No install errors, but getting ERR_CONNECTION_TIMED_OUT

Hi,

Ubuntu 16.04, Nginx, lightsail but I’ve been gleaning instructions from digitalocean and others.

/etc/nginx/conf.d/myconfig.conf
server {
    listen 443 ssl;
    server_name netplusdesign.net;

    ssl_certificate /etc/letsencrypt/live/netplusdesign.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/netplusdesign.net/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'log string of stuff';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    root /home/ubuntu/html/netplusdesign.net;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    # server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location ~ /.well-known {
        allow all;
    }
}

server {
    listen 80;
    server_name netplusdesign.net;
    return 301 https://$host$request_uri;
}

sudo letsencrypt certonly --webroot --force-renewal -w /home/ubuntu/html/netplusdesign.net -d netplusdesign.net -w /home/ubuntu/html/uphillhouse.netplusdesign.net -d uphillhouse.netplusdesign.net

No errors. But when I try to access https://netplusdesign I get ERR_CONNECTION_TIMED_OUT in Chrome. All worked fine using http before I ran the Let's Encrypt command.

Just need help understanding how to troubleshoot this. Thanks for your help.

Your server isn’t reachable on port 443. This could be a firewall thing or, if applicable, a portmap thing if behind a NAT router et cetera.

I’ve run sudo ufw allow 443 so I don’t think it’s a firewall thing. Not sure how to diagnose a port map thing.

hi uphillhouse

it’s definitely a firewall thing (could be the provider firewall or your system fire-walling)

as an aside - please firewall SSH - you generally don’t want SSH access to the entire internet (limit SSH access to your home Static IP for example).

run > sudo ufw status and it should tell you what ports are open to whom (note for 443 and 80 you should allow all if this is going to be a web server)

compare your SSH and HTTP and HTTPS settings to give you an idea of how to configure it

@ahaw021 Thanks for your help, I realize this is likely outside the scope of Let's Encrypt help.

I think you did your scan while I was trying a different server. Everything is switched back now. And re: ssh, I don’t have a static IP, thus open anywhere. Although I might be able to limit to a range. Will try that soon thx.

If I run sudo ufw status verbose, I get:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
443                        ALLOW IN    Anywhere                  
22                         ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
443 (v6)                   ALLOW IN    Anywhere (v6)             
22 (v6)                    ALLOW IN    Anywhere (v6)             
80 (v6)                    ALLOW IN    Anywhere (v6)

I downloaded and installed nmap, thanks for the hint. nmap says…

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-05 08:30 EST
Nmap scan report for netplusdesign.net (34.198.163.201)
Host is up (0.030s latency).
rDNS record for 34.198.163.201: ec2-34-198-163-201.compute-1.amazonaws.com
Not shown: 98 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds

That just doesn’t make sense.

What are your Lightsail firewall rules set to? Did you add one for port 443? Was it included by default?

https://lightsail.aws.amazon.com/ls/docs/overview/article/understanding-firewall-and-port-mappings-in-amazon-lightsail


That was it! I had enabled using ‘ufw’. I didn’t realize amazon was overruling the setting. I had to use the UI to open the port. It was not open by default. Unbelievable how much time I spent on this simple thing. Thank you so much!

well done, config looks good for your cert :smiley:

providers like amazon don’t technically overwrite the rules they just block the traffic upstream :smiley:

as for your SSH investigate Port Knocking. Please run on a virtual machine first (in your lab) and note you may need to open some other ports as well
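The cross-check that resolved this thread (ufw says ALLOW, nmap from outside says filtered, so the block is upstream of the host) can be automated. The script below is an added example, not code from any poster; the ufw and nmap text it parses is constructed from the output quoted above, and the diagnosis strings are my own wording.

```python
import re

# Sample output, constructed from the ufw and nmap listings quoted in this thread.
UFW_STATUS = """\
Status: active
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
443                        ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443 (v6)                   ALLOW IN    Anywhere (v6)
"""

NMAP_OUTPUT = """\
Not shown: 98 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
"""


def ufw_allowed_ports(text):
    """Ports with an IPv4 'ALLOW IN ... Anywhere' rule (v6 rows are skipped)."""
    pattern = r"^(\d+)(?:/tcp)?\s+ALLOW IN\s+Anywhere\s*$"
    return {int(m.group(1)) for m in re.finditer(pattern, text, re.M)}


def nmap_port_states(text):
    """Return (port -> state, default state for ports in the 'Not shown' line)."""
    default = re.search(r"Not shown: \d+ (\w+) ports", text)
    states = {int(m.group(1)): m.group(2)
              for m in re.finditer(r"^(\d+)/tcp\s+(\w+)", text, re.M)}
    return states, (default.group(1) if default else "filtered")


def diagnose(port, ufw_text, nmap_text):
    """Combine the host's own ufw view with the outside nmap view to locate a block."""
    states, default = nmap_port_states(nmap_text)
    state = states.get(port, default)
    if state == "open":
        return "reachable"
    if state == "closed":
        # A RST came back, so no firewall dropped the packet: nothing is listening.
        return "no firewall in the way; nothing is listening (check the nginx listen line)"
    if port not in ufw_allowed_ports(ufw_text):
        return "dropped by host firewall (ufw has no allow rule)"
    # ufw would accept it, yet the outside sees 'filtered': the drop happens upstream.
    return "ufw allows it but packets never arrive: check the provider firewall (Lightsail networking rules)"
```

For port 443 against the thread's output this returns the upstream-firewall verdict, which is exactly what the Lightsail console confirmed.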

I like! I’ll give it a try. Thanks for the advice.
