Nginx server shows 400 Bad Request after certificate generated

I successfully used certbot --nginx to generate my certificate on my Ubuntu 16.04 64 bit VPS. The domain is www.zozzxx.xyz. I chose “Easy - Allow both HTTP and HTTPS access to these sites”

However, when I access the domain in Firefox I get: “The page isn’t redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”

In Chrome, I get: “The plain HTTP request was sent to HTTPS port. 400 Bad Request.”

How can I rectify this error? Thanks. I imagine I need to edit some nginx files but I’m not sure what to change.

The “server block” shows:

#
# Note: This file must be loaded before other virtual host config files,
#
# HTTP
server {
    include /etc/nginx/sites-conf.d/default/*.conf;

    listen 443 ssl;

    server_name www.zozzxx.xyz;

    ssl on;
ssl_certificate /etc/letsencrypt/live/www.zozzxx.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.zozzxx.xyz/privkey.pem;	
 # managed by Certbot

http to https redirection happens in the vhost for http (listen 80)
you only show the vhost for https

you failed to mention that your sites’ IPs are using CloudFlare

and the only “working” connection redirects (back to itself) infinitely:
wget https://www.zozzxx.xyz/mail/
Resolving www.zozzxx.xyz (www.zozzxx.xyz)… 139.59.166.172
Connecting to www.zozzxx.xyz (www.zozzxx.xyz)|139.59.166.172|:443… connected.
HTTP request sent, awaiting response… 302 Moved Temporarily
Location: https://www.zozzxx.xyz/mail/ [following]
Reusing existing connection to www.zozzxx.xyz:443.
HTTP request sent, awaiting response… 302 Moved Temporarily
Location: https://www.zozzxx.xyz/mail/ [following]
Reusing existing connection to www.zozzxx.xyz:443.
HTTP request sent, awaiting response… 302 Moved Temporarily
Location: https://www.zozzxx.xyz/mail/ [following]
Reusing existing connection to www.zozzxx.xyz:443.
HTTP request sent, awaiting response… 302 Moved Temporarily
Location: https://www.zozzxx.xyz/mail/ [following]
Reusing existing connection to www.zozzxx.xyz:443.
HTTP request sent, awaiting response… 302 Moved Temporarily
Location: https://www.zozzxx.xyz/mail/ [following]
Reusing existing connection to www.zozzxx.xyz:443.

Rudy - thanks for your response. I appreciate it.

My VPS uses Nginx and, in /etc/nginx/sites-available/00-default.conf, I did add a vhost for HTTP 80. However, that created numerous other different errors.

I have, in /etc/nginx/sites-available.bak/default, the following code:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    server_name _;

I did edit and add this code to the 00-default.conf file but it made more of a mess than was the case previously. How would you edit this code (if this is, indeed, the correct code) so that I can include it in the 00-default.conf file?

You mentioned Cloudflare. My domain registrar DNS is pointed to Cloudflare and Cloudflare shows:

A www --> points to IP address.

A zozzxx.xyz --> points to IP address.

Is this wrong? Is this why I have the redirection? I can’t see how else I should set up Cloudflare.

Any other help you can provide would be warmly appreciated.

The code you show doesn’t include redirection.
Let’s begin a bit higher up…
Show:
ls -l /etc/nginx/sites-enabled/

Thanks for your help.

ls -l /etc/nginx/sites-enabled/ shows:

lrwxrwxrwx 1 root root 42 Jul 4 16:28 00-default.conf -> /etc/nginx/sites-available/00-default.conf
lrwxrwxrwx 1 root root 46 Jul 4 16:28 00-default-ssl.conf -> /etc/nginx/sites-available/00-default-ssl.conf

ok, show both of those (sites-enabled) files:
/etc/nginx/sites-enabled/00-default.conf
/etc/nginx/sites-enabled/00-default-ssl.conf

/etc/nginx/sites-enabled/00-default.conf

server {
include /etc/nginx/sites-conf.d/default/*.conf;

listen 443 ssl;
server_name www.zozzxx.xyz;
ssl on;

ssl_certificate /etc/letsencrypt/live/www.zozzxx.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.zozzxx.xyz/privkey.pem;

managed by Certbot

}

/etc/nginx/sites-enabled/00-default-ssl.conf

server {
include /etc/nginx/sites-conf.d/default-ssl/*.conf;
}

actually there are two ongoing issues:

ISSUE 1. the endless (looped) redirection:
All of that looks ok.
Unless there is something strange in either:
include /etc/nginx/sites-conf.d/default/.conf;
or
include /etc/nginx/sites-conf.d/default-ssl/
.conf;
(very low probability)

https://www.zozzxx.xyz/
returns:
<html><head><meta HTTP-EQUIV=“REFRESH” content=“0; url=/mail/”></head></html>
(which seems well enough; and not behind CloudFlare - using IP 139.59.166.172)
But it is using a self-signed cert - not one from LE.
This indicates that we have definitely missed something…

So, what is in the /var/www/html/mail/ folder that makes this loop?

ISSUE 2. error 400 on http://zozzxx.xyz/ and https://zozzxx.xyz/
This error is most likely corrected somewhere within the CloudFlare configuration.
Most likely the backend is misconfigured or inaccessible by CloudFlare.

I think the best thing is to reinstall and see what happens.

In terms of Issue 1, Firefox tells me that I do have a secure connection and that it is verified by Let’s Encrypt.

Also, there is no /mail folder at /var/www/html. Just:

-rw-r–r-- 1 root root 78 Jul 4 16:28 index.html
-rw-r–r-- 1 root root 612 Jul 4 16:26 index.nginx-debian.html
-rw-r–r-- 1 root root 26 Jul 4 16:28 robots.txt

Thanks again.

The looping is gone but:
https://zozzxx.xyz/
https://zozzxx.xyz/mail/
https://www.zozzxx.xyz/
https://www.zozzxx.xyz/mail/
(IP 178.62.8.107)
all return a self-signed cert:

The current situation is that I have one of two errors. In the first, I have a valid certificate but with unending 302 redirections (looping).

In the second, as you mention, I have a self-signed certificate but I can access the site.

Right now, I have set it to the looping. I have no idea how to resolve this. A search for Lets Encrypt 302 nginx doesn’t reveal anything. How can I have looping but a valid certificate or no looping but a self-signed certificate?

Well, those are two different aspects of web server configuration (at the HTTP protocol layer or at the TLS protocol layer, respectively).

Fair enough. I installed LE certs using certbot --nginx and it worked. The certs are in the /live/domain_name directory. But when I connect to my domain, the cert works but it creates a 302. If I disable the cert in Nginx, I can connect (no 302). The only reason I have a 302 is after Certbot created the certs and modified the 00-default,conf file.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.