjoineryandupvc.co.uk

The base SSL domain is https://www.bra-shop.co.uk/

All are running WordPress.

Kind regards
Simon


#4

There, the certificate ( https://check-your-website.server-daten.de/?q=pathwayscottage.co.uk ) from

CN=bra-shop.co.uk
	21.01.2019
	21.04.2019
	bra-shop.co.uk, www.bra-shop.co.uk - 2 entries

is installed. Same with your second domain ( https://check-your-website.server-daten.de/?q=paulmarvinjoineryandupvc.co.uk ).

But your config uses only

ssl_certificate /etc/letsencrypt/live/ssl-domain-1.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ssl-domain-1.co.uk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/ssl-domain-1.co.uk/fullchain.pem;

so all three domain names use the same certificate.

You should create two new vHosts with separate certificate entries.


#5

Hi Juergen

The cert I had for http://www.pathwayscottage.co.uk never installed correctly, and it was this cert I had been trying to install again when the /etc/nginx/sites-available/ DIR was deleted with all the domain config files :frowning:

The two config file examples I posted had the domain names changed.

Re this domain: it has never had SSL, and each domain that has SSL has its own cert, please see below.

Same with your second domain ( https://check-your-website.server-daten.de/?q=paulmarvinjoineryandupvc.co.uk ).

But your config uses only

ssl_certificate /etc/letsencrypt/live/ssl-domain-1.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ssl-domain-1.co.uk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/ssl-domain-1.co.uk/fullchain.pem;

paulmarvinjoineryandupvc.co.uk has not had an SSL cert; I never set this domain up to use SSL. It worked OK before the config files were deleted, but since then it redirects to www.bra-shop.co.uk.

Each SSL domain has its own certs:

bra-shop.co.uk
Has
ssl_certificate /etc/letsencrypt/live/bra-shop.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bra-shop.co.uk/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/bra-shop.co.uk/fullchain.pem;

totalsportsgear.co.uk
Has
ssl_certificate /etc/letsencrypt/live/totalsportsgear.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/totalsportsgear.co.uk/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/totalsportsgear.co.uk/fullchain.pem;

Hope I am making sense.
Any non-SSL domain is giving a 301 and redirecting to bra-shop.co.uk, when it should be showing the non-SSL domain's content and not redirecting.

Kind regards
Simon


#6

But then remove the redirects, if you don't want them.

I thought, the redirects were intended.


#7

Hi Juergen

No, I thought that the 301 was only for the domain bra-shop.co.uk, to force any non-SSL request for that domain to the SSL version of bra-shop.co.uk.

I have removed the 301 from that config file and set the non-SSL config files back to how I had them yesterday, but the domain then gives a 404? Here is the config for

www.paulmarvinjoineryandupvc.co.uk
server {
    listen 80;
    listen [::]:80;

    server_name paulmarvinjoineryandupvc.co.uk www.paulmarvinjoineryandupvc.co.uk;

    root /var/www/paulmarvinjoineryandupvc.co.uk/html;
    index index.php index.html index.htm;

    location /xmlrpc.php {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
    location ~ /.well-known {
        allow all;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }
}

Here is the config for bra-shop.co.uk
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bra-shop.co.uk;

    ssl_certificate /etc/letsencrypt/live/bra-shop.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bra-shop.co.uk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/bra-shop.co.uk/fullchain.pem;

    include /etc/nginx/snippets/ssl-params.conf;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.bra-shop.co.uk;

    ssl_certificate /etc/letsencrypt/live/bra-shop.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bra-shop.co.uk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/bra-shop.co.uk/fullchain.pem;

    include /etc/nginx/snippets/ssl-params.conf;

    root /var/www/bra-shop.co.uk/html;
    index index.php index.html;
    location / {
        try_files $uri $uri/ =404;
    }

    location ~ /\.ht {
        deny all;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}

#8

This file has two server blocks.
Both serving the same name.
One has a root but the other one doesn’t.
I think you should combine them into just one block (deleting duplicate lines).
And use either:

  1. server_name bra-shop.co.uk www.bra-shop.co.uk;
    or
  2. server_name bra-shop.co.uk;
    server_name www.bra-shop.co.uk;

[whichever works with your version - think the second way is best]
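
Pulling the advice in #4 (each site gets its own vHost and certificate) and #8 (one server block per site) together, here is a complete sites-enabled layout for this server. It is an editor's example added to the thread, not config posted by anyone above. It reuses the poster's own paths (the /var/www/<domain>/html roots, the letsencrypt.conf and ssl-params.conf snippets, the php7.0-fpm socket) and assumes one thing the thread never mentions: a self-signed placeholder certificate at /etc/nginx/ssl/default.crt and default.key, used only by the catch-all HTTPS server. The key change is the explicit catch-all pair at the top. In the config from #1 the default_server flag sat on the bra-shop blocks, so any hostname that matched no server_name on that port (a typo in a new vHost, a missing symlink in sites-enabled, a client trying https:// against a plain-HTTP site) was answered by bra-shop's 301 or bra-shop's certificate, which is exactly the NET::ERR_CERT_COMMON_NAME_INVALID and redirect behaviour reported at the start.

```nginx
# Added example, not the poster's config: /etc/nginx/sites-enabled layout for the server
# in this thread. Paths below are the poster's; /etc/nginx/ssl/default.{crt,key} is an
# assumed self-signed placeholder used only by the catch-all HTTPS server.

# --- 1. Catch-all servers: one explicit default_server per port ------------------
# A request whose Host header (port 80) or SNI name (port 443) matches no server_name
# below ends up here and the connection is closed (444). Nothing is redirected to, or
# served with the certificate of, a real site.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/default.crt;   # placeholder, never a real site's cert
    ssl_certificate_key /etc/nginx/ssl/default.key;
    return 444;
}

# --- 2. bra-shop.co.uk: HTTP redirects only its own names, HTTPS is a single block -
server {
    listen 80;
    listen [::]:80;
    server_name bra-shop.co.uk www.bra-shop.co.uk;
    include /etc/nginx/snippets/letsencrypt.conf;   # ACME http-01 challenge location
    location / {
        return 301 https://www.bra-shop.co.uk$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name bra-shop.co.uk www.bra-shop.co.uk;   # both names, one block (#8, option 1)

    ssl_certificate         /etc/letsencrypt/live/bra-shop.co.uk/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/bra-shop.co.uk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/bra-shop.co.uk/fullchain.pem;
    include /etc/nginx/snippets/ssl-params.conf;

    # Canonicalise the bare name to www inside the same block. An "if" that only tests
    # a variable and returns is the safe form of "if" in nginx.
    if ($host != "www.bra-shop.co.uk") {
        return 301 https://www.bra-shop.co.uk$request_uri;
    }

    root  /var/www/bra-shop.co.uk/html;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;   # WordPress permalinks
    }
    location ~ /\.ht { deny all; }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}

# --- 3. A plain-HTTP site: no default_server, no redirect, its own names only ------
server {
    listen 80;
    listen [::]:80;
    server_name paulmarvinjoineryandupvc.co.uk www.paulmarvinjoineryandupvc.co.uk;

    root  /var/www/paulmarvinjoineryandupvc.co.uk/html;
    index index.php index.html index.htm;

    location /xmlrpc.php { deny all; }
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ /\.ht { deny all; }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}
```

To create the placeholder certificate: `openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=invalid -keyout /etc/nginx/ssl/default.key -out /etc/nginx/ssl/default.crt`. Then `nginx -t` and reload, and check each site from outside: `curl -sI http://www.pathwayscottage.co.uk` should return 200 rather than 301, and `openssl s_client -connect <server-ip>:443 -servername www.pathwayscottage.co.uk </dev/null` should have the connection closed without bra-shop's certificate ever being presented. Only one block per address:port may carry default_server, so check with `grep -r default_server /etc/nginx/sites-enabled/` that none of the real sites still has it. On nginx 1.19.4 or newer, `ssl_reject_handshake on;` in the catch-all 443 block refuses the TLS handshake for unknown names outright and removes the need for the placeholder certificate.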